Upgrade GitHub Actions for Node 24 compatibility

[salmanmkc]

Summary

Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026.

Changes

Action	Old Version(s)	New Version	Release	Files
actions/cache	2f8e542	8b402f5	Release	bundle-desktop-intel.yml, bundle-desktop-linux.yml, bundle-desktop-windows.yml, bundle-desktop.yml, ci.yml, deploy-docs-and-extensions.yml
actions/checkout	08eba0b, 11bd719, 93cb6ef, f43a0e5, v4	8e8c483	Release	build-cli.yml, bundle-desktop-intel.yml, bundle-desktop-linux.yml, bundle-desktop-windows.yml, bundle-desktop.yml, canary.yml, check-release-pr.yaml, ci.yml, create-release-pr.yaml, deploy-docs-and-extensions.yml, docs-update-recipe-ref.yml, goose-issue-solver.yml, goose-pr-reviewer.yml, merge-release-pr-on-tag.yaml, nightly.yml, pr-comment-build-cli.yml, pr-comment-bundle-intel.yml, pr-comment-bundle-windows.yml, pr-smoke-test.yml, pr-website-preview.yml, publish-docker.yml, quarantine.yml, recipe-security-scanner.yml, release.yml, scorecard.yml, test-finder.yml, update-hacktoberfest-leaderboard.yml, update-release-pr.yaml
actions/download-artifact	cc20338, v4	v7	Release	canary.yml, nightly.yml, pr-comment-build-cli.yml, pr-comment-bundle-intel.yml, pr-comment-bundle-windows.yml, pr-comment-bundle.yml, pr-smoke-test.yml, release.yml
actions/github-script	v7	v8	Release	pr-comment-bundle.yml, recipe-security-scanner.yml, update-hacktoberfest-leaderboard.yml, update-health-dashboard.yml
actions/setup-node	1a4442c, 3235b87	6044e13	Release	bundle-desktop-windows.yml, deploy-docs-and-extensions.yml, docs-update-recipe-ref.yml, pr-website-preview.yml
actions/setup-python	v5	v6	Release	pr-smoke-test.yml
actions/upload-artifact	4cec3d8, ea165f8, v4	b7c566a	Release	build-cli.yml, bundle-desktop-intel.yml, bundle-desktop-linux.yml, bundle-desktop-windows.yml, bundle-desktop.yml, canary.yml, docs-update-recipe-ref.yml, nightly.yml, pr-smoke-test.yml, recipe-security-scanner.yml, release.yml, scorecard.yml, update-health-dashboard.yml

Context

Per GitHub's announcement, Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.

Why this matters

• Node 20 EOL: April 2026
• Node 24 default: March 4th, 2026
• Action: Update to latest action versions that support Node 24

Security Note

Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.

Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

[Copilot]

Pull request overview

Updates GitHub Actions dependencies across CI/CD workflows to versions compatible with the upcoming Node 24 runtime on GitHub-hosted runners.

Changes:

• Bumps actions/checkout, actions/cache, actions/upload-artifact, actions/download-artifact, actions/github-script, actions/setup-node, and actions/setup-python to newer major versions.
• Refreshes many action references from older SHAs/tags to newer release SHAs/tags across build, release, and automation workflows.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
.github/workflows/update-release-pr.yaml	Updates actions/checkout pin used for release-note automation.
.github/workflows/update-health-dashboard.yml	Updates actions/github-script and actions/upload-artifact for dashboard automation.
.github/workflows/update-hacktoberfest-leaderboard.yml	Updates actions/checkout and actions/github-script for leaderboard automation.
.github/workflows/test-finder.yml	Updates actions/checkout pin used by the test discovery workflow.
.github/workflows/scorecard.yml	Updates actions/checkout and actions/upload-artifact pins used by Scorecard.
.github/workflows/release.yml	Updates actions/checkout, actions/upload-artifact, and actions/download-artifact pins in release workflow.
.github/workflows/recipe-security-scanner.yml	Updates actions/checkout, actions/upload-artifact, and actions/github-script used by recipe scanning.
.github/workflows/quarantine.yml	Updates actions/checkout pin used by quarantine checks.
.github/workflows/publish-docker.yml	Updates actions/checkout pin used for Docker publishing.
.github/workflows/pr-website-preview.yml	Updates actions/checkout and actions/setup-node pins used for site previews.
.github/workflows/pr-smoke-test.yml	Updates checkout/artifact/python actions used in smoke testing.
.github/workflows/pr-comment-bundle.yml	Updates actions/github-script and actions/download-artifact used for PR bundle comments.
.github/workflows/pr-comment-bundle-windows.yml	Updates actions/checkout and actions/download-artifact used for Windows bundle PR comments.
.github/workflows/pr-comment-bundle-intel.yml	Updates actions/checkout and actions/download-artifact used for Intel bundle PR comments.
.github/workflows/pr-comment-build-cli.yml	Updates actions/checkout and actions/download-artifact used for CLI build PR comments.
.github/workflows/nightly.yml	Updates checkout/upload/download actions used in nightly pipeline.
.github/workflows/merge-release-pr-on-tag.yaml	Updates actions/checkout pin used in tag-merge automation.
.github/workflows/goose-pr-reviewer.yml	Updates actions/checkout pin used in PR reviewer automation.
.github/workflows/goose-issue-solver.yml	Updates actions/checkout pin used in issue solver automation.
.github/workflows/docs-update-recipe-ref.yml	Updates actions/checkout, actions/setup-node, and actions/upload-artifact used by docs automation.
.github/workflows/deploy-docs-and-extensions.yml	Updates actions/checkout, actions/setup-node, and actions/cache used by docs deployment.
.github/workflows/create-release-pr.yaml	Updates actions/checkout pin used to generate release PRs.
.github/workflows/ci.yml	Updates actions/checkout and actions/cache pins used in CI.
.github/workflows/check-release-pr.yaml	Updates actions/checkout pin used for release PR checks.
.github/workflows/canary.yml	Updates checkout/upload/download action pins used by canary pipeline.
.github/workflows/bundle-desktop.yml	Updates checkout/cache/upload action pins used by desktop bundling.
.github/workflows/bundle-desktop-windows.yml	Updates checkout/setup-node/cache/upload action pins used by Windows desktop bundling.
.github/workflows/bundle-desktop-linux.yml	Updates checkout/cache/upload action pins used by Linux desktop bundling.
.github/workflows/bundle-desktop-intel.yml	Updates checkout/cache/upload action pins used by Intel macOS desktop bundling.
.github/workflows/build-cli.yml	Updates checkout/upload action pins used by CLI build workflow.

Comments suppressed due to low confidence (2)

.github/workflows/pr-smoke-test.yml:176

• actions/download-artifact@v7 is referenced by tag here; pin it to a specific commit SHA to keep reruns deterministic and consistent with other pinned workflows.

      - name: Download Binary
        uses: actions/download-artifact@v7

.github/workflows/recipe-security-scanner.yml:333

• actions/github-script@v8 is referenced by tag here; pin to a commit SHA (consistent with other pinned actions in this workflow like step-security/harden-runner).

      - name: Set GitHub status check
        if: always() && steps.find_recipes.outputs.has_recipes == 'true' && steps.recipe_changes.outputs.recipe_files_changed == 'true'
        uses: actions/github-script@v8

[zanesq]

@salmanmkc thanks! can you look at the copilot reviews we do want them pinned if possible

[salmanmkc]

@salmanmkc thanks! can you look at the copilot reviews we do want them pinned if possible

Sure will pin them

[zanesq]

LGTM thanks! We'll go ahead and merge this so we can run the actions from main and we can revert if any issues.

[salmanmkc]

LGTM thanks! We'll go ahead and merge this so we can run the actions from main and we can revert if any issues.

sounds good to me!

[zanesq]

Merged manually via command line due to GitHub UI merge check being stuck.