IBX-11778: [GHA] Updated deprecated versions of GitHub actions#103
Open
alongosz wants to merge 14 commits into
Open
IBX-11778: [GHA] Updated deprecated versions of GitHub actions#103alongosz wants to merge 14 commits into
alongosz wants to merge 14 commits into
Conversation
Co-Authored-By: Codex <codex@openai.com>
alongosz
changed the title
Replaced octokit/request-action calls with gh api shell steps in reusable workflows to avoid deprecated Node.js action runtime warnings. Co-Authored-By: Codex <codex@openai.com>
Replaced tibdex/github-app-token with actions/create-github-app-token in release workflows to avoid deprecated Node.js action runtime warnings. Co-Authored-By: Codex <codex@openai.com>
Updated all actions/create-github-app-token usages to v3 so workflow and composite action usage is current. Co-Authored-By: Codex <codex@openai.com>
Updated Slack notification workflows to use slackapi/slack-github-action v3 and its current webhook and API method inputs. Co-Authored-By: Codex <codex@openai.com>
Updated the upmerge reusable workflow to generate a GitHub App token, use it for checkout and API calls, and replace github-push-action with a native git push. Co-Authored-By: Codex <codex@openai.com>
Updated reusable merge workflows to use rlespinasse/github-slug-action v5. Co-Authored-By: Codex <codex@openai.com>
Replaced zendesk/action-gh-release with GitHub CLI release creation in release workflows. Co-Authored-By: Codex <codex@openai.com>
Co-Authored-By: Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
alongosz
force-pushed
the
ibx-11778-update-deprecated-actions
branch
from
ce4c191 to
d84346e
Compare
Co-authored-by: OpenAI Codex <codex@openai.com>
alongosz
force-pushed
the
ibx-11778-update-deprecated-actions
branch
from
d84346e to
3b2a50a
Compare
Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
This was referenced Jun 25, 2026
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Caution
Description:
This PR updates GitHub workflows and the Composer install composite action that depended on actions using deprecated Node.js runtimes.
The changes include:
actions/checkoutto v7 in affected workflows;actions/create-github-app-tokento v3 and switching from the deprecatedapp-idinput toclient-id;slackapi/slack-github-actionto v3 and updating both incoming webhook and Slack API call inputs;octokit/request-actionusages with equivalentgh apicalls while preserving thedataoutput consumed by later steps;gh release createandgit pushcommands;robot-tokensecret.For QA:
No manual QA is required. Workflow validation should focus on regression coverage for the touched workflows, especially Browser Tests and workflows that now use
gh api,gh release create, or generated GitHub App tokens.Test status:
🟢 Browser Tests stack with dependencies.json handling Browser Tests run 28132632096 via IBX-11778: [GHA] Updated deprecated GitHub Actions core#766
🟢
actions/checkoutBackend CI run 28132631469 via IBX-11778: [GHA] Updated deprecated GitHub Actions core#766🟢
actions/create-github-app-tokenBackend CI run 28132631469 via IBX-11778: [GHA] Updated deprecated GitHub Actions core#766🟢
slackapi/slack-github-actionBrowser Tests run 28132632096 via IBX-11778: [GHA] Updated deprecated GitHub Actions core#766🟢 Cross-merge workflow run 28171377660 via [TMP] IBX-11778: Testing ibexa/gh-workflows#103 ezsystems/ezplatform-kernel#414
🟢 Assign Pull Request to Maintainers workflow run 28175813092 via [TMP] IBX-11778: Testing "Assign Pull Request to maintainers" workflow ezsystems/ezpublish-kernel#3157
🟢 PR base branch check workflow PR check run 28172921268 via IBX-11778: [GHA] Updated deprecated GitHub Actions core#766
🟢 Rector workflow Rector run 28200112994 via IBX-11778: [GHA][Rector PHP] Reused shared Rector workflow core#769
❓
.github/workflows/upmerge.yml❓
.github/workflows/release.yml❓
.github/workflows/release_bundle.yml❓
.github/workflows/post_release.yamlDocumentation:
No documentation required.
Footnotes
According to SonarQube security analysis, pinning GHA action version to specific commit is more secure than using a tag or a branch (as both can be force-pushed by a supply-chain attack). These are generic reusable workflows, so they don't produce too much maintenance. However it doesn't provide any value for
ibexa/*actions and workflows. ↩