Bumps node from 25.8.2-alpine3.23 to 25.9.0-alpine3.23.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 25.9.0-alpine3.23
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…nto the "develop" branch build(deps): Bump node from 25.8.2-alpine3.23 to 25.9.0-alpine3.23
This merge updates `.github/workflows/pr-tests.yml` to stop pushing PR test images to Docker Hub and instead pass the built image between jobs as an OCI artifact. The test workflow now uploads the multi-arch build output from `build-image`, downloads it in `test-image`, extracts a per-architecture image into the local Docker daemon with `skopeo`, and removes the artifact after testing. The artifact name now includes the pull request number so concurrent PR runs do not share the same artifact identifier.
In `build-image`, the `Login to Docker Hub` step is removed and the `Build Image` step changes from `push: true` to `push: false` with `outputs: type=oci,dest=image.tar`, so the workflow produces a local OCI archive instead of publishing a PR image to Docker Hub. A new `Upload Docker Image Artifact` step uses `actions/upload-artifact@v4` to persist `image.tar` as `docker-image-pr-${{ github.event.pull_request.number }}`. In `test-image`, the Docker Hub login and `docker pull` flow are removed, `TEST_IMAGE` changes from `runtimenode/test:pr-${{ github.event.pull_request.number }}` to `test:pr-${{ github.event.pull_request.number }}`, and new `Download Docker Image Artifact` and `Extract single-arch image with Skopeo` steps load each matrix entry’s `linux/amd64` or `linux/arm64` image as `test:pr-<number>-<arch>`. The smoke test and all integrity checks are updated to resolve `${{ matrix.platform }}` into `ARCH` and run against `${{ env.TEST_IMAGE }}-$ARCH` so they validate the locally extracted per-architecture image. A new `artifact-clean-up` job then removes `docker-image-pr-${{ github.event.pull_request.number }}` using `geekyeggo/delete-artifact@v4` after testing completes.
No other files or workflow jobs are modified by this merge.
…p" branch This merge updates the GitHub Actions workflows to use `docker/build-push-action@v7` instead of the current older major versions. It applies the version bump in both `.github/workflows/deployment.yml` and `.github/workflows/pr-tests.yml` while keeping the existing build, attestation, cache, and artifact logic unchanged. In `.github/workflows/deployment.yml`, the `Build and push (multi-registry, multi-platform)` step is updated from `uses: docker/build-push-action@v5` to `uses: docker/build-push-action@v7` without changing the existing `attests:`, tag, label, platform, or cache settings. In `.github/workflows/pr-tests.yml`, the `Build Image` step is updated from `uses: docker/build-push-action@v6` to `uses: docker/build-push-action@v7` without changing the existing OCI archive output, multi-platform build, tag, or cache configuration. No other files or workflow jobs are modified by this merge.
This merge updates `README.md` and `CONTRIBUTING.md` on `develop` so the documentation reflects the upcoming Node.js `25.9.0` release line and the current CI/CD tooling used by the repository. It refreshes the version examples in both documents and expands the README acknowledgements so recently added workflow actions are documented alongside the existing build and release tooling. In `CONTRIBUTING.md`, the Node.js Version Bumps example is updated from `node:25.8.2-alpine3.23` to `node:25.9.0-alpine3.23`. In `README.md`, the Versioning and Tags example is updated from `v2.1.3+node25.8.2` to `v2.2.0+node25.9.0`. The CI/CD & Build Tooling section of `README.md` is also expanded to add `actions/upload-artifact`, `actions/download-artifact`, and `geekyeggo/delete-artifact` for the PR test artifact workflow, plus `chrnorm/deployment-action` and `chrnorm/deployment-status` for GitHub Deployment tracking in the release workflow. No other files or documentation sections are modified by this merge.
…+node25" branch This merge promotes `release/v2.2.0+node25.9.0` into `maintenance/v2+node25`, marking the next minor release on the Node.js 25 maintenance line. It consolidates five development cycles: the Node.js base image bump from `25.8.2` to `25.9.0`, the PR test workflow move from Docker Hub-pushed images to OCI artifact handoff, the `docker/build-push-action` upgrade to `v7` in both workflows, the release workflow attestation update to signed `mode=max` provenance and SBOM output, and documentation updates aligning examples and CI/CD tooling references with the current release state. In `Dockerfile`, the builder stage base image is updated from `node:25.8.2-alpine3.23` to `node:25.9.0-alpine3.23`, bumping the bundled Node.js runtime from `25.8.2` to `25.9.0`. In `.github/workflows/pr-tests.yml`, the PR image flow no longer pushes test images to Docker Hub; `Build Image` changes from `push: true` to `push: false` with `outputs: type=oci,dest=image.tar`, a new `Upload Docker Image Artifact` step persists the OCI archive, `Download Docker Image Artifact` and `Extract single-arch image with Skopeo` load per-architecture images for the test matrix, all smoke and integrity checks now target the locally extracted per-architecture image tags, and a new `artifact-clean-up` job removes the uploaded artifact after testing completes. The same workflow also updates `uses: docker/build-push-action@v6` to `uses: docker/build-push-action@v7` in `Build Image`, while `.github/workflows/deployment.yml` updates `uses: docker/build-push-action@v5` to `uses: docker/build-push-action@v7` in `Build and push (multi-registry, multi-platform)`. In `.github/workflows/deployment.yml`, the top-level `permissions:` block now adds `id-token: write` so the release job can mint the OIDC token required for attestation signing, and the multi-platform build step replaces `provenance: true` and `sbom: true` with `attests:` entries `type=provenance,mode=max` and `type=sbom,mode=max`. 
In `CONTRIBUTING.md`, the Node.js Version Bumps example is updated from `node:25.8.2-alpine3.23` to `node:25.9.0-alpine3.23`. In `README.md`, the Versioning and Tags example is updated from `v2.1.3+node25.8.2` to `v2.2.0+node25.9.0`, and the `CI/CD & Build Tooling` section adds `actions/upload-artifact`, `actions/download-artifact`, `geekyeggo/delete-artifact`, `chrnorm/deployment-action`, and `chrnorm/deployment-status`. No migration steps are required beyond updating to `v2.2.0+node25.9.0` on the `maintenance/v2+node25` line.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 37c8311def
| # Remove the Docker image artifact to free up storage space | ||
| - name: Remove Docker Image Artifact | ||
| uses: geekyeggo/delete-artifact@v4 |
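Review bot: The `uses: geekyeggo/delete-artifact@v4` line references a third-party action by a mutable major-version tag, and this step runs with a token that can delete artifacts. Pin the action to a full commit SHA and keep the version in a trailing comment, so a retagged release cannot change what runs here. The step's `with:` inputs are not visible in this excerpt, so also confirm that the `name` it deletes is limited to this pull request's artifact.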
Guard artifact deletion when workflow token is read-only
This new cleanup step can fail legitimate PR checks from forks (and Dependabot) because those pull_request runs get a read-only GITHUB_TOKEN, while geekyeggo/delete-artifact requires write access to Actions and fails by default on permission errors. In that scenario, tests can pass but the workflow still ends in failure at cleanup, blocking external contributions unless this step is skipped/soft-failed for read-only contexts.
Useful? React with 👍 / 👎.
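One way to apply the guard that the review comment above asks for, as an added example that is not the repository's own workflow. The job, step and artifact names come from the PR description; the `needs`, `if`, `permissions` and `continue-on-error` lines are assumptions about how the job could be written.

```yaml
# Added example: guarded cleanup job for .github/workflows/pr-tests.yml.
# Names are taken from the PR description; the guard lines are assumptions.
jobs:
  artifact-clean-up:
    runs-on: ubuntu-latest
    needs: [test-image]            # assumed: run after the test matrix
    # Run even when tests fail, but only where GITHUB_TOKEN can be granted
    # write access: same-repository PRs that were not opened by Dependabot.
    if: >-
      always() &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.actor != 'dependabot[bot]'
    permissions:
      actions: write               # least privilege: only what deletion needs
    steps:
      # Remove the Docker image artifact to free up storage space
      - name: Remove Docker Image Artifact
        uses: geekyeggo/delete-artifact@v4
        continue-on-error: true    # a cleanup failure must not fail the check
        with:
          name: docker-image-pr-${{ github.event.pull_request.number }}
```

Fork and Dependabot runs skip the job, so their artifact stays until it expires; a short `retention-days` value on the `actions/upload-artifact@v4` step bounds how long that is.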
Summary
This PR promotes `maintenance/v2+node25` into `main`, delivering `v2.2.0+node25.9.0` to the main line. It consolidates five maintenance cycles: the Node.js base image bump from `25.8.2` to `25.9.0`, the PR test workflow move from Docker Hub-pushed images to OCI artifact handoff, the `docker/build-push-action` upgrade to `v7` in both workflows, the release workflow attestation update to signed `mode=max` provenance and SBOM output, and documentation updates aligning examples and CI/CD tooling references with the current release state.
Files Changed
Added:
Modified:
- `CONTRIBUTING.md`
- `Dockerfile`
- `README.md`
- `.github/workflows/`
  - `deployment.yml`
  - `pr-tests.yml`

Deleted:
Key Changes
- `Dockerfile` from `node:25.8.2-alpine3.23` to `node:25.9.0-alpine3.23`, bumping the bundled Node.js runtime from `25.8.2` to `25.9.0`.
- `.github/workflows/pr-tests.yml` to stop pushing PR images to Docker Hub by changing the `Build Image` step from `push: true` to `push: false` with `outputs: type=oci,dest=image.tar`, adding `Upload Docker Image Artifact`, `Download Docker Image Artifact`, `Extract single-arch image with Skopeo`, and `artifact-clean-up`, and changing the test image flow to local per-architecture images derived from the OCI artifact.
- `.github/workflows/pr-tests.yml` from `uses: docker/build-push-action@v6` to `uses: docker/build-push-action@v7` in the `Build Image` step, and updated `.github/workflows/deployment.yml` from `uses: docker/build-push-action@v5` to `uses: docker/build-push-action@v7` in the `Build and push (multi-registry, multi-platform)` step.
- `id-token: write` to the top-level `permissions:` block in `.github/workflows/deployment.yml` and replaced `provenance: true` and `sbom: true` with `attests:` entries `type=provenance,mode=max` and `type=sbom,mode=max` in the `Build and push (multi-registry, multi-platform)` step.
- `CONTRIBUTING.md` from `node:25.8.2-alpine3.23` to `node:25.9.0-alpine3.23`, updated the Versioning and Tags example in `README.md` from `v2.1.3+node25.8.2` to `v2.2.0+node25.9.0`, and added `actions/upload-artifact`, `actions/download-artifact`, `geekyeggo/delete-artifact`, `chrnorm/deployment-action`, and `chrnorm/deployment-status` to the `CI/CD & Build Tooling` section of `README.md`.