Merged
4 changes: 2 additions & 2 deletions .github/workflows/build.yaml
Expand Up @@ -30,7 +30,7 @@ jobs:
git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"

- name: Setup Node (PR Summary)
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0

Consider switching from a full commit SHA to a semantic version tag for easier maintenance and automatic patch updates. For example, instead of pinning to a specific SHA, you can use the v5 major release tag:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

You’re pinning actions/setup-node to a commit SHA for v5.0.0, which prevents you from getting future non-breaking patches. It’s better to use the semver tag to automatically receive minor and patch updates while still locking major:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

with:
node-version-file: source-folder/.tool-versions
cache: npm
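Review bot: keep the full-SHA pin on `uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0` rather than switching to `@v5` as the comments above suggest; a tag is a movable pointer controlled by the upstream repository, while the commit SHA fixes exactly which action code runs in this job. Two things are worth doing before merge: verify that this SHA really is the commit tagged v5.0.0 upstream, because the trailing `# v5.0.0` is only a comment and nothing enforces it, and record in the PR description that this is a major-version bump (v4.4.0 to v5.0.0) and what was checked for breaking changes.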

The “Setup Node” step is duplicated in both PR Summary and PR Review jobs. To follow the DRY principle and avoid future inconsistencies, extract it into a reusable YAML anchor or a composite action. For example:

# Top of your workflow
x-steps:
  setup-node: &setup-node
    uses: actions/setup-node@v5
    with:
      node-version-file: source-folder/.tool-versions
      cache: npm

# Then in each job
steps:
  - name: Setup Node
    <<: *setup-node

This reduces duplication and makes upgrades simpler.

To make your cache invalidation more precise, leverage the cache-dependency-path input so the cache key changes when your lockfile updates. For example:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: 'npm'
    cache-dependency-path: source-folder/package-lock.json  # ✅ ensures cache bust when deps change

Expand All @@ -43,7 +43,7 @@ jobs:
npm prune --omit=dev

- name: Setup Node (PR Review)
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: source-folder/.tool-versions
cache: npm
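Review bot: this is the same SHA bump as in the PR Summary job above, which is the right outcome, but it also shows the maintenance cost the comments complain about: two pins that have to be moved in lockstep by hand. Rather than loosening to a tag, let Dependabot (`package-ecosystem: github-actions`) or Renovate manage the pins; both open a PR with the new commit SHA and keep the `# vX.Y.Z` comment current, so the immutability of the pin is preserved and updates still arrive.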

The two Setup Node steps are identical except for their names. You can DRY this up by using a YAML anchor or by extracting the common setup into a reusable workflow or composite action. For example, with a YAML anchor:

# Define the anchor at the top of your steps
x-setup-node: &setup-node
  uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

# Reuse it in both steps
- name: Setup Node (PR Summary)
  <<: *setup-node

- name: Setup Node (PR Review)
  <<: *setup-node

4 changes: 2 additions & 2 deletions .github/workflows/code-quality.yaml
Expand Up @@ -22,7 +22,7 @@ jobs:
- name: Checkout source branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

You have two Checkout source branch steps that are identical. Consider moving it to a shared set of steps or a job-level definition to avoid duplication:

jobs:
  code-quality:
    steps:
      - name: Checkout source branch
        uses: actions/checkout@v5
      # other steps...

You’ve pinned actions/checkout to a full commit SHA. Using a semver tag (e.g. @v3) is more maintainable and still locks major versions:

- uses: actions/checkout@v3

- name: Setup Node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0

Similar to the build workflow, use a semantic version tag for actions/setup-node instead of a full SHA. This ensures you receive non-breaking updates automatically:

- name: Setup Node
  uses: actions/setup-node@v5
  with:
    node-version-file: .tool-versions
    cache: npm

with:
node-version-file: .tool-versions
cache: npm
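Review bot: the unchanged context line `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0` already pins checkout to v5.0.0, so the suggestion above to move to `actions/checkout@v3` would be a two-major-version downgrade on top of losing the SHA pin; it should not be applied. The setup-node bump in this hunk matches build.yaml, which is the state you want: the same action at the same commit across both workflows, with the version comment updated alongside the SHA.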
Expand All @@ -47,7 +47,7 @@ jobs:
- name: Checkout source branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: .tool-versions
cache: npm
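Review bot: with this hunk all four setup-node references across the two workflow files point at the same commit, which is the state to preserve. The duplication the comments point out is real, but the fix should not be a mutable tag; a cheap guard is a CI step or pre-commit hook that scans `.github/workflows/` for `uses:` lines whose ref is not a 40-character hex SHA and fails when it finds one, so a later edit that introduces `@v5` is caught before merge.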

The “Checkout source branch” and “Setup Node” steps appear twice, leading to repetition. Consider using YAML anchors or a reusable workflow to DRY them:

# Define anchors at top
x-steps:
  checkout: &checkout
    name: Checkout source branch
    uses: actions/checkout@v3  # or your preferred tag

  setup-node: &setup-node
    name: Setup Node
    uses: actions/setup-node@v5
    with:
      node-version-file: .tool-versions
      cache: npm

# Then in your jobs
steps:
  - <<: *checkout
  - <<: *setup-node
  # ... other steps
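
The comments in this thread recommend replacing full commit SHAs with tags such as `@v5`. As an added example (not code from this PR or from actions/setup-node), the following Python checker walks a workflow file and reports, for every `uses:` step, whether it is pinned to an immutable 40-hex commit and whether the `# vX.Y.Z` comment convention seen in these diffs is present; the sample workflow is constructed and mixes the checkout SHA pin from the diff with a tag pin from the suggestions.

```python
import re
from typing import Dict, List, Optional

# Matches a step's `uses:` reference of the form owner/repo[/path]@ref, plus the
# optional trailing `# vX.Y.Z` comment that this PR keeps next to each SHA pin.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

Finding = Dict[str, Optional[object]]


def classify_ref(ref: str) -> str:
    """'sha' for an immutable 40-hex commit pin, 'tag' for a movable tag or branch."""
    return "sha" if SHA_RE.match(ref) else "tag"


def audit_workflow(text: str) -> List[Finding]:
    """Report every remote action reference in a workflow with its pin kind."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local/docker action without an @ref
        ref = m.group("ref")
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": ref,
            "pin": classify_ref(ref),
            "version_comment": m.group("comment") or None,
        })
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """Steps that would silently pick up new code if the tag were moved upstream."""
    return [f for f in findings if f["pin"] != "sha"]


# Constructed sample mixing the two forms seen in this PR's review thread.
SAMPLE_WORKFLOW = """\
jobs:
  code-quality:
    steps:
      - name: Checkout source branch
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Node
        uses: actions/setup-node@v5
"""
```

Running `audit_workflow` over the real `.github/workflows/*.yaml` files and failing when `unpinned` is non-empty gives the guard that keeps the pins this PR maintains.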
