
ci: update actions to Node 24 runtimes#12

Merged
gmr merged 1 commit into
mainfrom
ci/node24-actions
Jun 15, 2026

Conversation

gmr (Owner) commented Jun 15, 2026

Summary

GitHub is forcing Node 20 JS actions to Node 24 on 2026-06-16 and removing Node 20 on 2026-09-16. Update the actions that still ran on Node 20:

  • actions/cache v4 → v5 (node24; inputs unchanged — path/key/restore-keys)
  • rust-lang/crates-io-auth-action v1 → v1.0.4 (node24)

actions/checkout@v5 and dtolnay/rust-toolchain (composite) were already fine.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD pipeline tooling to use newer versions of build and deployment actions for improved reliability and performance.

Bump actions/cache v4 -> v5 and rust-lang/crates-io-auth-action v1 ->
v1.0.4; both run on Node 24. Resolves the Node 20 deprecation warnings
(Node 20 is forced to 24 on 2026-06-16 and removed 2026-09-16).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coderabbitai (bot) commented Jun 15, 2026

Walkthrough

Three version pin updates across two GitHub Actions workflow files: actions/cache is bumped from v4 to v5 in both release.yaml and testing.yaml, and rust-lang/crates-io-auth-action is pinned from v1 to v1.0.4 in release.yaml. No workflow logic changes.

Changes

CI Action Version Updates: Bump actions/cache and crates-io-auth-action versions
File(s): .github/workflows/release.yaml, .github/workflows/testing.yaml
Summary: actions/cache updated from v4 to v5 in both workflows; rust-lang/crates-io-auth-action pinned from v1 to v1.0.4 in the release workflow. All cache paths, keys, and surrounding workflow logic are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hop, hop, a version or two,
Cache goes from four up to five, brand new!
The auth action pinned with precision so neat,
No logic disturbed, just a tidier beat.
This bunny approves — ship it, tout suite! 🎉

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Title check: ✅ Passed. The title accurately describes the main change: updating CI actions to Node 24 runtimes to address GitHub's deprecation of Node 20.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
  • Linked Issues check: ✅ Passed (check skipped because no linked issues were found for this pull request)
  • Out of Scope Changes check: ✅ Passed (check skipped because no linked issues were found for this pull request)


coderabbitai (bot) left a comment

Actionable comments posted: 1

Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/testing.yaml (1)

29-37: ⚠️ Potential issue | 🟠 Major

Harden cache usage for PR-triggered workflow to reduce cache-poisoning risk.

Lines 28-37 cache build artifacts (target) in a workflow that runs on pull_request events; this allows untrusted code to write to a repository-scoped, persistent cache that affects subsequent builds. Prevent cache writes on PRs by separating restore and save operations.

Suggested hardening pattern
-      - name: Cache cargo registry and build
-        uses: actions/cache@v5
+      - name: Restore cargo cache
+        uses: actions/cache/restore@<full_commit_sha_for_v5>
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             target
           key: ${{ runner.os }}-cargo-${{ matrix.rust }}-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: |
             ${{ runner.os }}-cargo-${{ matrix.rust }}-
+
+      - name: Save cargo cache (trusted events only)
+        if: github.event_name != 'pull_request'
+        uses: actions/cache/save@<full_commit_sha_for_v5>
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ matrix.rust }}-${{ hashFiles('**/Cargo.lock') }}
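Review bot: the restore step in this suggestion carries no `id:`, so the save step cannot tell whether the primary key was already restored and will attempt a redundant save on every non-PR run for a key that already exists; add `id: cargo-cache` to the restore step and tighten the condition to `if: github.event_name != 'pull_request' && steps.cargo-cache.outputs.cache-hit != 'true'`. The two `<full_commit_sha_for_v5>` placeholders also need to be resolved to the real commit before this can be applied, and keeping a trailing `# v5` comment after the SHA leaves the intended version readable for reviewers and update tooling.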
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/testing.yaml around lines 29 - 37, The current workflow
configuration using actions/cache@v5 allows pull requests to write to the shared
cache, creating a cache-poisoning risk. Replace the single cache action with
separate restore and save operations: use actions/cache/restore@v5 to only read
from the cache during PR runs, and add a separate actions/cache/save@v5 step
that only executes on trusted branches (not on pull_request events) to write
cache updates. This ensures untrusted PR code cannot pollute the cache that
subsequent builds depend on.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: bb43af29-e2a8-40cc-b231-c36950412c6e

📥 Commits

Reviewing files that changed from the base of the PR and between fd4f05b and 97f8cb5.

📒 Files selected for processing (2)
  • .github/workflows/release.yaml
  • .github/workflows/testing.yaml


- name: Cache cargo registry and build
uses: actions/cache@v4
uses: actions/cache@v5
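Review bot: the bump in this hunk swaps one mutable tag for another, which is exactly the unpinned-uses finding zizmor reports on this line; pin to the commit SHA the `v5` tag currently resolves to and keep the tag as a trailing comment (`uses: actions/cache@<sha> # v5`) so the version stays readable and dependency tooling can still propose updates.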


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the release.yaml workflow around lines 27 and 50
echo "=== release.yaml around line 27 ==="
sed -n '20,35p' .github/workflows/release.yaml

echo -e "\n=== release.yaml around line 50 ==="
sed -n '45,55p' .github/workflows/release.yaml

echo -e "\n=== testing.yaml around line 29 ==="
sed -n '20,35p' .github/workflows/testing.yaml

Repository: gmr/libpgfmt

Length of output: 1451


🏁 Script executed:

# Search for any SHA-pinned actions in workflow files
echo "=== Looking for any SHA-pinned actions in workflows ==="
rg 'uses:.*@[a-f0-9]{40}' .github/workflows/

# Also check if there are any policy documents or security guidelines
echo -e "\n=== Checking for policy or security docs ==="
fd -e md -e txt | xargs rg -l "pin\|action\|security" | head -20

# Count total unpinned actions in all workflows
echo -e "\n=== All unpinned action references in workflows ==="
rg 'uses:\s*\w+/[\w-]+@(?!master|main)' .github/workflows/

Repository: gmr/libpgfmt

Length of output: 486


🏁 Script executed:

# Find all action references more simply
echo "=== All 'uses:' lines in workflow files ==="
rg 'uses:' .github/workflows/ -A 0

# Check if there are YAML files with specific pattern
echo -e "\n=== Total count of unpinned actions ==="
rg 'uses: .*@(v[0-9]|[a-zA-Z])' .github/workflows/ | wc -l

Repository: gmr/libpgfmt

Length of output: 631


Pin all GitHub Actions to immutable commit SHAs to prevent supply chain attacks through retaggable action versions.

All action references in the workflow files currently use mutable version tags (@v5, @v1.0.4, @master, @stable) instead of pinning to specific commit SHAs. Replace with full commit SHAs:

  • .github/workflows/testing.yaml#L25: Replace actions/checkout@v5
  • .github/workflows/testing.yaml#L28: Replace dtolnay/rust-toolchain@master (currently uses branch ref—most critical)
  • .github/workflows/testing.yaml#L29: Replace actions/cache@v5
  • .github/workflows/release.yaml#L25: Replace actions/checkout@v5
  • .github/workflows/release.yaml#L28: Replace dtolnay/rust-toolchain@stable
  • .github/workflows/release.yaml#L27: Replace actions/cache@v5
  • .github/workflows/release.yaml#L50: Replace rust-lang/crates-io-auth-action@v1.0.4
🧰 Tools
🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 27-27: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

📍 Affects 2 files
  • .github/workflows/release.yaml#L27-L27 (this comment)
  • .github/workflows/release.yaml#L50-L50
  • .github/workflows/testing.yaml#L29-L29
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 27, GitHub Actions across your
workflows are using mutable version tags which pose security risks. Replace all
mutable action references with specific commit SHAs: At
`.github/workflows/release.yaml` lines 27 and 50, replace `actions/cache@v5` and
`rust-lang/crates-io-auth-action@v1.0.4` respectively with their full commit
SHAs. At `.github/workflows/testing.yaml` line 29, replace `actions/cache@v5`
with its commit SHA. Additionally, address the other mutable references
mentioned in the content: in `.github/workflows/testing.yaml` at lines 25 and 29
replace `actions/checkout@v5` and `actions/cache@v5` with commit SHAs, at line
28 replace `dtolnay/rust-toolchain@master` with a specific commit SHA (this is
critical since it uses a branch ref), and in `.github/workflows/release.yaml` at
lines 25 and 28 replace `actions/checkout@v5` and
`dtolnay/rust-toolchain@stable` with commit SHAs. Look up the latest commit SHA
for each action version and pin each action to its corresponding immutable
commit hash to prevent supply chain attacks.

Source: Linters/SAST tools
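As an added example (not code from this PR, from CodeRabbit, or from the gmr/libpgfmt project), a POSIX shell check that reports the unpinned `uses:` references the review above describes, run here against a constructed sample workflow; the 40-character `aaaa…` ref in the sample is a placeholder SHA, not a real commit.

```shell
#!/bin/sh
# Added example: list `uses:` references in workflow files that are not pinned
# to a full 40-hex commit SHA. One line per finding: "<file>:<line> <sev> <ref>"
# where BRANCH = branch or absent ref (e.g. @master) and TAG = mutable tag (@v5).
unpinned_uses() {
  for f in "$@"; do
    grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$f" | sed -E 's/#.*$//' |
    while IFS= read -r hit; do
      lineno=${hit%%:*}
      # Drop the "N:" prefix and the uses: key, then quotes and whitespace.
      ref=$(printf '%s\n' "$hit" |
            sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' |
            tr -d "[:space:]\"'")
      case "$ref" in
        ./*|docker://*) continue ;;  # local actions / images are pinned differently
      esac
      spec=${ref#*@}
      if printf '%s\n' "$spec" | grep -qE '^[0-9a-f]{40}$'; then
        continue                     # already pinned to an immutable commit
      fi
      case "$spec" in
        "$ref"|master|main|stable|nightly) sev=BRANCH ;;  # no @ref, or a branch
        *) sev=TAG ;;
      esac
      printf '%s:%s %s %s\n' "$f" "$lineno" "$sev" "$ref"
    done
  done
}
# Constructed sample workflow (not the project's real file); the 40 x 'a' ref
# is a placeholder SHA, not a real commit.
make_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@master
      - name: Cache cargo registry and build
        uses: actions/cache@v5
      - uses: actions/cache@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5 (placeholder SHA)
      - uses: ./.github/actions/local
EOF
  printf '%s\n' "$f"
}
wf=$(make_sample); unpinned_uses "$wf"; rm -f "$wf"
```

Running it on the sample prints three findings (lines 4, 5 and 7); the SHA-pinned and local steps are not reported.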

gmr merged commit 2417c7b into main on Jun 15, 2026 (3 checks passed) and deleted the ci/node24-actions branch on June 15, 2026 at 20:42.
