Skip to content

NO-JIRA: ci(deps): bump actions/setup-node from 6.4.0 to 7.0.0#9030

Merged
openshift-merge-bot[bot] merged 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-7.0.0
Jul 17, 2026
Merged

NO-JIRA: ci(deps): bump actions/setup-node from 6.4.0 to 7.0.0#9030
openshift-merge-bot[bot] merged 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-7.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-node from 6.4.0 to 7.0.0.

Release notes

Sourced from actions/setup-node's releases.

v7.0.0

What's Changed

Enhancements:

Bug fixes:

Documentation updates:

Dependency update:

New Contributors

Full Changelog: actions/setup-node@v6...v7.0.0

v6.5.0

What's Changed

Full Changelog: actions/setup-node@v6.4.0...v6.5.0

Commits
  • 8207627 Migrate to ESM and upgrade dependencies (#1574)
  • 04be95c Add cache-primary-key and cache-matched-key as outputs (#1577)
  • 7c2c68d docs: Update caching recommendations to mitigate cache poisoning risks (#1567)
  • 6a61c03 Merge pull request #1569 from jasongin/update-actions-cache-5.1.0
  • 30eb73b Resolve high-severity audit issues
  • 4e1a87a Update dist
  • 360237f Strict equality
  • 4f8aac5 Bump @​actions/cache to 5.1.0, log cache write denied
  • f4a67bb Only use mirrorToken in getManifest if it's provided (#1548)
  • 0355742 Remove dummy NODE_AUTH_TOKEN export (#1558)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated the documentation preview deployment to use the latest Node setup action.
    • Kept the existing Node.js 20 configuration and all deployment steps the same.

@dependabot dependabot Bot added area/ci-tooling Indicates the PR includes changes for CI or tooling ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Jul 17, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

The docs preview deployment workflow updates its pinned actions/setup-node version from v6.4.0 to v7.0.0 while preserving the Node.js 20 configuration and subsequent deployment steps.

Possibly related PRs

Suggested reviewers: cblecker, bryan-cox

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only a workflow dependency pin changed; no test files or Ginkgo titles were added or edited.
Test Structure And Quality ✅ Passed Only .github/workflows/docs-deploy.yaml changed; no Ginkgo test code was modified, so the test-quality checklist is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only a docs deploy workflow action version changed; no manifests, controllers, replicas, affinity, selectors, or PDBs were modified.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only .github/workflows/docs-deploy.yaml changed, bumping setup-node; no Ginkgo e2e tests or IPv4/external-network test logic were added.
No-Weak-Crypto ✅ Passed The PR only bumps actions/setup-node in a workflow; no weak-crypto primitives, custom crypto, or secret comparisons were added.
Container-Privileges ✅ Passed PR only bumps actions/setup-node in a GitHub Actions workflow; the changed manifest adds no privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed PR only updates actions/setup-node from v6.4.0 to v7.0.0 in a workflow; no new log statements or sensitive-value echoes were added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: upgrading actions/setup-node from 6.4.0 to 7.0.0.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/setup-node-7.0.0

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from bryan-cox and cblecker July 17, 2026 01:06
@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.4.0 to 7.0.0.
- [Release notes](https://github.com/actions/setup-node/releases)
-
[Commits](actions/setup-node@48b55a0...8207627)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
github-actions Bot force-pushed the dependabot/github_actions/actions/setup-node-7.0.0 branch from 33deab4 to 6f38eb8 Compare July 17, 2026 01:15

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/docs-deploy.yaml (1)

32-36: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable automatic dependency caching for this deployment job.

setup-node can automatically enable npm caching based on repository metadata, and its documentation recommends package-manager-cache: false for privileged workflows when caching is unnecessary. This job only deploys an artifact, so the cache adds attack surface without providing value. (github.com)

       - uses: actions/setup-node@820762786026740c76f36085b0efc47a31fe5020 # v7.0.0
         with:
           node-version: '20'
+          package-manager-cache: false

As per path instructions, review CI/CD cache-poisoning risks explicitly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs-deploy.yaml around lines 32 - 36, Disable automatic
dependency caching in the setup-node step by setting package-manager-cache to
false alongside node-version. Keep the existing npm_config_cache environment
setting unchanged, and ensure the docs deployment job does not rely on
setup-node’s repository-metadata-based cache behavior.

Sources: Path instructions, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/docs-deploy.yaml:
- Around line 32-36: Disable automatic dependency caching in the setup-node step
by setting package-manager-cache to false alongside node-version. Keep the
existing npm_config_cache environment setting unchanged, and ensure the docs
deployment job does not rely on setup-node’s repository-metadata-based cache
behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cd153fec-0fff-4810-9e5f-d8d45f1e2c8a

📥 Commits

Reviewing files that changed from the base of the PR and between 33deab4 and 6f38eb8.

📒 Files selected for processing (1)
  • .github/workflows/docs-deploy.yaml

@cblecker

Copy link
Copy Markdown
Member

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

  • The changed files don't match any pipeline_run_if_changed patterns
  • All files match pipeline_skip_if_only_changed patterns
  • No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cblecker, dependabot[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 17, 2026
@cblecker

Copy link
Copy Markdown
Member

/verified bypass

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 17, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@cblecker: The verified label has been added.

Details

In response to this:

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox

Copy link
Copy Markdown
Member

/ok-to-test

@bryan-cox

Copy link
Copy Markdown
Member

/retitle NO-JIRA: ci(deps): bump actions/setup-node from 6.4.0 to 7.0.0

@openshift-ci openshift-ci Bot changed the title ci(deps): bump actions/setup-node from 6.4.0 to 7.0.0 NO-JIRA: ci(deps): bump actions/setup-node from 6.4.0 to 7.0.0 Jul 17, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@dependabot[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Bumps actions/setup-node from 6.4.0 to 7.0.0.

Release notes

Sourced from actions/setup-node's releases.

v7.0.0

What's Changed

Enhancements:

Bug fixes:

Documentation updates:

Dependency update:

New Contributors

Full Changelog: actions/setup-node@v6...v7.0.0

v6.5.0

What's Changed

Full Changelog: actions/setup-node@v6.4.0...v6.5.0

Commits
  • 8207627 Migrate to ESM and upgrade dependencies (#1574)
  • 04be95c Add cache-primary-key and cache-matched-key as outputs (#1577)
  • 7c2c68d docs: Update caching recommendations to mitigate cache poisoning risks (#1567)
  • 6a61c03 Merge pull request #1569 from jasongin/update-actions-cache-5.1.0
  • 30eb73b Resolve high-severity audit issues
  • 4e1a87a Update dist
  • 360237f Strict equality
  • 4f8aac5 Bump @​actions/cache to 5.1.0, log cache write denied
  • f4a67bb Only use mirrorToken in getManifest if it's provided (#1548)
  • 0355742 Remove dummy NODE_AUTH_TOKEN export (#1558)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
  • Updated the documentation preview deployment to use the latest Node setup action.
  • Kept the existing Node.js 20 configuration and all deployment steps the same.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 17, 2026
@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bryan-cox

Copy link
Copy Markdown
Member

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci Bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Jul 17, 2026
@openshift-merge-bot
openshift-merge-bot Bot merged commit bcebdfc into main Jul 17, 2026
19 checks passed
@dependabot
dependabot Bot deleted the dependabot/github_actions/actions/setup-node-7.0.0 branch July 17, 2026 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ci-tooling Indicates the PR includes changes for CI or tooling jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants