Summary
A full audit of all 14 workflow files under .github/workflows/ identified 22 unique action references. Of these, 8 require attention: 3 are critical (a discontinued action or the hard June 2026 runtime deadline), 2 are behind the latest stable release or need their pin verified, and 3 are patch/consistency fixes.
⚠️ GitHub makes Node.js 24 the default runner runtime on June 2, 2026. The two actions below that still declare the deprecated Node.js 20 runtime will be executed on Node.js 24 from that date whether or not they support it, so they must be upgraded before then.
Workflow map
Understanding the caller/reusable relationships is important for scoping PRs correctly — changes to image-reuse.yaml in particular ripple through CI, image publishing, and release simultaneously.
| File | Role | Trigger | Relationship |
|---|---|---|---|
| image-reuse.yaml | Reusable | workflow_call only | Called by ci-build.yaml, image.yaml, release.yaml. Core image build pipeline — most impactful file in the graph. |
| image.yaml | Both | push to master/release + workflow_call | Calls image-reuse.yaml + slsa-github-generator (external). Also callable by other workflows. |
| release.yaml | Caller | push to `v*` tags | Calls image-reuse.yaml + slsa-github-generator (external ×2) for image provenance, goreleaser provenance, and SBOM provenance. |
| ci-build.yaml | Caller | push, pull_request | Calls image-reuse.yaml for CI image build. |
| codeql.yml | Standalone | push, pull_request, schedule | No cross-workflow calls. CodeQL static analysis for Go and JS. |
| scorecard.yaml | Standalone | push to master, schedule | No cross-workflow calls. OSSF Scorecard supply-chain analysis. |
| renovate.yaml | Standalone | schedule (hourly), workflow_dispatch | No cross-workflow calls. Self-hosted Renovate bot. |
| init-release.yaml | Standalone | workflow_dispatch (manual only) | No cross-workflow calls. Release branch initialisation. |
| update-snyk.yaml | Standalone | schedule (weekly), workflow_dispatch | No cross-workflow calls. Regenerates Snyk vulnerability reports and opens a PR. |
Dependency chain:
ci-build.yaml → image-reuse.yaml
image.yaml → image-reuse.yaml + slsa-github-generator (external)
release.yaml → image-reuse.yaml + slsa-github-generator (external ×2)
Motivation
Findings
🔴 P1 — Fix immediately (deprecated / hard deadline)
| Action | Current | Latest | File(s) | Reason |
|---|---|---|---|---|
| github/codeql-action (/init · /analyze · /upload-sarif) | v2.17.2 | v4.34.0 | codeql.yml, scorecard.yaml | v2 is fully discontinued. Must upgrade to v4 (Node.js 24). All three sub-actions must be bumped together in the same PR. |
| actions/create-github-app-token | v1 | v3.0.0 | renovate.yaml | v1 and v2 run on deprecated Node.js 20. GitHub forces Node.js 24 from June 2, 2026. v2 will never migrate off Node.js 20 per upstream guidance. |
| actions/checkout (codeql.yml only) | v4.0.0 | v6.0.2 | codeql.yml | Only this file is still on v4 — all other files use v6. Bundle with the CodeQL v4 upgrade PR. |
🟡 P2 — Upgrade soon (behind latest stable)
| Action | Current | Latest | File(s) | Reason |
|---|---|---|---|---|
| ossf/scorecard-action | v2.3.x | v2.4.0 | scorecard.yaml | v2.4.0 upgrades the Scorecard engine to v5.3.0 with improved check accuracy. Bundle with the CodeQL PR since both live in scorecard.yaml. |
| actions/setup-go | SHA comment: "v6.3.0" | v5.5.0 (marketplace) | ci-build.yaml, release.yaml, image-reuse.yaml, codeql.yml | The marketplace major tag is v5, and the comment "v6.3.0" matches no release visible on the marketplace at audit time. Before changing anything, resolve the pinned SHA against the upstream tags (`git ls-remote --tags`) to learn which release, if any, it actually is: if the pin is intentional, correct the comment; if not, realign to the latest v5 SHA. Note: image-reuse.yaml is called by 3 workflows, so this fix has wide impact. |
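The verification the setup-go row asks for, as an added example rather than the project's own tooling: resolve a pinned commit SHA against the action repository's tags and classify the pin as correct, mis-commented, or pointing at no release at all. The `git ls-remote --tags` output and the SHAs embedded below are constructed placeholders; `fetch_tags()` is an assumed helper that runs the real command against a repository you name.

```python
"""Resolve a pinned commit SHA against an action repo's tags (stdlib only).

Added example, not the audited project's tooling. `git ls-remote --tags`
prints every tag; for an annotated tag it prints two lines, the tag object
and a peeled `refs/tags/<tag>^{}` line carrying the commit it points to.
A `uses: owner/repo@<sha>` pin is a commit SHA, so it must be compared with
the peeled line, never with the tag object. The ls-remote output below is
constructed with placeholder SHAs; fetch_tags() performs the real query.
"""
import subprocess


def fetch_tags(repo):
    """Raw `git ls-remote --tags` output for github.com/<repo> (needs network)."""
    return subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}"],
        capture_output=True, text=True, check=True,
    ).stdout


def tag_commits(ls_remote_output):
    """Map tag name -> commit SHA, preferring the peeled '^{}' entry for annotated tags."""
    commits = {}
    for line in ls_remote_output.splitlines():
        parts = line.split("\t", 1)
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, tag = parts[0], parts[1][len("refs/tags/"):]
        if tag.endswith("^{}"):               # peeled annotated tag: the real commit
            commits[tag[:-3]] = sha
        else:
            commits.setdefault(tag, sha)      # lightweight tag, or tag object until peeled
    return commits


def tags_pointing_at(ls_remote_output, sha):
    """All tags whose commit is `sha`, i.e. what a workflow's pinned SHA really is."""
    return sorted(t for t, c in tag_commits(ls_remote_output).items() if c == sha)


def check_pin(ls_remote_output, sha, comment):
    """Classify a `uses: owner/repo@<sha> # <comment>` pin against upstream tags:
    'ok' if the comment names a tag at that commit, 'comment-mismatch' if the
    commit is tagged but not as the comment claims, 'unknown-sha' if no tag
    points at it (the situation the setup-go finding describes)."""
    tags = tags_pointing_at(ls_remote_output, sha)
    if not tags:
        return "unknown-sha", tags
    return ("ok" if comment in tags else "comment-mismatch"), tags


# Constructed sample with placeholder SHAs: v5 is a lightweight major tag that
# moves to the newest release; v5.4.0 and v5.5.0 are annotated tags.
COMMIT_540, COMMIT_550 = "a" * 40, "b" * 40
TAGOBJ_540, TAGOBJ_550 = "c" * 40, "d" * 40
SAMPLE_LS_REMOTE = "\n".join([
    f"{COMMIT_550}\trefs/tags/v5",
    f"{TAGOBJ_540}\trefs/tags/v5.4.0",
    f"{COMMIT_540}\trefs/tags/v5.4.0^{{}}",
    f"{TAGOBJ_550}\trefs/tags/v5.5.0",
    f"{COMMIT_550}\trefs/tags/v5.5.0^{{}}",
])

if __name__ == "__main__":
    for sha, comment in [(COMMIT_550, "v5.5.0"), (COMMIT_540, "v6.3.0"), ("e" * 40, "v6.3.0")]:
        print(sha[:7], comment, check_pin(SAMPLE_LS_REMOTE, sha, comment))
```

Against a live repository, feed `fetch_tags("actions/setup-go")` into `check_pin()` with the SHA and comment copied from the workflow line. A `comment-mismatch` result means the pin is a real release and only the comment needs fixing; `unknown-sha` means the commit is not tagged at all and the pin itself should be questioned.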
🔵 P3 — Clean up (patch / consistency drift)
| Action | Current | Latest | File(s) | Reason |
|---|---|---|---|---|
| actions/checkout | v6.0.1 | v6.0.2 | init-release.yaml, update-snyk.yaml | Two files are still on the v6.0.1 SHA while all others use v6.0.2. Sweep all checkout usages to the same SHA across all 14 workflow files. |
| jlumbroso/free-disk-space | SHA (no version comment) | v1.3.1 | release.yaml, image-reuse.yaml | SHA is correctly pinned but missing the `# vX.Y.Z` comment required by the SHA-pinning enforcer (zgosalvez action). Add `# v1.3.1` to both usages. |
| renovatebot/github-action | SHA comment: `# 46.1.5` | v46.1.5 | renovate.yaml | Version is current but the comment lacks the `v` prefix, inconsistent with the convention enforced across all other files. |
✅ Up-to-date — no action needed
actions/upload-artifact · codecov/codecov-action · codecov/test-results-action · docker/build-push-action · docker/login-action · docker/setup-buildx-action · docker/setup-qemu-action · goreleaser/goreleaser-action · peter-evans/create-pull-request · sigstore/cosign-installer · slsa-framework/slsa-github-generator · softprops/action-gh-release · zgosalvez/github-actions-ensure-sha-pinned-actions
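As an added example, not the repository's own check, the following stdlib-only script applies the conventions behind the P3 findings to a set of workflow files and also derives the caller map from the Workflow map section: every external action pinned to a full commit SHA, every SHA carrying a `# vX.Y.Z` comment, one SHA per action across all files, and which workflows invoke each local reusable workflow. The workflow bodies and SHAs are constructed placeholders, not the repository's real pins.

```python
"""Audit `uses:` pins across GitHub Actions workflow files (stdlib only).

Added example, not the audited repository's own tooling. It checks that every
external action is pinned to a full 40-hex commit SHA, that every SHA carries
a `# vX.Y.Z` comment, and that an action is pinned to one SHA across all
files. It also maps which workflows call which local reusable workflows, so a
change to a reusable file can be scoped to its callers. The workflow bodies
and SHAs below are constructed placeholders.
"""
import re
from collections import defaultdict

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>\S+)"      # owner/repo[/path]@<ref> or ./.github/workflows/x.yaml
    r"(?:\s*#\s*(?P<comment>\S+).*)?$"        # optional trailing "# v6.0.2"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+){0,2}$")   # the repo's "# vX.Y.Z" convention


def parse_uses(workflows):
    """workflows: {filename: yaml text}. Returns (actions, callers): actions is a list of
    (file, action, ref, comment) for external actions; callers maps a file to the local
    reusable workflows it calls."""
    actions, callers = [], defaultdict(list)
    for fname, text in workflows.items():
        for line in text.splitlines():
            m = USES_RE.match(line)
            if not m:
                continue
            target, comment = m.group("target"), m.group("comment")
            if target.startswith("./"):                  # local reusable workflow
                callers[fname].append(target.rsplit("/", 1)[-1])
                continue
            action, _, ref = target.partition("@")
            actions.append((fname, action, ref, comment))
    return actions, dict(callers)


def callers_of(reusable, callers):
    """Files that invoke `reusable`: the blast radius of a change to that file."""
    return sorted(f for f, targets in callers.items() if reusable in targets)


def audit(actions):
    """Return sorted (file, action, problem) findings; file is '*' for cross-file drift."""
    findings, pins, files_using = [], defaultdict(set), defaultdict(set)
    for fname, action, ref, comment in actions:
        if not SHA_RE.match(ref):
            findings.append((fname, action, f"not SHA-pinned (uses '{ref}')"))
            continue
        pins[action].add((ref, comment))
        files_using[action].add(fname)
        if comment is None:
            findings.append((fname, action, "SHA pinned but missing '# vX.Y.Z' comment"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append((fname, action, f"comment '{comment}' does not match '# vX.Y.Z'"))
    for action, pinset in pins.items():
        if len({sha for sha, _ in pinset}) > 1:          # same action, different commits
            detail = ", ".join(f"{s[:7]} ({c})" for s, c in sorted(pinset, key=lambda p: (p[0], p[1] or "")))
            findings.append(("*", action, f"SHA drift across {sorted(files_using[action])}: {detail}"))
    return sorted(findings)


# Constructed sample modelled on the audited layout; only the `uses:` lines matter.
SHA_CHECKOUT_602, SHA_CHECKOUT_601 = "1" * 40, "2" * 40
SHA_FREE_DISK, SHA_RENOVATE = "3" * 40, "4" * 40
SAMPLE_WORKFLOWS = {
    "ci-build.yaml": (f"      - uses: actions/checkout@{SHA_CHECKOUT_602} # v6.0.2\n"
                      "    uses: ./.github/workflows/image-reuse.yaml\n"),
    "image-reuse.yaml": (f"      - uses: actions/checkout@{SHA_CHECKOUT_602} # v6.0.2\n"
                         f"      - uses: jlumbroso/free-disk-space@{SHA_FREE_DISK}\n"),
    "init-release.yaml": f"      - uses: actions/checkout@{SHA_CHECKOUT_601} # v6.0.1\n",
    "codeql.yml": "      - uses: actions/checkout@v4\n",
    "renovate.yaml": f"      - uses: renovatebot/github-action@{SHA_RENOVATE} # 46.1.5\n",
}


def run_sample():
    """Audit the constructed sample; returns (findings, callers)."""
    actions, callers = parse_uses(SAMPLE_WORKFLOWS)
    return audit(actions), callers


if __name__ == "__main__":
    findings, callers = run_sample()
    for fname, action, problem in findings:
        print(f"{fname:18} {action:28} {problem}")
    print("image-reuse.yaml is called by:", callers_of("image-reuse.yaml", callers))
```

To run it against a real checkout, build the input dict from the directory, for example `{p.name: p.read_text() for p in Path(".github/workflows").glob("*.y*ml")}`, and pass it to `parse_uses()`. The drift finding lists every file sharing the action so the sweep PR can be scoped in one pass, and `callers_of()` gives the set of calling workflows that must be exercised before a reusable workflow change merges.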
Proposal
Suggested PR breakdown
- PR 1 — Security scanning overhaul (codeql.yml, scorecard.yaml): upgrade github/codeql-action v2 → v4, actions/checkout v4 → v6, ossf/scorecard-action → v2.4.0. Both files are standalone — no caller impact.
- PR 2 — Renovate token upgrade (renovate.yaml): upgrade actions/create-github-app-token v1 → v3, fix the renovatebot/github-action comment prefix. Standalone file — no caller impact.
- PR 3 — Checkout + housekeeping sweep (multiple files): standardise actions/checkout to the v6.0.2 SHA in init-release.yaml and update-snyk.yaml, add the missing `# v1.3.1` comment on jlumbroso/free-disk-space in release.yaml and image-reuse.yaml, and investigate the actions/setup-go version comment anomaly. ⚠️ image-reuse.yaml is called by ci-build.yaml, image.yaml, and release.yaml — test all three calling contexts before merging.