# B22 — GitHub Actions workflow: EOL runners and EOL action versions Bug ref : always.md B.22 ; pharo.md §7 Severity : LOW (runners disappear; actions stop receiving security fixes) File : .github/workflows/continuous-integration-workflow.yaml Lines (HEAD) : `runs-on: ubuntu-18.04`, `runs-on: windows-2016`, `uses: actions/checkout@v1`, `uses: actions/upload-artifact@v1` ## Problem - `ubuntu-18.04` was retired by GitHub in 2022. - `windows-2016` was retired by GitHub in 2022. - `actions/checkout@v1` and `actions/upload-artifact@v1` are no longer maintained and have known security-relevant fixes in v4. The current workflow continues to reference all four. A re-run today either fails outright (runners removed) or runs without recent hardening fixes. ## Fix Bump to currently-supported runners and pin actions to the latest major (or a commit SHA for hermeticity). ```diff diff --git a/.github/workflows/continuous-integration-workflow.yaml b/.github/workflows/continuous-integration-workflow.yaml index b1633efa7..8c9dc0939 100644 --- a/.github/workflows/continuous-integration-workflow.yaml +++ b/.github/workflows/continuous-integration-workflow.yaml @@ -8,7 +8,7 @@ jobs: strategy: matrix: variant: - - os: ubuntu-18.04 + - os: ubuntu-22.04 appname: Pharo vmExecutable: pharo - os: macos-latest @@ -21,14 +21,14 @@ jobs: CXX: clang++ steps: - name: Install dependencies (Linux) - if: matrix.variant.os == 'ubuntu-18.04' + if: matrix.variant.os == 'ubuntu-22.04' run: sudo apt-get install uuid-dev - name: Install dependencies (OS X) if: matrix.variant.os == 'macos-latest' run: brew install autoconf automake libtool - - uses: actions/checkout@v1 + - uses: actions/checkout@v4 - name: CMake configuration run: | @@ -48,7 +48,7 @@ jobs: mkdir -p ../artifacts cp -f build/packages/*.zip build/packages/*.sha1 ../artifacts - name: Upload artifacts - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: build-artifacts path: artifacts @@ -58,14 +58,14 @@ jobs: run: scripts/runTests.sh - name: Upload test results continue-on-error: true - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: test-results path: test-results build-windows-cygwin: name: Build Windows Cygwin - runs-on: windows-2016 + runs-on: windows-2022 strategy: matrix: variant: @@ -75,7 +75,7 @@ jobs: APPNAME: ${{matrix.variant.appname}} VM_EXECUTABLE_NAME: ${{ matrix.variant.vmExecutable }} steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v4 - name: Install Cygwin run: .\scripts\installCygwin.ps1 "setup-x86_64.exe" x86_64 @@ -103,7 +103,7 @@ jobs: shell: pwsh.exe -File .\scripts\runScriptInCygwinBash.ps1 {0} - name: Upload artifacts - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: build-artifacts path: artifacts @@ -115,7 +115,7 @@ jobs: - name: Upload test results continue-on-error: true - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: test-results path: test-results ``` ## Test plan - Re-run the workflow on a non-publishing branch; confirm jobs complete on the new runners. - Test artifact upload still produces the expected zip with `.sha1` in the artifact bundle. ## Risk notes - `actions/upload-artifact@v4` changes behaviour around per-job artifact merging; verify that the consuming `build-artifacts` download still works on the consumer side. - `actions/checkout@v4` requires Node 20, which is what ubuntu-22.04 and windows-2022 runners provide. - For supply-chain extreme hardening, pin to commit SHAs (e.g. `uses: actions/checkout@`). For most repos `@v4` is the pragmatic balance.