Upgrade GitHub Actions to Node.js 24 compatibility

[michieldegezelle]

Summary

• Bump actions/checkout from v4 to v6 in both cli_version.yml (2 occurrences) and tests.yml
• Bump actions/setup-node from v4 to v6 in tests.yml

These v6 releases use the Node.js 24 runtime. GitHub will deprecate the Node.js 20 runtime used by v4 actions; all workflows must be updated before the deadline of June 16, 2026.

Files changed

• .github/workflows/cli_version.yml
• .github/workflows/tests.yml

Test plan

• Confirm CI passes on this PR (Testing and Linting workflow + CLI version check)
• Verify no other workflow files reference actions/checkout@v4 or actions/setup-node@v4

🤖 Generated with Claude Code

[coderabbitai]

Walkthrough

CI workflows update GitHub Actions major versions (actions/checkout and actions/setup-node to v6). Release metadata is updated: CHANGELOG.md gains a 1.55.2 entry and package.json version bumps to 1.55.2.

Changes

GitHub Actions Upgrades

Layer / File(s)	Summary
Update actions to v6 .github/workflows/cli_version.yml, .github/workflows/tests.yml	actions/checkout is upgraded from @v4 to @v6 in the CLI version workflow's conditional "Checkout current branch" and "Checkout main branch" steps and in the tests workflow; actions/setup-node is upgraded from @v4 to @v6 in the tests workflow.

Release and version bump

Layer / File(s)	Summary
Changelog and package version CHANGELOG.md, package.json	Add ## [1.55.2] (04/06/2026) changelog entry noting dependency security fixes; bump version in package.json from 1.55.1 to 1.55.2.

---

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Upgrade GitHub Actions to Node.js 24 compatibility' accurately describes the primary change—updating GitHub Actions to v6 for Node.js 24 compatibility.
Description check	✅ Passed	The description includes a summary of changes, files modified, and a test plan, though it deviates from the template structure by omitting the required sections (Fixes, Description heading, Testing Instructions with numbered steps, and Checklists).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/node24-actions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/cli_version.yml (1)

38-38: 💤 Low value

Optional: pin actions to a commit SHA to satisfy zizmor's unpinned-uses policy.

The @v6 bumps are valid. zizmor flags these as unpinned per its blanket pin-to-hash policy. This is pre-existing (the @v4 refs were also tag-pinned), so it's not introduced here, but since you're already touching these lines you could pin to the release commit SHA (with the version as a trailing comment) to clear the finding.

♻️ Example pinning (use the actual v6 release SHA)

-        uses: actions/checkout@v6
+        uses: actions/checkout@<v6-release-sha> # v6

Also applies to: 44-44

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cli_version.yml at line 38, Replace the unpinned action
reference "actions/checkout@v6" with the specific release commit SHA for the v6
release and keep the human-readable tag as a trailing comment (e.g., use the
full commit hash with a comment like "# v6") so zizmor's unpinned-uses policy is
satisfied; do the same for the other occurrence ("actions/checkout@v6" at the
other line) so both references are pinned while still indicating the version tag
for clarity.

.github/workflows/tests.yml (1)

21-21: 💤 Low value

Optional: pin actions to a commit SHA to satisfy zizmor's unpinned-uses policy.

Both @v6 bumps are valid; the action runtime (Node 24) is independent of the matrix node-version: 22.x used to run your tests, so there's no conflict. As in cli_version.yml, zizmor flags these as unpinned per its blanket policy — optionally pin to the release commit SHA to clear the finding.

Also applies to: 24-24

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml at line 21, Replace the unpinned action
references (e.g., the uses: actions/checkout@v6 entries) with pinned commit
SHAs: locate each occurrence of "actions/checkout@v6" in the workflow and change
the tag to the repository commit SHA for the v6 release
(actions/checkout@<commit-sha>), doing the same for any other unpinned action
tags flagged by zizmor; ensure you use the exact release commit SHA for the
corresponding tag so the workflow references an immutable commit instead of a
floating tag.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/cli_version.yml:
- Line 38: Replace the unpinned action reference "actions/checkout@v6" with the
specific release commit SHA for the v6 release and keep the human-readable tag
as a trailing comment (e.g., use the full commit hash with a comment like "#
v6") so zizmor's unpinned-uses policy is satisfied; do the same for the other
occurrence ("actions/checkout@v6" at the other line) so both references are
pinned while still indicating the version tag for clarity.

In @.github/workflows/tests.yml:
- Line 21: Replace the unpinned action references (e.g., the uses:
actions/checkout@v6 entries) with pinned commit SHAs: locate each occurrence of
"actions/checkout@v6" in the workflow and change the tag to the repository
commit SHA for the v6 release (actions/checkout@<commit-sha>), doing the same
for any other unpinned action tags flagged by zizmor; ensure you use the exact
release commit SHA for the corresponding tag so the workflow references an
immutable commit instead of a floating tag.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c0f66540-0a28-4293-9204-376a7a7b4d01

📥 Commits

Reviewing files that changed from the base of the PR and between 6cee352 and 33afe53.

📒 Files selected for processing (2)

• .github/workflows/cli_version.yml
• .github/workflows/tests.yml

[BenjaminLangenakenSF]

Approved!

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cli_version.yml:
- Line 38: Replace the floating `uses: actions/checkout@v6` references with
pinned full commit SHAs for both occurrences (the two `uses:
actions/checkout@v6` lines) to satisfy the unpinned-uses policy; locate each
`uses: actions/checkout@v6` in the workflow and change it to `uses:
actions/checkout@<FULL_COMMIT_SHA>` (use the official actions/checkout
repository commit SHA you intend to pin), and commit the updated workflow.

In @.github/workflows/tests.yml:
- Line 21: The workflow currently uses mutable tags for third-party actions —
update the two uses entries referencing actions/checkout@v6 and
actions/setup-node@v6 to pinned immutable SHAs: locate the uses lines that
mention "actions/checkout" and "actions/setup-node" in the tests.yml and replace
the tag versions with the corresponding full commit digests (the commit SHA for
the exact release you want) so both uses: entries are fixed to exact SHAs rather
than floating tags.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 92369c0e-4302-4990-9992-f300b32f7a92

📥 Commits

Reviewing files that changed from the base of the PR and between 33afe53 and 428bcce.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• .github/workflows/cli_version.yml
• .github/workflows/tests.yml
• CHANGELOG.md
• package.json

✅ Files skipped from review due to trivial changes (2)

• package.json
• CHANGELOG.md