chore(build): upgrade Node.js from 20 to 24 and bump cspell to v10#1353
Merged
WilliamBerryiii merged 1 commit intomainfrom Apr 13, 2026
Merged
chore(build): upgrade Node.js from 20 to 24 and bump cspell to v10#1353WilliamBerryiii merged 1 commit intomainfrom
WilliamBerryiii merged 1 commit intomainfrom
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1353 +/- ##
==========================================
- Coverage 87.66% 87.65% -0.02%
==========================================
Files 61 61
Lines 9328 9328
==========================================
- Hits 8177 8176 -1
- Misses 1151 1152 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
- update node-version to 24 across all 14 CI/CD workflow files - bump cspell and @cspell/cspell-json-reporter from 9.8.0 to 10.0.0 - update devcontainer feature and copilot-instructions to Node.js 24 ⬆️ - Generated by Copilot
WilliamBerryiii
force-pushed
the
chore/upgrade-node-20-to-24
branch
from
60b6c76 to
3e0034d
Compare
katriendg
approved these changes
Apr 13, 2026
nguyena2
approved these changes
Apr 13, 2026
This was referenced Apr 13, 2026
This was referenced Apr 14, 2026
bindsi
added a commit
that referenced
this pull request
Apr 14, 2026
**_superseding PR #1358_** # fix(workflows): add bot filter to dependency PR review workflow The dependency PR review agentic workflow triggered for any pull request matching dependency file paths, regardless of author. Human-authored PRs touching those paths (e.g., `.github/workflows/*.yml`) spun up the full pre-activation → activation → agent pipeline before the agent could call `noop` to exit. This wasted CI resources on ineligible runs. Added the `bots: ["dependabot[bot]"]` frontmatter field to the `on:` section, which moves the actor check from agent runtime to the platform pre-activation job. The existing runtime `noop` activation guard remains as defense-in-depth. Recompiled all agentic workflow lock files with the latest gh-aw compiler. ## Description > Observed in [actions/runs/24359308843](https://github.com/microsoft/hve-core/actions/runs/24359308843), where a `synchronize` event from a human contributor on PR #1353 triggered the full workflow pipeline unnecessarily. Recompiled all 5 agentic workflow lock files from **gh-aw v0.65.4** to **v0.68.1**, resolving two distinct runtime failures that caused repeated "No Safe Outputs Generated" errors across 20+ workflow runs. > The old compiler version generated lock files with incompatible configurations for the current runtime environment, causing both checkout failures and MCP server policy blocks. ### Workflow Bot Filter - Added **`bots: ["dependabot[bot]"]`** to the `on:` frontmatter in *dependency-pr-review.md*, restricting pre-activation to Dependabot-authored PRs only - The platform pre-activation job now injects `GH_AW_ALLOWED_BOTS: "dependabot[bot]"` and rejects non-Dependabot actors before the agent job queues - Preserved the existing **runtime activation guard** (`noop` call when PR author is not `dependabot[bot]`) as a second layer of defense ### Lock File Regeneration Recompiled all agentic workflow lock files via `gh aw compile`, picking up the `bots:` field and a compiler version upgrade. - *dependency-pr-review.lock.yml* — now includes `GH_AW_ALLOWED_BOTS` check in pre-activation - *doc-update-check.lock.yml* — compiler version bump - *issue-implement.lock.yml* — compiler version bump - *issue-triage.lock.yml* — compiler version bump - *pr-review.lock.yml* — compiler version bump - *actions-lock.json* — updated action SHA references ### Root Causes Fixed The **sparse-checkout failure** in *dependency-pr-review* occurred because the v0.65.4 compiler merged `on.pull_request.paths` glob patterns (`**/requirements.txt`, `**/pyproject.toml`) into the `git sparse-checkout set` command. Git cone-mode rejects `**` glob patterns with `fatal: specify directories rather than patterns`. The **MCP policy blocking** affected all workflows. Lock files compiled with AWF v0.25.6 and MCP Gateway v0.2.14 were incompatible with the updated runtime's stricter MCP server policies, causing `2 MCP servers were blocked by policy: 'github', 'safeoutputs'`. The agent completed reviews but could not submit results through safe-output tools. ### Version Upgrades All lock files updated to the same component versions: | Component | Before | After | |---|---|---| | gh-aw compiler | v0.65.4 | v0.68.1 | | AWF (firewall) | v0.25.6 | v0.25.18 | | MCP Gateway | v0.2.14 | v0.2.17 | | `actions/github-script` | v8 | v9 | | `github/gh-aw-actions/setup` | v0.65.6 | v0.68.1 | The *actions-lock.json* consolidated 4 stale `github/gh-aw-actions/setup` version pins (v0.63.1, v0.65.4, v0.65.6, v0.67.1) into a single v0.68.1 entry. ## Related Issue(s) Fixes #1261 Fixes #1357 Fixes #1361 ## Type of Change Select all that apply: **Code & Documentation:** * [x] Bug fix (non-breaking change fixing an issue) * [ ] New feature (non-breaking change adding functionality) * [ ] Breaking change (fix or feature causing existing functionality to change) * [ ] Documentation update **Infrastructure & Configuration:** * [x] GitHub Actions workflow * [ ] Linting configuration (markdown, PowerShell, etc.) * [ ] Security configuration * [ ] DevContainer configuration * [ ] Dependency update **AI Artifacts:** * [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback * [ ] Copilot instructions (`.github/instructions/*.instructions.md`) * [ ] Copilot prompt (`.github/prompts/*.prompt.md`) * [ ] Copilot agent (`.github/agents/*.agent.md`) * [ ] Copilot skill (`.github/skills/*/SKILL.md`) > Note for AI Artifact Contributors: > > * Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones. > * Skills: Must include both bash and PowerShell scripts. See [Skills](../docs/contributing/skills.md). > * Model Versions: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected. > * See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements). **Other:** * [ ] Script/automation (`.ps1`, `.sh`, `.py`) * [ ] Other (please describe): ## Sample Prompts (for AI Artifact Contributions) <!-- If you checked any boxes under "AI Artifacts" above, provide a sample prompt showing how to use your contribution --> <!-- Delete this section if not applicable --> **User Request:** <!-- What natural language request would trigger this agent/prompt/instruction? --> **Execution Flow:** <!-- Step-by-step: what happens when invoked? Include tool usage, decision points --> **Output Artifacts:** <!-- What files/content are created? Show first 10-20 lines as preview --> **Success Indicators:** <!-- How does user know it worked correctly? What validation should they perform? --> For detailed contribution requirements, see: * Common Standards: [docs/contributing/ai-artifacts-common.md](../docs/contributing/ai-artifacts-common.md) - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing * Agents: [docs/contributing/custom-agents.md](../docs/contributing/custom-agents.md) - Agent configurations with tools and behavior patterns * Prompts: [docs/contributing/prompts.md](../docs/contributing/prompts.md) - Workflow-specific guidance with template variables * Instructions: [docs/contributing/instructions.md](../docs/contributing/instructions.md) - Technology-specific standards with glob patterns * Skills: [docs/contributing/skills.md](../docs/contributing/skills.md) - Task execution utilities with cross-platform scripts ## Testing - Verified `bots:` field placement at line 13 in the frontmatter at the correct indentation level within the `on:` block. - Confirmed runtime `noop` activation guard remains intact at lines 57-62. - Confirmed `GH_AW_ALLOWED_BOTS: "dependabot[bot]"` present in the compiled *dependency-pr-review.lock.yml*. - Security analysis: no sensitive data exposure, no privilege changes, no dependency vulnerabilities. - All required automated checks passed (markdown lint, spell check, frontmatter validation, skill validation, link validation, PowerShell analysis). - Manual testing was not performed. ## Checklist ### Required Checks * [x] Documentation is updated (if applicable) (N/A — no documentation changes required) * [x] Files follow existing naming conventions * [x] Changes are backwards compatible (if applicable) * [ ] Tests added for new functionality (if applicable) (N/A — frontmatter field change; no testable code) ### AI Artifact Contributions <!-- If contributing an agent, prompt, instruction, or skill, complete these checks --> * [ ] Used `/prompt-analyze` to review contribution * [ ] Addressed all feedback from `prompt-builder` review * [ ] Verified contribution follows common standards and type-specific requirements ### Required Automated Checks The following validation commands must pass before merging: * [x] Markdown linting: `npm run lint:md` * [x] Spell checking: `npm run spell-check` * [x] Frontmatter validation: `npm run lint:frontmatter` * [x] Skill structure validation: `npm run validate:skills` * [x] Link validation: `npm run lint:md-links` * [x] PowerShell analysis: `npm run lint:ps` ## Notes - Lock files are generated output from `gh aw compile` and should not be edited directly. - All lock files were recompiled together, picking up both the `bots:` field and a compiler version upgrade to the gh-aw action references. ## Follow-up Tasks - Verify the next Dependabot PR correctly activates the workflow after merge. --------- Signed-off-by: Marcel Bindseil <[email protected]>
WilliamBerryiii
pushed a commit
that referenced
this pull request
Apr 24, 2026
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Description
Upgrade Node.js from 20 to 24 across all CI/CD workflows, the development container, and documentation. Bump cspell and @cspell/cspell-json-reporter from 9.8.0 to 10.0.0.
Motivation: cspell v10.0.0 drops Node.js 20 support (engine requirement
>=22.18.0), which caused thespell-check.ymlworkflow to fail on PR #1346. Node.js 24 is selected as the current LTS target that satisfies all dependency requirements.Scope:
node-version: 24.devcontainer/devcontainer.jsonNode.js feature version"20"→"24".devcontainer/README.mdupdated to reflect Node.js 24.github/copilot-instructions.mdpre-installed tools section updatedpackage.jsoncspell dependency bump 9.8.0 → 10.0.0package-lock.jsonregenerated — three transitive dependencies removed,import-freshupgradedRelated Issue(s)
Fixes #1352
Related: PR #1346 (original build failure)
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Testing
Automated Validation
npm run lint:yamlnpm installnpm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsDiff-Based Assessment
node-versionchanged from 20 to 24 with existing quoting conventions preserved>=22.18.0) confirmed satisfied by Node.js 24clear-module,callsites,parent-moduleManual Testing
Manual testing was not performed. Changes are infrastructure-only (CI runtime version and dependency bump).
Checklist
Required Checks
AI Artifact Contributions
N/A — no AI artifacts modified in this PR.
Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsSecurity Considerations
Additional Notes