Skip to content

chore: bump oven-sh/setup-bun to v2.2.0 (Node.js 24)#1238

Merged
ashwin-ant merged 1 commit intomainfrom
ashwin/bump-setup-bun-node24
Apr 20, 2026
Merged

chore: bump oven-sh/setup-bun to v2.2.0 (Node.js 24)#1238
ashwin-ant merged 1 commit intomainfrom
ashwin/bump-setup-bun-node24

Conversation

@ashwin-ant
Copy link
Copy Markdown
Collaborator

@ashwin-ant ashwin-ant commented Apr 20, 2026

Summary

  • Bump oven-sh/setup-bun pin from v2.1.2 → v2.2.0 (0c5077e) in both action.yml and base-action/action.yml
  • v2.2.0 declares using: "node24"; v2.1.2 uses Node.js 20, which GitHub-hosted runners will force-migrate on June 2, 2026
  • bun-version: 1.3.6 is unchanged — only the installer action's Node runtime is affected

Fixes #1237

Test plan

  • bun run format:check passes
  • Verified v2.2.0 SHA matches refs/tags/v2.2.0 and current refs/tags/v2
  • Verified setup-bun@v2.2.0 action.yml declares using: "node24"
  • CI green on this PR (runner annotation for Node 20 deprecation should disappear)

@ashwin-ant
chore: bump oven-sh/setup-bun to v2.2.0 (Node.js 24)
eeddd3e 
setup-bun v2.1.2 runs on Node.js 20, which GitHub will stop supporting
on June 2, 2026. v2.2.0 updates the action runtime to Node.js 24.

Fixes #1237
claude[bot]
claude bot reviewed Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — verified the SHA matches oven-sh/setup-bun refs/tags/v2.2.0 and v2.

Extended reasoning...

Overview

This PR bumps the pinned commit SHA for the oven-sh/setup-bun action from v2.1.2 (3d26778) to v2.2.0 (0c5077e) in both action.yml and base-action/action.yml. The bun-version: 1.3.6 input is unchanged, so the actual Bun runtime used by the action stays the same — only the Node.js runtime that executes the setup-bun installer moves from Node 20 to Node 24, addressing the upcoming GitHub-hosted runner deprecation.

Security risks

The primary supply-chain concern for a third-party action bump is whether the new SHA actually points to the claimed release. I independently verified via git ls-remote that 0c5077e51419868618aeaa5fe8019c62421857d6 is the exact commit for both refs/tags/v2.2.0 and the floating refs/tags/v2 on oven-sh/setup-bun. The pin is by full SHA (not tag), so it's immutable. No new inputs, permissions, or env vars are introduced.

Level of scrutiny

Low. This is a two-line mechanical version bump of a well-known action, pinned by SHA, with no logic changes. The diff is identical in both files and follows the existing pattern (SHA pin + release URL comment).

Other factors

No bugs were flagged by the bug hunter, no CODEOWNERS file exists for these paths, and there are no outstanding reviewer comments on the timeline. The PR description's verification steps (SHA match, using: node24) align with what I confirmed.

@ashwin-ant ashwin-ant enabled auto-merge (squash) April 20, 2026 00:35
chrislloyd
chrislloyd approved these changes Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@chrislloyd chrislloyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stamped 🔨

@ashwin-ant ashwin-ant merged commit 4c682d8 into main Apr 20, 2026
38 checks passed
@ashwin-ant ashwin-ant deleted the ashwin/bump-setup-bun-node24 branch April 20, 2026 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@chrislloyd chrislloyd chrislloyd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Request: bump oven-sh/setup-bun pin before GitHub's June 2, 2026 Node.js 20 removal

2 participants

@ashwin-ant @chrislloyd