chore(ci): bump actions/checkout to v7 and actions/setup-node to v6#122
Merged
Conversation
Both actions still target Node.js 20, which is deprecated on GitHub Actions runners and now force-run on Node.js 24, producing a deprecation warning on every workflow run. Bumping straight to the latest majors (rather than v5 which is the minimum Node 24 bump) for future-proofing. Neither breaking change in the new majors affects this workflow: - actions/checkout v7: blocks fork-PR checkout for pull_request_target / workflow_run (we use neither trigger) and persists creds to a separate file. - actions/setup-node v6: limits auto-caching to npm (we don't use the cache input at all). Ref: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
ahanoff
force-pushed
the
chore/bump-actions-to-node24
branch
from
8967182 to
0981cc4
Compare
ahanoff
changed the title
No code change. Forces a fresh workflow run to validate the updated MS_TEAMS_WEBHOOK_URI secret.
ahanoff
added a commit
that referenced
this pull request
Jun 19, 2026
## Summary Adds the first unit tests in the repo. Extracts the Adaptive Card construction logic from `src/main.ts` into a new `src/card.ts` so it can be exercised without going through the GitHub Actions runtime, then adds `src/__tests__/card.test.ts` with 28 cases pinning the JSON-safety contract from #121. **Stacked on #121.** After #121 merges, this PR will auto-retarget to `main`. ## Why The repo currently has **zero unit tests** — the only test surface is the end-to-end smoke workflow in `test.yml`, which posts to the real MS Teams webhook. That made verifying #121's fix expensive: 4 test commits × 4 Node versions = 16 messages to the Teams channel per test session, and enough volume to trip Power Automate rate limits. With these unit tests, the JSON-safety regression can be verified locally in **~1.5 seconds** with **zero webhook calls**. Future contributors who touch `card.ts` get immediate feedback if they break the contract. ## Changes ### `src/card.ts` (new) - Moves the inline `temlpateData` template object out of `main.ts` (also fixes the pre-existing typo → `templateData`). - Exports `CardData` (typed shape of the data passed into the template) and `WebhookBody` (typed shape of the Teams payload envelope). - Exports `buildWebhookBody(data: CardData): WebhookBody` — a pure function that runs `new Template(templateData).expand({ $root: data })` and wraps the result in the `type: 'message'` envelope. This is the exact code path #121 fixed. ### `src/main.ts` - Imports `buildWebhookBody` and `CardData` from `./card`. - Replaces the inline template + 50-line `template.expand({...})` block with a typed `cardData` object passed to `buildWebhookBody(cardData)`. Behaviour is unchanged. ### `src/__tests__/card.test.ts` (new) 28 test cases: - **Payload envelope (3):** correct `type: 'message'` wrapper, `content` is a plain object (not a JSON string — the original bug pattern), Adaptive Card v1.4. - **Commit message JSON safety (16 + 2):** each case verifies the full webhook body survives `JSON.stringify` → `JSON.parse` round-trip, and that the original commit message characters appear verbatim in the parsed Commit fact. Covers: - `"double quotes"` — the original failing case from #121 - `\` backslashes (single, trailing, mixed with `/`) - `\t`, `\r`, `\n` control characters - `'single quotes'`, `< > [ ]` brackets - Emoji 🚀, CJK 日本語中文 한국어 - `${1+1}` and `${$root.commit.message}` template-injection attempts (verified NOT evaluated by the templating engine) - Empty string, plain ASCII baseline - **`workflow.name` JSON safety (4):** same contract applied to the workflow name field (also user-controlled via the workflow YAML). - **`repository.name` JSON safety (3):** same contract applied to the repository name. ### `.eslintignore` - Adds `src/__tests__/`. The `i18n-text/no-en` rule from `eslint-plugin-github` forbids English string literals, which is incompatible with `describe()`/`it()` test descriptions. ts-jest still type-checks the test files at runtime. ### `dist/main/index.js` - Rebuilt via `npm run package` (the `action.yml` entrypoint points here). ## Verification ``` $ npm test Test Suites: 1 passed, 1 total Tests: 28 passed, 28 total Time: 1.509 s $ npm run build # tsc clean $ npm run format-check # prettier clean $ npm run lint # 0 new errors vs main (1 informational warning about the ignored test file) ``` ## Follow-up (not in this PR) The repo's `test.yml` workflow doesn't run `npm test` yet, so these tests currently only run locally. A small follow-up PR could add a `npm ci && npm test` step to the workflow so regressions are caught in CI without needing the Teams webhook. Kept out of scope here to avoid conflicting with #122 (which also touches `test.yml`).
ahanoff
added a commit
that referenced
this pull request
Jun 19, 2026
…onnectors (#123) ## Summary Updates the README setup instructions to reflect that Microsoft has retired the legacy Office 365 connectors / incoming webhooks in Teams, and aligns the steps with the **current Microsoft Learn walkthrough** (updated Oct 2025). ## Background Microsoft has [retired the legacy Office 365 connectors / incoming webhooks](https://devblogs.microsoft.com/microsoft365dev/retirement-of-office-365-connectors-within-microsoft-teams/). The old-style URLs (`https://*.webhook.office.com/...` or `https://outlook.office.com/webhook/...`) silently accept POSTs with a 2xx response but no longer deliver messages to the channel. From the action's side everything looks healthy (workflow job succeeds, response is `ok`), but nothing arrives in Teams. ## What changes Replaces the previous one-liner step 1 with concrete instructions for creating a **Workflows-based incoming webhook** via the Teams **Workflows** app. The steps now mirror the canonical Microsoft Learn article ([Create an Incoming Webhook](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook), last updated 2025-10-01): - Open the channel → **... (More options)** → **Workflows** - Search for and select the **"Send webhook alerts to a channel"** template - Configure workflow parameters (pick team + channel) → **Save** - Copy the resulting `https://prod-XX.<region>.logic.azure.com:443/workflows/.../triggers/manual/paths/invoke?...` URL - Store it as the `MS_TEAMS_WEBHOOK_URI` secret Also adds: - A link to the canonical Microsoft Learn walkthrough for users who want more detail. - A `> [!WARNING]` GitHub admonition (replacing the previous `>⚠️ ` emoji blockquote) describing the retirement of legacy connector URLs, so users with an existing `MS_TEAMS_WEBHOOK_URI` secret understand why their notifications silently stopped. > [!NOTE] > The template name changed: previous versions of the MS docs called it *"Post to a channel when a webhook request is received"*; the current name (as of Oct 2025) is *"Send webhook alerts to a channel"*. The README now uses the current name. ## Scope Docs-only change. No source or built artifact touched. Independent of #121 (test/code) and #122 (CI bump, already merged).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps the two GitHub-provided actions in
.github/workflows/test.ymlto the latest majors:actions/checkout@v4→actions/checkout@v7(latest: v7.0.0, Jun 2026)actions/setup-node@v4→actions/setup-node@v6(latest: v6.4.0, Apr 2026)Why
@v4of both actions runs on Node.js 20, which was deprecated on GitHub Actions runners and is now force-run on Node.js 24, producing this warning on every workflow run:Both new majors target Node.js 24 natively (since v5), eliminating the warning.
Why latest (v7 / v6) and not the minimum v5 bump
v5 of each action is the minimum required to fix the Node 20 deprecation. Going straight to the latest major is preferred here because neither breaking change affects this workflow:
actions/checkout@v7pull_request_targetandworkflow_runtriggerspushandpull_requestactions/setup-node@v6cacheinputAlso picks up ESM migration and various dependency/security updates in
actions/checkout@v7.Ref: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Scope
Workflow-only change. No source code or built artifact touched. Separate from #121.