ci: update GitHub Actions pins for Node 24

[thepastaclaw]

CI action Node 24 pins

Issue being fixed or feature implemented

GitHub Actions now warns that actions targeting Node.js 20 are deprecated and
are being forced to run on Node.js 24. Dash Core develop already has most of
the action updates, but a few workflows still pin older JavaScript action
versions.

What was done?

Updated the remaining workflow action pins to Node 24-compatible versions:

• eps1lon/actions-label-merge-conflict@v3.1.0
• actions/github-script@v8
• amannn/action-semantic-pull-request@v6

Also replaced the deprecated actions-ecosystem/action-add-labels@v1 usage in
the merge-check workflow with actions/github-script@v8, and granted the
minimal issues: write permission needed for PR labels/comments.

How Has This Been Tested?

• git diff --check upstream/develop..HEAD
• Parsed all workflow YAML files with Ruby YAML.load_file
• Searched .github/workflows for the deprecated action pins that triggered the
  warning
• Ran the pre-PR code review gate; result: ship

Breaking Changes

None.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation
• I have assigned this pull request to a milestone

[github-actions]

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

[thepastaclaw]

✅ Review complete (commit eb1857a)

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8d35c6ac-204f-43d7-9692-22da30d39b9e

📥 Commits

Reviewing files that changed from the base of the PR and between 15cc815 and eb1857a.

📒 Files selected for processing (4)

• .github/workflows/label-merge-conflicts.yml
• .github/workflows/merge-check.yml
• .github/workflows/release_docker_hub.yml
• .github/workflows/semantic-pull-request.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/release_docker_hub.yml

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/semantic-pull-request.yml
• .github/workflows/label-merge-conflicts.yml
• .github/workflows/merge-check.yml

---

Walkthrough

Four GitHub Actions workflows are updated. label-merge-conflicts.yml grants issues: write and upgrades eps1lon/actions-label-merge-conflict to v3.1.0. merge-check.yml updates permissions and rewrites the label step to use actions/github-script@v8 with the issues API. release_docker_hub.yml bumps actions/github-script from v7 to v8. semantic-pull-request.yml bumps amannn/action-semantic-pull-request from v5 to v6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: updating GitHub Actions pins for Node 24 compatibility.
Description check	✅ Passed	The description matches the workflow pin updates and permission changes described in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[thepastaclaw]

Code Review

PR is a small, well-scoped GitHub Actions maintenance update: bumps eps1lon/actions-label-merge-conflict, actions/github-script, and amannn/action-semantic-pull-request to Node 24-compatible majors, and replaces the deprecated actions-ecosystem/action-add-labels with an inline actions/github-script call using the official issues.addLabels REST endpoint plus the required issues: write permission. Code changes verify cleanly. The only issue is the commit body, which describes a v23.1.x release-branch backport and claims an attest-build-provenance/add-pr-comment change that does not appear in the diff — convergent finding from both commit-history agents.

_Note: GitHub does not allow me to approve my own PR; posted the same verified result as a top-level COMMENT review after inline posting failed (command failed (1): python3 scripts/review_poster.py dashpay/dash 7395 15cc815
STDOUT:

STDERR:
Traceback (most recent call last):
File "/Users/claw/.openclaw/workspace/scripts/review_poster.py", line 1163, in
result = post_review(
File "/Users/claw/)._

Reviewed commit: 15cc815

🟡 1 suggestion(s)

1 additional finding(s)

suggestion: Commit body misdescribes the change (wrong target branch, claims changes not in diff)

<commit:15cc8150> (line 1)

The commit subject (ci: update GitHub Actions pins for Node 24) is accurate, but the body is misleading and will be permanent in git log/git blame after merge:

1. It says this is a backport to this release branch, to silence GitHub's Node.js 20 deprecation warnings on the v23.1.x CI, but the PR targets develop, not v23.1.x. Future readers on develop will see a misleading provenance/target claim.
2. It claims the change replaces deprecated attest-build-provenance with actions/attest — no such replacement exists in the diff.
3. It claims it bumps add-pr-comment usage to the current v3 action where present — mshick/add-pr-comment@v3 is unchanged in this diff (it was already pinned to v3).

The actual changes are: bump eps1lon/actions-label-merge-conflict to v3.1.0, actions/github-script to v8, amannn/action-semantic-pull-request to v6, and replace actions-ecosystem/action-add-labels@v1 in merge-check.yml with an inline actions/github-script@v8 call (plus the matching issues: write permission grants on label-merge-conflicts.yml and merge-check.yml). Please reword the commit body to match the diff and drop the v23.1.x/release-branch framing before merge.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

- [SUGGESTION] In `<commit:15cc8150>`:1-1: Commit body misdescribes the change (wrong target branch, claims changes not in diff)
  The commit subject (`ci: update GitHub Actions pins for Node 24`) is accurate, but the body is misleading and will be permanent in `git log`/`git blame` after merge:

1. It says this is a backport `to this release branch, to silence GitHub's Node.js 20 deprecation warnings on the v23.1.x CI`, but the PR targets `develop`, not `v23.1.x`. Future readers on develop will see a misleading provenance/target claim.
2. It claims the change `replaces deprecated attest-build-provenance with actions/attest` — no such replacement exists in the diff.
3. It claims it `bumps add-pr-comment usage to the current v3 action where present` — `mshick/add-pr-comment@v3` is unchanged in this diff (it was already pinned to v3).

The actual changes are: bump `eps1lon/actions-label-merge-conflict` to `v3.1.0`, `actions/github-script` to `v8`, `amannn/action-semantic-pull-request` to `v6`, and replace `actions-ecosystem/action-add-labels@v1` in merge-check.yml with an inline `actions/github-script@v8` call (plus the matching `issues: write` permission grants on label-merge-conflicts.yml and merge-check.yml). Please reword the commit body to match the diff and drop the v23.1.x/release-branch framing before merge.

[thepastaclaw]

Code Review

Latest push only rewrites the commit metadata; the tree diff from 15cc8150..eb1857a3 is empty. The prior commit-body finding is fixed: the new message accurately lists the workflow updates in this PR and drops the old v23.1.x release-branch/backport wording plus the unrelated attest/add-pr-comment claims.

Cumulatively, this remains a focused CI maintenance change for Node 24-compatible GitHub Actions pins and replacing the deprecated add-labels action with actions/github-script using issues.addLabels and the matching issues: write permission. No in-scope findings.

Reviewed commit: eb1857a

[thephez]

What do you think about pinning these version via hash instead of relying on the release tags?

[thepastaclaw]

I like SHA pinning as a supply-chain hardening direction, especially for third-party actions, but I would not fold it into this PR.

This PR is intentionally scoped to the Node 24 compatibility bumps and follows the repo's current convention of version/tag pins. A SHA-pinning change should be a dedicated pass across the workflow set so we can decide the policy consistently: first-party actions/* vs third-party actions, how to leave readable upstream version breadcrumbs, and how updates will be maintained by Dependabot/Renovate or a manual process.

So my preference here is: merge this as the minimal deprecation fix, then do SHA pinning as a separate CI hardening PR if we want that policy for Dash Core.

[thepastaclaw]

CI scope check for the red linux64_tsan-test / Test source job:

• Failing job: https://github.com/dashpay/dash/actions/runs/28458489062/job/84351170851
• Root cause in the log: feature_asset_locks.py failed in create_assetunlock() because quorum("selectquorum", ...) returned no quorums active (-1) after two earlier failed attempts.
• PR scope: this branch only changes GitHub workflow YAML files (label-merge-conflicts, merge-check, release_docker_hub, and semantic-pull-request). It does not touch asset locks, LLMQ/quorum logic, functional tests, or source code.
• Existing flaky-test tracker: updated test: feature_asset_locks intermittent llmq_test_platform quorum timeout #7310 with this run as additional evidence.

Conclusion: the PR is proper as-is; this is pre-existing feature_asset_locks.py / Platform-quorum timing flakiness, not a regression caused by the Node 24 action-pin update. I did not push, rebase, amend, create an empty commit, or rerun CI.