
Infra: Bump actions to migrate to node22 #1835

Open

Haarolean wants to merge 5 commits into main from infra/bump-actions

Conversation

@Haarolean

@Haarolean Haarolean commented May 7, 2026

Member
  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to use newer, pinned action versions across the repository to improve security and compatibility while preserving existing job behavior and build/test logic.

@Haarolean Haarolean self-assigned this May 7, 2026
@Haarolean Haarolean requested a review from a team as a code owner May 7, 2026 13:53
@Haarolean Haarolean added scope/infra CI, CD, dev. env, etc. type/dependencies A pull request/issue dedicated to updating the dependency(-ies) labels May 7, 2026
@kapybro kapybro Bot added status/triage Issues pending maintainers triage status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels May 7, 2026
@coderabbitai

coderabbitai Bot commented May 7, 2026


Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b3e4e62-9822-4389-b307-2f35eade91ce

📥 Commits

Reviewing files that changed from the base of the PR and between b59743d and 85f5f56.

📒 Files selected for processing (6)
  • .github/workflows/branch-deploy.yml
  • .github/workflows/build-public-image.yml
  • .github/workflows/cve_checks.yml
  • .github/workflows/docker_build.yml
  • .github/workflows/e2e-playwright-run.yml
  • .github/workflows/separate_env_public_create.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/separate_env_public_create.yml
  • .github/workflows/docker_build.yml
  • .github/workflows/branch-deploy.yml
  • .github/workflows/e2e-playwright-run.yml
  • .github/workflows/build-public-image.yml

📝 Walkthrough

This PR repins GitHub Actions across CI workflows: checkout/setup-java/setup-node, dorny/paths-filter, AWS/ECR, artifact, and cache actions were updated to newer commit SHAs; workflow logic and commands were not changed.

Changes

GitHub Actions Version Pinning

  • Path Filtering (.github/workflows/backend_pr.yml, .github/workflows/frontend_pr.yml): dorny/paths-filter pinned to v3.0.3 (from v3.0.2).
  • Repository Checkout & Language Runtime (.github/workflows/backend_tests.yml, .github/workflows/branch-deploy.yml, .github/workflows/branch-remove.yml, .github/workflows/build-public-image.yml, .github/workflows/codeql-analysis.yml, .github/workflows/cve_checks.yml, .github/workflows/docker_build.yml, .github/workflows/e2e-playwright-run.yml, .github/workflows/frontend_tests.yml, .github/workflows/main.yml, .github/workflows/md-links.yml, .github/workflows/release.yml, .github/workflows/release-serde-api.yml, .github/workflows/separate_env_public_create.yml, .github/workflows/workflow_linter.yml): actions/checkout updated to v4.2.2; actions/setup-java updated to v4.6.0; actions/setup-node updated to v4.2.0 where present.
  • AWS & ECR Authentication (.github/workflows/branch-deploy.yml, .github/workflows/build-public-image.yml, .github/workflows/delete-public-image.yml, .github/workflows/docker_publish.yml, .github/workflows/separate_env_public_create.yml): aws-actions/configure-aws-credentials pinned to v4.1.0; aws-actions/amazon-ecr-login pinned to v2.1.0.
  • Artifact Handling (.github/workflows/docker_build.yml, .github/workflows/docker_publish.yml, .github/workflows/e2e-playwright-run.yml, .github/workflows/main.yml, .github/workflows/release.yml): actions/download-artifact pinned to v4.1.8; actions/upload-artifact pinned to v4.6.0.
  • Cache & CVE Scans (.github/workflows/cve_checks.yml, .github/workflows/docker_build.yml): actions/cache remains on the v4.3.0 release; pinned commit SHAs refreshed.
  • Release & Dispatch (.github/workflows/release.yml): peter-evans/repository-dispatch updated to v4.0.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • kafbat/kafka-ui#1762: Modifies the same workflow files and adds path-filter configuration alongside version pins.
  • kafbat/kafka-ui#1786: Updates the same GitHub Actions workflows with structural changes to job conditions and filters.

Suggested labels

type/enhancement

Poem

🐰 Action versions hop to v4, so spry!
Checkout and Java now fly high,
AWS keys snug in their nest,
Artifacts travel on their quest,
CI hums softly — pipelines sigh.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'Infra: Bump actions to migrate to node22' accurately summarizes the primary change—updating GitHub Actions to support Node 22. The title is clear, specific, and directly reflects the main objective of the changeset across all 16 workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@codecov

codecov Bot commented May 7, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)

18-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a release-safe checkout ref instead of PR-only context.

github.event.pull_request.head.sha is unavailable for release events, so checkout will target the wrong revision when publishing (likely the default branch instead of the tagged commit).

Proposed fix
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.sha }}
           token: ${{ github.token }}
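Review bot: `${{ github.sha }}` is the right value for a `release` trigger, where it resolves to the tagged commit, but the hunk mostly makes current behaviour explicit rather than changing it: actions/checkout treats an empty `ref` input as unset and, when checking out the workflow's own repository, falls back to the triggering event's ref and SHA, so the old expression was misleading rather than fetching the wrong revision. It is still worth changing so the step stops implying this workflow runs on pull requests. While touching the step, `token: ${{ github.token }}` is the action's default and can be dropped; `fetch-depth: 0` should stay as shown.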
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 18 - 22, The checkout step uses
actions/checkout with ref: ${{ github.event.pull_request.head.sha }}, which is
only set for PR events and fails for release events; change the ref expression
to a release-safe value such as ${{ github.ref }} (or ${{ github.sha }} if you
need the commit SHA) in the actions/checkout invocation and keep fetch-depth: 0
and token unchanged so the workflow checks out the correct tagged commit for
release events.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cve_checks.yml:
- Line 21: Update the pinned commit for the actions/cache step: replace the
incorrect SHA `d4323d4df104b026a6aa633fdb11d772146be0bf` used with `uses:
actions/cache@v4.3.0` with the correct SHA
`0057852bfaa89a56745cba8c7296529d2fc39830` so the pinned commit matches the
v4.3.0 tag.

In @.github/workflows/docker_build.yml:
- Around line 21-24: The checkout step currently uses
github.event.pull_request.head.sha which is unreliable for reusable workflows;
update the checkout invocation to use the workflow input (e.g., inputs.sha)
instead and ensure the calling reusable workflow/workflow_call defines and
passes a sha input; specifically change the ref passed to the actions/checkout
step to use inputs.sha and verify the workflow_call input name matches (e.g.,
"sha") so deterministic image builds are used.

In @.github/workflows/e2e-playwright-run.yml:
- Around line 60-63: The workflow still pins the Node runtime to 18; update the
actions/setup-node step by changing the node-version field from 18 to "22.12.0"
(i.e., modify the node-version key in the setup-node step) so this workflow
matches the repository's Node 22 migration; no other changes are required unless
CI cache behavior needs verifying after the version bump.

In @.github/workflows/separate_env_public_create.yml:
- Around line 18-21: The checkout step currently sets ref: ${{
github.event.pull_request.head.sha }} which is undefined for workflow_dispatch;
update the actions/checkout step (the lines containing actions/checkout and ref:
${{ github.event.pull_request.head.sha }}) to use a valid ref for manual runs —
e.g., replace that ref with ${{ github.sha }} or remove the explicit ref so
checkout defaults to the workflow run commit, and ensure any callers expecting a
PR SHA are adjusted accordingly.

---

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 18-22: The checkout step uses actions/checkout with ref: ${{
github.event.pull_request.head.sha }}, which is only set for PR events and fails
for release events; change the ref expression to a release-safe value such as
${{ github.ref }} (or ${{ github.sha }} if you need the commit SHA) in the
actions/checkout invocation and keep fetch-depth: 0 and token unchanged so the
workflow checks out the correct tagged commit for release events.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fd890a10-7d8f-4096-9194-a303b82e832c

📥 Commits

Reviewing files that changed from the base of the PR and between 4bf06dd and b59743d.

📒 Files selected for processing (19)
  • .github/workflows/backend_pr.yml
  • .github/workflows/backend_tests.yml
  • .github/workflows/branch-deploy.yml
  • .github/workflows/branch-remove.yml
  • .github/workflows/build-public-image.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/cve_checks.yml
  • .github/workflows/delete-public-image.yml
  • .github/workflows/docker_build.yml
  • .github/workflows/docker_publish.yml
  • .github/workflows/e2e-playwright-run.yml
  • .github/workflows/frontend_pr.yml
  • .github/workflows/frontend_tests.yml
  • .github/workflows/main.yml
  • .github/workflows/md-links.yml
  • .github/workflows/release-serde-api.yml
  • .github/workflows/release.yml
  • .github/workflows/separate_env_public_create.yml
  • .github/workflows/workflow_linter.yml
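
The four findings above reduce to two mechanical checks: every `uses:` step should be pinned to a full commit SHA with a comment naming the release the SHA stands for, and `github.event.pull_request.head.sha` should only appear in workflows that actually have a `pull_request` trigger. The script below is an added example, not code from this PR, from kafbat/kafka-ui or from CodeRabbit, that runs both checks offline over workflow text; it goes one step beyond the review by also checking that the releases/tag comment names the same repository as the `uses:` line, which catches copy-pasted comments. The two sample workflows are constructed for the example; the checkout SHA and its tag comment are the ones from the diff above, while the actions/cache SHA in the release sample is a placeholder.

```python
"""Offline lint for the two workflow problems raised in this review.

Constructed example, not code from kafbat/kafka-ui or CodeRabbit. It flags
(1) `uses:` steps not pinned to a full commit SHA with a releases/tag comment
for the same repository, and (2) `github.event.pull_request.head.sha` used in
a workflow with no pull_request trigger, where the expression expands to ''.
"""
import re
from dataclasses import dataclass

PR_EVENTS = {"pull_request", "pull_request_target"}
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
TAG_COMMENT_RE = re.compile(r"/releases/tag/v?\d[\w.]*$")
PR_HEAD_SHA_RE = re.compile(r"\$\{\{\s*github\.event\.pull_request\.head\.sha\s*\}\}")


@dataclass
class Finding:
    line: int
    message: str


def parse_triggers(text):
    """Event names under the top-level `on:` key. Handles `on: push`,
    `on: [push, pull_request]` and the block form (`push:` keys or `- push`)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*$", line)
        if not m:
            continue
        inline = m.group(1)
        if inline.startswith("["):
            return {e.strip() for e in inline.strip("[]").split(",") if e.strip()}
        if inline and not inline.startswith("#"):
            return {inline}
        events, child_indent = set(), None
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break  # next top-level key ends the on: block
            if child_indent is None:
                child_indent = indent
            if indent == child_indent:  # direct children are the event names
                events.add(stripped.lstrip("- ").split(":")[0].strip())
        return events
    return set()


def lint_workflow(text):
    """Return a Finding for every offending line, in file order."""
    findings = []
    triggers = parse_triggers(text)
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, comment = m.groups()
            repo = "/".join(action.split("/")[:2])  # owner/repo without subpath
            if not SHA_RE.match(ref):
                findings.append(Finding(n, f"{action}@{ref}: mutable ref, pin a 40-hex commit SHA"))
            elif not comment or not TAG_COMMENT_RE.search(comment):
                findings.append(Finding(n, f"{action}: SHA pin lacks a releases/tag comment"))
            elif f"github.com/{repo}/releases/tag/" not in comment:
                findings.append(Finding(n, f"{action}: tag comment names a different repository"))
        if PR_HEAD_SHA_RE.search(line) and not (triggers & PR_EVENTS):
            findings.append(Finding(n, "github.event.pull_request.head.sha is empty for triggers "
                                       f"{sorted(triggers)}; use github.sha or a declared input"))
    return findings


# Constructed sample workflows, not the project's real files: RELEASE_YML has
# three problems, PR_YML is clean because pull_request is among its triggers.
RELEASE_YML = """\
on:
  release:
    types: [published]
jobs:
  publish:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ github.token }}
      - uses: actions/setup-java@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # https://github.com/actions/checkout/releases/tag/v4.2.2
"""

PR_YML = """\
on: [push, pull_request]
jobs:
  test:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
```

`lint_workflow(RELEASE_YML)` reports the empty `ref` expression, the mutable `setup-java@v4` pin and the cache step whose comment names the wrong repository; `lint_workflow(PR_YML)` reports nothing. What it cannot do offline is the fourth finding, confirming that a pinned SHA really is the commit behind the tag in its comment: that needs a lookup such as `git ls-remote --tags https://github.com/actions/cache v4.3.0`, and since release tags are usually annotated objects the commit to compare against is the peeled `refs/tags/v4.3.0^{}` line, not the tag object itself.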

Comment thread .github/workflows/cve_checks.yml
Comment on lines +21 to 24
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ github.token }}


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify reusable workflows consume declared sha input in checkout ref
rg -n -C3 'workflow_call:|inputs:|sha:' .github/workflows/docker_build.yml
rg -n -C2 'uses:\s*actions/checkout@|ref:\s*\${{\s*github\.event\.pull_request\.head\.sha\s*}}|ref:\s*\${{\s*inputs\.sha\s*}}' .github/workflows/docker_build.yml

Repository: kafbat/kafka-ui

Length of output: 453


🏁 Script executed:

cat -n .github/workflows/docker_build.yml | head -30

Repository: kafbat/kafka-ui

Length of output: 1059


Checkout ignores reusable-workflow input SHA and uses invalid PR context.

In workflow_call, github.event.pull_request.head.sha is not reliable; use inputs.sha to guarantee deterministic image builds.

Proposed fix
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ inputs.sha }}
           token: ${{ github.token }}
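Review bot: `${{ inputs.sha }}` only fixes this if `sha` is declared under `on.workflow_call.inputs` with `required: true`; an undeclared or optional input that a caller omits expands to an empty string, and checkout then silently falls back to the event's own ref, which is exactly the failure mode this hunk is meant to remove. Separately, when the caller is a PR-triggered workflow this input is a contributor's commit, so the job that checks it out and builds the image should not hold registry or cloud publishing credentials; those belong in a separate job that only consumes the built artifact.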
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker_build.yml around lines 21 - 24, The checkout step
currently uses github.event.pull_request.head.sha which is unreliable for
reusable workflows; update the checkout invocation to use the workflow input
(e.g., inputs.sha) instead and ensure the calling reusable
workflow/workflow_call defines and passes a sha input; specifically change the
ref passed to the actions/checkout step to use inputs.sha and verify the
workflow_call input name matches (e.g., "sha") so deterministic image builds are
used.

Comment thread .github/workflows/e2e-playwright-run.yml
Comment on lines +18 to 21
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ github.token }}

@coderabbitai coderabbitai Bot May 7, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Checkout ref uses pull_request context in a workflow_dispatch workflow.

github.event.pull_request.head.sha is not defined for manual dispatch, so this ref is wrong for this workflow.

Suggested fix
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # https://github.com/actions/checkout/releases/tag/v4.2.2
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.sha }}
           token: ${{ github.token }}
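Review bot: on `workflow_dispatch`, `${{ github.sha }}` is the head of the branch chosen in the dispatch form, which is also what checkout uses when `ref:` is omitted altogether, so deleting the line is an equivalent and simpler fix; the explicit form only documents intent. If this workflow is meant to be dispatched for a particular PR commit, no context expression can recover that: declare a `workflow_dispatch` input (a name such as `sha` is an assumption, not something the file defines) and pass it as `ref:`. `token: ${{ github.token }}` is the action's default and could go too.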
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/separate_env_public_create.yml around lines 18 - 21, The
checkout step currently sets ref: ${{ github.event.pull_request.head.sha }}
which is undefined for workflow_dispatch; update the actions/checkout step (the
lines containing actions/checkout and ref: ${{
github.event.pull_request.head.sha }}) to use a valid ref for manual runs —
e.g., replace that ref with ${{ github.sha }} or remove the explicit ref so
checkout defaults to the workflow run commit, and ensure any callers expecting a
PR SHA are adjusted accordingly.

Member Author


@coderabbitai this and the other one aren't introduced in this branch — raise an issue for them

@coderabbitai coderabbitai Bot

🧩 Analysis chain

Let me first fetch the other review comment from this PR to identify the second issue.


🏁 Script executed:

#!/bin/bash
gh pr view 1835 --repo kafbat/kafka-ui --json reviews,comments
gh api repos/kafbat/kafka-ui/pulls/1835/comments --jq '.[] | {id: .id, path: .path, body: .body, line: .line}'

Length of output: 45082


I found the two issues. Let me create GitHub issues for both now.


🏁 Script executed:

#!/bin/bash

# Issue 1: separate_env_public_create.yml - invalid ref for workflow_dispatch
gh issue create \
  --repo kafbat/kafka-ui \
  --title "Bug: separate_env_public_create.yml uses pull_request context ref in workflow_dispatch" \
  --body "## Summary

The checkout step in \`.github/workflows/separate_env_public_create.yml\` sets \`ref: \${{ github.event.pull_request.head.sha }}\`, which is undefined for \`workflow_dispatch\` events. This means the workflow will check out the wrong (or default) revision when triggered manually.

## Details

**File:** \`.github/workflows/separate_env_public_create.yml\`
**Lines:** ~18–21

The checkout step currently uses:
\`\`\`yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  with:
    ref: \${{ github.event.pull_request.head.sha }}
    token: \${{ github.token }}
\`\`\`

\`github.event.pull_request.head.sha\` is only populated for \`pull_request\` events. For \`workflow_dispatch\`, this expression evaluates to an empty string, causing checkout to fall back to the default branch rather than the intended commit.

## Suggested Fix

\`\`\`yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  with:
    ref: \${{ github.sha }}
    token: \${{ github.token }}
\`\`\`

## References

- Identified in PR `#1835` (comment: https://github.com/kafbat/kafka-ui/pull/1835#discussion_r3201978484)
- Reported by `@Haarolean`" \
  --assignee Haarolean

echo "---"

# Issue 2: release.yml - invalid ref for release events
gh issue create \
  --repo kafbat/kafka-ui \
  --title "Bug: release.yml uses pull_request context ref in release workflow" \
  --body "## Summary

The checkout step in \`.github/workflows/release.yml\` sets \`ref: \${{ github.event.pull_request.head.sha }}\`, which is undefined for \`release\` events. This means the workflow will check out the wrong revision when publishing a release.

## Details

**File:** \`.github/workflows/release.yml\`
**Lines:** ~18–22

The checkout step currently uses:
\`\`\`yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  with:
    fetch-depth: 0
    ref: \${{ github.event.pull_request.head.sha }}
    token: \${{ github.token }}
\`\`\`

\`github.event.pull_request.head.sha\` is only populated for \`pull_request\` events. For \`release\` events, this expression evaluates to an empty string, causing the checkout to fall back to the default branch rather than the tagged release commit.

## Suggested Fix

\`\`\`yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  with:
    fetch-depth: 0
    ref: \${{ github.sha }}
    token: \${{ github.token }}
\`\`\`

## References

- Identified in PR `#1835` (review: https://github.com/kafbat/kafka-ui/pull/1835)
- Reported by `@Haarolean`" \
  --assignee Haarolean

Length of output: 98


@Haarolean Done! Two issues have been created and assigned to you:

@Haarolean

Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 7, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


Labels

scope/infra CI, CD, dev. env, etc. status/triage/completed Automatic triage completed type/dependencies A pull request/issue dedicated to updating the dependency(-ies)
