react-redux

Use default Node version in CI

Open nickserv opened this issue 2 years ago • 5 comments

Deprecated Node versions are used in CI, potentially causing security and reliability issues. Instead, it's better to use GitHub's default Node version, which also doesn't require additional downloads or installations.

nickserv avatar Sep 13 '23 01:09 nickserv

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit cc690dc211dbfa3c1d70507a1807e4bcf49e7073:

Sandbox Source
Vanilla Configuration
Vanilla Typescript Configuration

codesandbox-ci[bot] avatar Sep 13 '23 01:09 codesandbox-ci[bot]

The size action is warning because of https://github.com/preactjs/compressed-size-action/issues/93 but it seems like it's safe to ignore as it already runs on Node 16:

The following actions uses node12 which is deprecated and will be forced to run on node16: preactjs/compressed-size-action@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

nickserv avatar Sep 13 '23 02:09 nickserv

This isn't a hard opinion, but I'm on the negative side of this. This introduces less determinism into our builds and test suite. That has the potential for breakage and extra workload for us as maintainers.

There's nothing necessarily wrong with using older Node versions, since this isn't deployed software and the practical effects on end-users are minimal. The most likely actual breakage is with the versions of tools that we use and the supported Node versions of our various Actions. In that context, I think it's more important to keep builds and tests consistent and as close to deterministic as possible.

timdorr avatar Sep 13 '23 16:09 timdorr

I believe it's more deterministic, as at least it's using the same default Node version in each workflow. Also Mark has already agreed to my idea, but I'm curious what he thinks about this specifically.

nickserv avatar Sep 20 '23 03:09 nickserv

That's consistency, not determinism. The build environment will change over time. A run one week under Node 20 might be different or break the next week under Node 22. It's the same reason we use a lockfile for our dependencies.

I'm all for consistency. I have issue with nondeterminism.

timdorr avatar Sep 20 '23 14:09 timdorr
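
An added example, not part of the thread or the react-redux repository: a small audit that reports, for each `actions/setup-node` step in a workflow, whether the Node version is an exact release, a floating range, or left to whatever the runner image ships. The workflow fragment and the function names `classify` and `audit` are constructed for illustration.

```python
import re

def classify(value):
    """Say whether a setup-node `node-version` value fixes one Node release."""
    if value is None:
        return "runner-default"   # input absent: Node comes from the runner image
    if "${{" in value:
        return "expression"       # resolved elsewhere (e.g. a matrix); check there
    if re.fullmatch(r"v?\d+\.\d+\.\d+", value):
        return "pinned"           # exact major.minor.patch
    return "floating"             # 20, 20.x, lts/*, latest: drifts over time

def audit(workflow_text):
    """Return [(line_no, value, verdict)] for each actions/setup-node step."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not re.search(r"uses:\s*actions/setup-node@", line):
            continue
        start = i                 # walk back to the "- " that opens this step
        while start > 0 and not lines[start].lstrip().startswith("- "):
            start -= 1
        indent = len(lines[start]) - len(lines[start].lstrip())
        value = None
        for body in lines[start + 1:]:
            if not body.strip() or body.lstrip().startswith("#"):
                continue          # blank and comment lines never end a step
            if len(body) - len(body.lstrip()) <= indent:
                break             # next step, or end of the steps list
            m = re.match(r"\s*node-version:\s*(.+)", body)
            if m:
                value = m.group(1).split(" #")[0].strip().strip("'\"")
                break
        findings.append((i + 1, value, classify(value)))
    # A workflow with no setup-node step at all is reported once, at line 0.
    return findings or [(0, None, "runner-default")]

# Constructed workflow fragment, not taken from the react-redux repository.
SAMPLE = """\
steps:
  - name: Floating major
    uses: actions/setup-node@v4
    with:
      node-version: 20.x
  - uses: actions/setup-node@v4
    with:
      node-version: '20.11.1'   # exact release
  - uses: actions/setup-node@v4
  - run: npm ci
"""
```

Calling `audit(SAMPLE)` flags the first and third steps as able to change between runs without any commit to the repository; only the second names a single Node release.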