ci: migrate GitHub Actions to Node.js 24 and fix Dockerfile ARG warning

[tomquist]

What

Resolves the Node.js 20 deprecation warnings across all GitHub Actions workflows, plus a Docker lint warning in the Home Assistant addon.

GitHub Actions → Node.js 24

Bumped every action to a release that runs on the Node.js 24 runtime:

Action	Before	After
actions/checkout	v4	v5
actions/setup-node	v4	v5
actions/upload-artifact (+ /merge)	v4	v5
actions/download-artifact	v4	v5
actions/github-script	v7	v8
docker/build-push-action	v5	v7
docker/metadata-action	v5	v6
docker/setup-buildx-action	v3	v4
docker/login-action	v3	v4
softprops/action-gh-release	v1	v3

Note: docker/build-push-action required v7 (v6 is still Node 20). The Node 24 Docker/artifact actions require GitHub Actions Runner v2.327.1+, which GitHub-hosted runners already satisfy.

Dockerfile UndefinedArgInFrom fix

In ha_addon/Dockerfile, ARG BUILD_FROM was declared after the builder stage's FROM, making it stage-scoped rather than global. A FROM can only reference a global ARG (declared before the first FROM), so the final FROM ${BUILD_FROM...} triggered the UndefinedArgInFrom warning. Moved the declaration to the top of the file; the default base-image fallback is unchanged.

Why

• actions/checkout@v4, actions/setup-node@v4, the Docker actions, and the artifact actions all run on Node.js 20, which GitHub is deprecating (forced to Node 24 by June 16th 2026, removed Sept 16th 2026).
• The Docker build emitted UndefinedArgInFrom: FROM argument 'BUILD_FROM' is not declared.

Summary by CodeRabbit

• Chores
  • Updated CI/CD pipeline automation tools to the latest compatible versions to enhance stability and security across build, test, and release processes.

[coderabbitai]

Warning

Review limit reached

@tomquist, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 10 minutes and 43 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7595a3d-717b-4f38-acb6-711ae4b37f4e

📥 Commits

Reviewing files that changed from the base of the PR and between 26e2d73 and 10bcaab.

📒 Files selected for processing (7)

• .github/dependabot.yml
• .github/workflows/bug-needs-logs.yml
• .github/workflows/build-images.yml
• .github/workflows/ci.yml
• .github/workflows/enforce-pr-target.yml
• .github/workflows/release.yml
• ha_addon/Dockerfile

Walkthrough

Four CI/CD workflow files update GitHub Actions to newer major versions: bug-needs-logs.yml upgrades github-script, ci.yml updates checkout/setup-node/upload-artifact, build-images.yml upgrades Docker and artifact actions across multiple jobs, and release.yml updates checkout and gh-release actions.

Changes

GitHub Actions Dependency Updates

Layer / File(s)	Summary
Bug-logging workflow github-script upgrade .github/workflows/bug-needs-logs.yml	actions/github-script is bumped from @v7 to @v8 in the ask-for-logs job.
CI workflow action upgrades .github/workflows/ci.yml	actions/checkout, actions/setup-node, and actions/upload-artifact are upgraded from v4 to v5 in the validate and test-addon jobs.
Docker image build workflow action upgrades .github/workflows/build-images.yml	Checkout, Docker build, and artifact actions are updated across the main app build (build and merge jobs) and add-on build (build-addon and merge-addon jobs). Docker setup, metadata, login, and build-push actions move to newer versions, as do artifact upload, merge, and download actions.
Release workflow action upgrades .github/workflows/release.yml	actions/checkout is bumped from v4 to v5, and softprops/action-gh-release is upgraded from v1 to v3 for GitHub Release publishing.

---

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Possibly Related PRs

• tomquist/hm2mqtt#245: Introduces the bug-needs-logs.yml debug-log-request workflow that is being updated in this PR.
• tomquist/hm2mqtt#304: Refactors the image-build workflow logic that receives these action-version upgrades in build-images.yml.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'migrate GitHub Actions to Node.js 24' and 'fix Dockerfile ARG warning', but the changeset only updates GitHub Actions versions and doesn't address any Dockerfile ARG warning.	Update the title to accurately reflect the changes: 'ci: upgrade GitHub Actions to Node.js 24 compatible versions' or similar, removing reference to the unrelated Dockerfile ARG warning.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/optimistic-goldberg-g4fE7

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/bug-needs-logs.yml:
- Line 25: Replace the floating tag "actions/github-script@v8" with an immutable
commit SHA to prevent upstream drift; locate the workflow step that contains the
line uses: actions/github-script@v8 and update it to uses:
actions/github-script@<commit-sha> (the specific commit SHA from the
actions/github-script repository) so the workflow pins to a fixed revision.

In @.github/workflows/build-images.yml:
- Line 58: The workflow currently pins marketplace actions using floating tags
like actions/checkout@v5, docker/build-push-action@v7,
actions/upload-artifact@v5, and docker/login-action@v4 (and other `@v`*
occurrences) which should be replaced with immutable commit SHAs; locate each
usage of these actions in .github/workflows/build-images.yml (references:
actions/checkout, docker/build-push-action, actions/upload-artifact,
docker/login-action) and replace the `@vN` tags with the corresponding full commit
SHA from the action's GitHub repo (e.g., actions/checkout@<sha>), updating every
occurrence listed in the comment so the workflow uses exact commit SHAs rather
than floating tags.

In @.github/workflows/ci.yml:
- Line 26: Replace floating major-version action references with their
corresponding full commit SHAs: locate the usages of actions/checkout@v5,
actions/setup-node@v5, and actions/upload-artifact@v5 in the workflow and update
each to the exact commit SHA for the desired release; ensure you test the
workflow after replacing each tag to confirm compatibility and lock the CI to
the reviewed upstream commit.

In @.github/workflows/release.yml:
- Line 22: The workflow uses floating major tags for actions
(actions/checkout@v5 and softprops/action-gh-release@v3); update those uses to
pin to the specific immutable commit SHAs instead of the floating tags: replace
actions/checkout@v5 and softprops/action-gh-release@v3 with their corresponding
full commit SHAs in the release workflow, ensuring you reference the same action
steps (the checkout step and the gh-release step) so the workflow uses fixed
commits and avoids tag drift.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a0e1f794-48ec-4088-a138-869c2515b7f8

📥 Commits

Reviewing files that changed from the base of the PR and between c1a4577 and 26e2d73.

📒 Files selected for processing (4)

• .github/workflows/bug-needs-logs.yml
• .github/workflows/build-images.yml
• .github/workflows/ci.yml
• .github/workflows/release.yml