chore: migrate to Node.js 24 and update vega/canvas dependencies#104
Merged
Conversation
Bumps the GitHub Actions runtime from node16 to node24 to meet the upcoming deprecation deadline (June 2026). Fixes the canvas installation failure on Node 22+ runners by upgrading the globally-installed Vega stack: - canvas 2 -> 3 - vega 5 -> 6 - vega-cli 5 -> 6 - vega-lite 5 -> 6 canvas@2 does not provide prebuilt binaries for the node-v127 ABI (Node 22/24), causing a 404 during install. canvas@3 and vega-cli@6 include prebuilt binaries for modern Node versions. Also updates: - engines.node to >=24.x - @types/node to ^24.0.0 - actions/checkout to v6 in workflows
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the GitHub Action runtime and vega-related tooling to newer major versions, aligning documentation and CI accordingly.
Changes:
- Bump vega/canvas global install versions (canvas 3, vega 6, vega-cli 6, vega-lite 6)
- Raise Node.js baseline (package engines + action runtime) to Node 24
- Update CI workflow to use a newer
actions/checkoutmajor version
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/setup-cml.ts | Updates the npm global install command for vega tooling |
| package.json | Raises Node engine requirement and updates @types/node major version |
| dist/index.js | Regenerated build output reflecting updated vega install command |
| action.yml | Updates action runtime from node16 to node24 |
| README.md | Updates documented vega install command to match implementation |
| .github/workflows/check.yml | Updates actions/checkout major version used in CI |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
@0x2b3bfa0 Would you be able to take some time to review the above? I can confirm this fixes the immediate issue (missing dep, CML actually is not usable anymore) while also running on Node 24 in my fork. |
5 tasks
Contributor
Author
|
@0x2b3bfa0 @shcheklein Since I see some activity on that PR: Is there any way to get the above changes merged? The current situation is that setting up CML is completely broken. Merging the changes (and adding a new tag) is minimal, and solves the immediate issue, and would at least give some more time to user for finding a maintained alternative. |
The typo fix in src/setup-cml.ts (intall -> install) was committed without rebuilding dist/index.js, so `npm run build && git diff --exit-code` in the verify job failed. Rebuild dist so it matches src. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Authenticate the action's CML release lookup by passing GITHUB_TOKEN to each `uses: ./` step. Unauthenticated calls hit the 60/hr per-IP limit and flake on shared macOS/Windows runners (test-version[-prefix] failures). - Guard `cml comment/check create` to run only where the token is write-scoped (same-repo PRs and the scheduled run). Fork PRs get a read-only GITHUB_TOKEN, so that step 403s; skipping it lets test-latest pass while still exercising install + `cml --version`. The scheduled run on the default branch keeps full end-to-end coverage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
new Octokit({ token }) is ignored by @octokit/rest — the option is `auth`.
As a result the CML release lookup always ran unauthenticated (60 req/hr
per IP), which flakes on shared macOS/Windows runners with "API rate limit
exceeded". Switching to `auth: process.env.GITHUB_TOKEN` (now passed in via
the workflow) raises the limit to 5000/hr and fixes the test-latest /
test-version rate-limit failures.
Verified: Octokit({token}) -> x-ratelimit-limit 60; Octokit({auth}) -> 5000.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
shcheklein
previously approved these changes
Jun 26, 2026
Member
|
@0x2b3bfa0 can you please review this when you have a minute |
Address review feedback: - await the global vega install. exec() returns a Promise that rejects on failure; without await the try/catch never fires and the rejection becomes an unhandled rejection that crashes the action (the exact hard-fail seen in #103) instead of the intended core.warning. Now failures are non-fatal. - add a `token` action input (default ${{ github.token }}) and use it for the Octokit release lookup, so the lookup is authenticated (5000/hr) for all users by default — not just when GITHUB_TOKEN happens to be in the env. Removes the now-redundant GITHUB_TOKEN env from the CI action steps. - pin CI build to Node 24 via actions/setup-node, matching engines.node and the node24 action runtime (ncc output is Node-version-independent, verified). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0x2b3bfa0
approved these changes
Jun 27, 2026
|
Hello CML from ubuntu-latest! |
|
Hello CML from macos-latest! |
|
Hello CML from windows-latest! |
|
Hello CML from ubuntu-latest! |
|
Hello CML from macos-latest! |
|
Hello CML from windows-latest! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #103.
setup-cml@v2is currently broken:canvas@2has no prebuilt binary for the Node 22/24 (node-v127) ABI, so the global Vega install 404s and the action fails; the Node 16/20 Actions runtimes are also being deprecated (Node 20 EOL on runners). This PR migrates the action to Node 24, bumps the Vega/canvas stack, makes the Vega install non-fatal, authenticates the release lookup, and makes CI pass on fork PRs.Runtime & dependencies
action.yml:using: node16→node24(verified: the action runs under the runner's node24 runtime — alltest-*jobs are green on ubuntu/macOS/Windows).package.json:engines.node→>=24.x,@types/node→^24.canvas@2 vega@5 vega-cli@5 vega-lite@5→canvas@3 vega@6 vega-cli@6 vega-lite@6(src +dist+ README).canvas@3/vega-cli@6ship prebuilt binaries for modern Node ABIs.package-lock.json: prune now-unreachable transitive deps (@azure/*,@actions/cache,@actions/glob).intall→install, and rebuilddistto matchsrc(theverifyjob checksnpm run build && git diff --exit-code).Robustness & auth fixes
awaitthe Vega install.exec()returns a Promise that rejects on a failed install; withoutawaitthetry/catchnever fires and the rejection bubbles up as an unhandled rejection that crashes the action (the hard-fail mode in setup-cml@v2 breaks due to older dependencies + Node 20 deprecation #103) instead of the intendedcore.warning. A failed Vega install is now non-fatal, matching the documentedvega:behaviour.new Octokit({ token })is a no-op —@octokit/restauthenticates viaauth, nottoken. The release lookup therefore always ran unauthenticated (60 req/hr per IP) and flaked on shared macOS/Windows runners withAPI rate limit exceeded. Added atokeninput (default${{ github.token }}) and switched toauth:, so the lookup is authenticated (5000/hr) for every user by default.CI (
check.yml)actions/checkout@v3→@v6; pin the build to Node 24 viaactions/setup-node(matchesengines.nodeand the action runtime).cml comment/check createonly where the token is write-scoped (same-repo PRs + the scheduled run); skip on fork PRs, which get a read-onlyGITHUB_TOKENand would otherwise 403.test-latestnow passes from forks while still exercising install +cml --version; the nightly schedule keeps full end-to-end coverage.Compatibility note (CML + DVC)
CML itself does not call Vega — the tools serve the user's DVC pipeline (
dvc plots … --show-vega > spec.json→vl2png spec.json -s 1.5→cml publish). The new stack was validated end-to-end:vega-cli@6hard-depends oncanvas@^3(socanvas@3is the intended pairing), andvega-lite@6compiles DVC's v5-schema templates — thelinearandconfusiontemplates (incl. the latter's deprecatedselectionsyntax) plus CML's own v4 sample all render to valid PNG viavl2png -s 1.5and to SVG. Caveat: the@6stack raises the effective Node floor to ≥20 andcanvas@3needs a prebuilt binary (or the cairo/pango toolchain) on the runner — both hold on GitHub-hosted*-latestimages.