chore: migrate to Node.js 24 and update vega/canvas dependencies #104
Bumps the GitHub Actions runtime from node16 to node24 to meet the upcoming deprecation deadline (June 2026).

Fixes the canvas installation failure on Node 22+ runners by upgrading the globally-installed Vega stack:
- canvas 2 -> 3
- vega 5 -> 6
- vega-cli 5 -> 6
- vega-lite 5 -> 6

canvas@2 does not provide prebuilt binaries for the node-v127 ABI (Node 22/24), causing a 404 during install. canvas@3 and vega-cli@6 include prebuilt binaries for modern Node versions.

Also updates:
- engines.node to >=24.x
- @types/node to ^24.0.0
- actions/checkout to v6 in workflows
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the GitHub Action runtime and vega-related tooling to newer major versions, aligning documentation and CI accordingly.
Changes:
- Bump vega/canvas global install versions (canvas 3, vega 6, vega-cli 6, vega-lite 6)
- Raise Node.js baseline (package engines + action runtime) to Node 24
- Update CI workflow to use a newer `actions/checkout` major version
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/setup-cml.ts | Updates the npm global install command for vega tooling |
| package.json | Raises Node engine requirement and updates @types/node major version |
| dist/index.js | Regenerated build output reflecting updated vega install command |
| action.yml | Updates action runtime from node16 to node24 |
| README.md | Updates documented vega install command to match implementation |
| .github/workflows/check.yml | Updates actions/checkout major version used in CI |
@0x2b3bfa0 Would you be able to take some time to review the above? I can confirm this fixes the immediate issue (missing dep, CML actually is not usable anymore) while also running on Node 24 in my fork.
@0x2b3bfa0 @shcheklein Since I see some activity on that PR: Is there any way to get the above changes merged? The current situation is that setting up CML is completely broken. Merging the changes (and adding a new tag) is minimal, and solves the immediate issue, and would at least give some more time to users for finding a maintained alternative.
The typo fix in src/setup-cml.ts (intall -> install) was committed without rebuilding dist/index.js, so `npm run build && git diff --exit-code` in the verify job failed. Rebuild dist so it matches src. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Authenticate the action's CML release lookup by passing GITHUB_TOKEN to each `uses: ./` step. Unauthenticated calls hit the 60/hr per-IP limit and flake on shared macOS/Windows runners (test-version[-prefix] failures).
- Guard `cml comment/check create` to run only where the token is write-scoped (same-repo PRs and the scheduled run). Fork PRs get a read-only GITHUB_TOKEN, so that step 403s; skipping it lets test-latest pass while still exercising install + `cml --version`. The scheduled run on the default branch keeps full end-to-end coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
new Octokit({ token }) is ignored by @octokit/rest — the option is `auth`.
As a result the CML release lookup always ran unauthenticated (60 req/hr
per IP), which flakes on shared macOS/Windows runners with "API rate limit
exceeded". Switching to `auth: process.env.GITHUB_TOKEN` (now passed in via
the workflow) raises the limit to 5000/hr and fixes the test-latest /
test-version rate-limit failures.
Verified: Octokit({token}) -> x-ratelimit-limit 60; Octokit({auth}) -> 5000.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@0x2b3bfa0 can you please review this when you have a minute
Address review feedback:
- await the global vega install. exec() returns a Promise that rejects on failure; without await the try/catch never fires and the rejection becomes an unhandled rejection that crashes the action (the exact hard-fail seen in #103) instead of the intended core.warning. Now failures are non-fatal.
- add a `token` action input (default ${{ github.token }}) and use it for the Octokit release lookup, so the lookup is authenticated (5000/hr) for all users by default — not just when GITHUB_TOKEN happens to be in the env. Removes the now-redundant GITHUB_TOKEN env from the CI action steps.
- pin CI build to Node 24 via actions/setup-node, matching engines.node and the node24 action runtime (ncc output is Node-version-independent, verified).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Fixes #103.
`setup-cml@v2` is currently broken: `canvas@2` has no prebuilt binary for the Node 22/24 (node-v127) ABI, so the global Vega install 404s and the action fails; the Node 16/20 Actions runtimes are also being deprecated (Node 20 EOL on runners). This PR migrates the action to Node 24, bumps the Vega/canvas stack, makes the Vega install non-fatal, authenticates the release lookup, and makes CI pass on fork PRs.

Runtime & dependencies
- `action.yml`: `using: node16` → `node24` (verified: the action runs under the runner's node24 runtime — all `test-*` jobs are green on ubuntu/macOS/Windows).
- `package.json`: `engines.node` → `>=24.x`, `@types/node` → `^24`.
- `canvas@2 vega@5 vega-cli@5 vega-lite@5` → `canvas@3 vega@6 vega-cli@6 vega-lite@6` (src + `dist` + README). `canvas@3` / `vega-cli@6` ship prebuilt binaries for modern Node ABIs.
- `package-lock.json`: prune now-unreachable transitive deps (`@azure/*`, `@actions/cache`, `@actions/glob`).
- `intall` → `install`, and rebuild `dist` to match `src` (the `verify` job checks `npm run build && git diff --exit-code`).

Robustness & auth fixes
- `await` the Vega install. `exec()` returns a Promise that rejects on a failed install; without `await` the `try/catch` never fires and the rejection bubbles up as an unhandled rejection that crashes the action (the hard-fail mode in setup-cml@v2 breaks due to older dependencies + Node 20 deprecation #103) instead of the intended `core.warning`. A failed Vega install is now non-fatal, matching the documented `vega:` behaviour.
- `new Octokit({ token })` is a no-op — `@octokit/rest` authenticates via `auth`, not `token`. The release lookup therefore always ran unauthenticated (60 req/hr per IP) and flaked on shared macOS/Windows runners with `API rate limit exceeded`. Added a `token` input (default `${{ github.token }}`) and switched to `auth:`, so the lookup is authenticated (5000/hr) for every user by default.

CI (`check.yml`)
- `actions/checkout@v3` → `@v6`; pin the build to Node 24 via `actions/setup-node` (matches `engines.node` and the action runtime).
- `cml comment/check create` only where the token is write-scoped (same-repo PRs + the scheduled run); skip on fork PRs, which get a read-only `GITHUB_TOKEN` and would otherwise 403. `test-latest` now passes from forks while still exercising install + `cml --version`; the nightly schedule keeps full end-to-end coverage.

Compatibility note (CML + DVC)
CML itself does not call Vega — the tools serve the user's DVC pipeline (`dvc plots … --show-vega > spec.json` → `vl2png spec.json -s 1.5` → `cml publish`). The new stack was validated end-to-end: `vega-cli@6` hard-depends on `canvas@^3` (so `canvas@3` is the intended pairing), and `vega-lite@6` compiles DVC's v5-schema templates — the `linear` and `confusion` templates (incl. the latter's deprecated `selection` syntax) plus CML's own v4 sample all render to valid PNG via `vl2png -s 1.5` and to SVG. Caveat: the `@6` stack raises the effective Node floor to ≥20 and `canvas@3` needs a prebuilt binary (or the cairo/pango toolchain) on the runner — both hold on GitHub-hosted `*-latest` images.
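
The unawaited `exec()` failure mode described in this pull request, as an added example that is not part of the PR or the project's code. `fakeExec`, the command string and the `observe` helper are constructed for illustration; the `unhandledRejection` listener is there only to record a rejection that would otherwise terminate the process.

```javascript
// Constructed stand-in for an exec() helper (assumption, not the project's
// code): returns a Promise that rejects when the command fails.
const fakeExec = (command) => new Promise((_, reject) =>
  setImmediate(() => reject(new Error(`'${command}' failed with exit code 1`))));

// Illustrative command string built from the versions named in the PR.
const VEGA_INSTALL = 'npm install -g canvas@3 vega@6 vega-cli@6 vega-lite@6';

// Before: the Promise is dropped, so try/catch only sees synchronous throws.
async function installUnawaited(exec, warn) {
  try {
    exec(VEGA_INSTALL);
  } catch (error) {
    warn(`vega install failed: ${error.message}`);
  }
}

// After: await turns the rejection into an exception inside the try block.
async function installAwaited(exec, warn) {
  try {
    await exec(VEGA_INSTALL);
  } catch (error) {
    warn(`vega install failed: ${error.message}`);
  }
}

// Run one variant and record what reached warn() versus what escaped as an
// unhandled rejection (which, with no listener, terminates the process).
async function observe(install) {
  const warnings = [];
  const unhandled = [];
  const onUnhandled = (reason) => unhandled.push(reason.message);
  process.on('unhandledRejection', onUnhandled);
  try {
    await install(fakeExec, (message) => warnings.push(message));
    await new Promise((resolve) => setTimeout(resolve, 20)); // let it settle
  } finally {
    process.off('unhandledRejection', onUnhandled);
  }
  return { warnings, unhandled };
}

async function demo() {
  const unawaited = await observe(installUnawaited);
  return { unawaited, awaited: await observe(installAwaited) };
}

const result = demo();
result.then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the unawaited variant the warning list stays empty and the failure surfaces only as an unhandled rejection; with `await`, the same failure is downgraded to a single warning.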