fix(ci): update GitHub Actions for Node 24#2

Merged: antonio-orionus merged 3 commits into main from codex/fix-actions-node24-upstream-scan on Jun 1, 2026
Conversation

antonio-orionus (Owner) commented Jun 1, 2026

Summary

  • update GitHub Actions to Node 24-compatible action majors
  • run release/upstream workflows on Node 24
  • fix upstream scan script so plain Node can parse it and repeated clone scans work
  • add CodeRabbit review configuration tailored to this package

Verification

Summary

Updates GitHub Actions workflows and CI infrastructure to support Node.js 24, adds CodeRabbit review configuration, and fixes the upstream scan script for repeated execution.

Changes

Workflows (release, test, upstream-scan):

  • Upgraded actions/checkout and actions/setup-node from v4 to v6
  • Upgraded softprops/action-gh-release from v2 to v3
  • Upgraded peter-evans/create-pull-request from v6 to v8
  • Updated Node.js runtime from 20–22 to 24 across workflows
  • Extended test matrix from {18, 20, 22} to {18, 20, 22, 24}

Upstream scan script (scripts/scan-yt-dlp-source.mjs):

  • Clears .tmp/yt-dlp directory before re-initializing git clone (fixes stale content interfering with repeated scans)
  • Relaxed TypeScript non-null assertions (!) on extracted regex match values (call, fragment)

Review configuration:

  • Added .coderabbit.yaml with per-label instructions and path-specific guidelines

Risk Areas

  • Release automation: Dependency upgrades (action majors, Node 24) could introduce incompatibilities; release workflow should be validated post-merge
  • Upstream snapshot consistency: The scan script no longer fails on stale .tmp/yt-dlp state, but relaxed non-null assertions may allow undefined values to flow through; verify scan results remain valid
  • Action version compatibility: GitHub Actions v6 major versions may have breaking changes; verify against existing workflow expectations

Verification

PR reports successful verification:

  • npm run typecheck, npm run test, npm run build
  • node --check scripts/scan-yt-dlp-source.mjs (syntax validation)
  • Upstream-scan workflow dispatch passed

coderabbitai (bot) commented Jun 1, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6c2c69df-86a8-405c-9a8d-a068ebd0d53d

📥 Commits

Reviewing files that changed from the base of the PR and between 1b6c492 and 545d56c.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**

⚙️ CodeRabbit configuration file

Review GitHub Actions for least-privilege permissions, unsafe secret exposure, untrusted PR execution, shell quoting, release/tag correctness, npm trusted publishing assumptions, artifact handling, and commands that can fail silently.

Files:

  • .github/workflows/release.yml
🔇 Additional comments (1)
.github/workflows/release.yml (1)

35-35: LGTM!


📝 Walkthrough

PR adds a repository CodeRabbit review configuration, updates GitHub Actions (checkout/setup-node, Node runtimes, and release/create-pull-request actions), and improves the yt-dlp scanner script to clear the clone directory and relax certain regex non-null assertions.

Changes (Maintenance: Configuration, CI Actions, and Script Improvements)

  • CodeRabbit Review Configuration (.coderabbit.yaml): Repository-wide CodeRabbit configuration is added with review profile settings, PR title/summary instructions, per-label guidance, tooling toggles, path scoping/filters, and path-specific instructions for workflows, scripts, source, tests, and package.json exports.
  • GitHub Actions Workflow Version Upgrades (.github/workflows/release.yml, .github/workflows/test.yml, .github/workflows/upstream-scan.yml): Actions checkout and setup-node steps upgraded from v4 to v6 across workflows; Node runtimes updated to 24 (test matrix adds Node 24); release workflow updates softprops/action-gh-release to @v3; upstream-scan updates peter-evans/create-pull-request to @v8.
  • Script Cleanup and Type Assertion Adjustments (scripts/scan-yt-dlp-source.mjs): Adds rmSync import, clears existing .tmp/yt-dlp before cloning, and removes non-null assertions on regex-derived call and fragment assignments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

github_actions, bug, documentation

🚥 Pre-merge checks: 4 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main objectives: updating GitHub Actions and Node version. However, it omits significant changes including CodeRabbit configuration and a critical upstream scan script fix, which together represent a substantial portion of the changeset.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (bot) added the labels bug (Something isn't working), documentation (Improvements or additions to documentation) and github_actions on Jun 1, 2026

coderabbitai (bot) left a review comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)

30-38: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote shell variables to prevent word-splitting and glob expansion.

The tag assertion script does not quote $tag and $pkg in the comparison or assignment statements. While github.ref is relatively controlled and package.json versions follow semver conventions, defense-in-depth requires quoting to prevent unexpected failures if the input contains whitespace or glob characters.

🛡️ Proposed fix to quote variables
       - name: assert tag matches package.json version
         env:
           TAG_REF: ${{ github.ref }}
         run: |
-          tag="${TAG_REF#refs/tags/v}"
-          pkg=$(node -p "require('./package.json').version")
-          if [ "$tag" != "$pkg" ]; then
-            echo "Tag $tag does not match package.json $pkg"; exit 1
+          tag="${TAG_REF#refs/tags/v}"
+          pkg="$(node -p "require('./package.json').version")"
+          if [ "$tag" != "$pkg" ]; then
+            echo "Tag $tag does not match package.json $pkg"; exit 1
           fi
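Review bot: the `tag=`, `if [ "$tag" != "$pkg" ]` and `echo` lines are byte-identical on the `-` and `+` sides of this hunk, so the only effective change is the quoted command substitution in `pkg="$(node -p "require('./package.json').version")"`; the comparison and the diagnostic were already quoted in the removed lines, and a plain assignment `pkg=$(...)` is not subject to word splitting or globbing in POSIX sh, so this is defensive style rather than the correctness fix the comment text describes. Suggest trimming the hunk to that single `pkg=` line so the change record is not misleading, and, if the step is to be hardened, adding `set -u` at the top of the `run:` block so an unset `TAG_REF` fails loudly instead of silently comparing an empty `tag`.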

As per coding guidelines: Review GitHub Actions for shell quoting.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 30 - 38, the shell script in the "assert tag matches package.json version" step must quote all variable expansions to prevent word-splitting/globbing: ensure TAG_REF is expanded into tag with parameter expansion quoted (use tag="${TAG_REF#refs/tags/v}"), capture package.json version into pkg with command substitution quoted (pkg="$(node -p 'require(\"./package.json\").version')"), and use quoted comparisons and diagnostic output (if [ "$tag" != "$pkg" ]; then echo "Tag $tag does not match package.json $pkg"; exit 1; fi) so all occurrences of tag and pkg are wrapped in double quotes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d6fbdf4e-207e-4e41-90d6-8d8ed9f63424

📥 Commits

Reviewing files that changed from the base of the PR and between 527f39e and 1b6c492.

📒 Files selected for processing (5)
  • .coderabbit.yaml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .github/workflows/upstream-scan.yml
  • scripts/scan-yt-dlp-source.mjs
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
.github/workflows/**

⚙️ CodeRabbit configuration file

Review GitHub Actions for least-privilege permissions, unsafe secret exposure, untrusted PR execution, shell quoting, release/tag correctness, npm trusted publishing assumptions, artifact handling, and commands that can fail silently.

Files:

  • .github/workflows/test.yml
  • .github/workflows/release.yml
  • .github/workflows/upstream-scan.yml
scripts/**

⚙️ CodeRabbit configuration file

Review Node scripts for unsafe command construction, stale temporary directories, path traversal, network/release API assumptions, missing error handling, platform-specific behavior, and reproducibility in CI.

Files:

  • scripts/scan-yt-dlp-source.mjs
🪛 zizmor (1.25.2)

.github/workflows/test.yml
  • [warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
  • [error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

.github/workflows/release.yml
  • [warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
  • [error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 17-17: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): this step
  • [error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [info] 44-44: action functionality is already included by the runner (superfluous-actions): use gh release in a script step

.github/workflows/upstream-scan.yml
  • [warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
  • [error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [info] 44-44: action functionality is already included by the runner (superfluous-actions): use gh pr create in a script step

🔇 Additional comments (11)

.github/workflows/test.yml (1)
  • 17-17: LGTM! (also applies to: 19-20)

.github/workflows/upstream-scan.yml (1)
  • 16-19: LGTM! (also applies to: 44-44)

scripts/scan-yt-dlp-source.mjs (2)
  • 51-51: LGTM!
  • 97-98: LGTM! (also applies to: 105-105)

.coderabbit.yaml (7)
  • 2-27, 28-62, 34-59, 63-68, 69-82, 83-121, 122-123: LGTM!
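The zizmor findings in the review above (unpinned-uses, artipacked, cache-poisoning and superfluous-actions on the release workflow) shown as the flagged shape beside a hardened one. This is an added example, not this repository's release.yml or CodeRabbit's suggestion: the commit pins are placeholders, and the `cache: npm` input, the `permissions` block and the `npm ci && npm run build` step are assumptions.

```yaml
# Added example, not this repository's release.yml. The commented "before"
# shape is what zizmor flagged above; the live "after" shape addresses each
# finding. <PIN-SHA-*> are placeholders for the full 40-hex commit SHA of the
# tag you verified; `cache: npm` in the before shape is assumed, not quoted
# from the page.
#
# before (zizmor: unpinned-uses, artipacked, cache-poisoning, superfluous-actions):
#   - uses: actions/checkout@v6                 # mutable tag; token left in .git/config
#   - uses: actions/setup-node@v6
#     with: { node-version: 24, cache: npm }    # cache restore on a tag-triggered build
#   - uses: softprops/action-gh-release@v3      # the runner already ships `gh`

name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read                 # workflow-wide floor; each job widens only what it needs

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write            # required to create the GitHub release, nothing else
    steps:
      - uses: actions/checkout@<PIN-SHA-CHECKOUT>        # v6, pinned to a commit, tag in comment
        with:
          persist-credentials: false                     # artipacked: no token in .git/config
      - uses: actions/setup-node@<PIN-SHA-SETUP-NODE>    # v6, pinned to a commit
        with:
          node-version: 24
          # no `cache:` here: a cache entry written by a branch build could
          # otherwise be restored into the release build (cache-poisoning)
      - name: assert tag matches package.json version
        env:
          TAG_REF: ${{ github.ref }}
        run: |
          set -eu                                        # unset TAG_REF fails loudly
          tag="${TAG_REF#refs/tags/v}"
          pkg="$(node -p "require('./package.json').version")"
          if [ "$tag" != "$pkg" ]; then
            echo "Tag $tag does not match package.json $pkg"; exit 1
          fi
      - run: npm ci && npm run build
      - name: create release with the runner's gh CLI    # superfluous-actions: no third-party action
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" --verify-tag --generate-notes
```

`--verify-tag` makes `gh` refuse to create the release if the tag does not already exist on the remote, so the release is bound to the tag that triggered the run rather than to whatever `gh` would otherwise create.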

antonio-orionus merged commit 3ab7323 into main on Jun 1, 2026 (5 checks passed) and deleted the codex/fix-actions-node24-upstream-scan branch on June 1, 2026 at 13:48.