
ci: fix nonexistent actions/upload-artifact SHA pin (Refs standards#48) #8

Merged: hyperpolymath merged 1 commit into main from claude/fix-upload-artifact-sha-48, May 16, 2026

Conversation

@hyperpolymath
Owner

Bulk remediation for hyperpolymath/standards#48.

actions/upload-artifact was pinned to 65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 which does not exist in actions/upload-artifact, breaking every affected workflow at Set up job. Replaced with the real v4.6.2 SHA ea165f8d65b6e75b540449e92b4886f43607fa02 (the pin already used by the canonical rsr-template-repo / v3-templater generators).

SHA-only replacement; pre-existing version comments left intact (cosmetic).

Refs hyperpolymath/standards#48 — per standards#66 protocol this PR uses Refs (not Closes); joint-close only on explicit agreement.

🤖 Generated with Claude Code

Replace fabricated pin 65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 (does not exist in
actions/upload-artifact) with the real v4.6.2 SHA ea165f8d65b6e75b540449e92b4886f43607fa02,
matching the canonical rsr-template-repo / v3-templater pin.
Unblocks 'Set up job' on every affected workflow.

Refs hyperpolymath/standards#48

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
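
An added example, not part of this PR or the repository's code: a Python check for the failure described above, where a pin is a well-formed 40-character hex string but is not a commit of the action. It compares every `uses:` ref against a trusted-pin list; `TRUSTED_PINS`, `audit_workflow` and the sample workflow are constructed for illustration, and the two SHAs are the ones quoted in the PR description.

```python
import re

# Assumed trusted-pin list (hypothetical name): owner/repo -> {commit SHA: version}.
# The one entry is the v4.6.2 pin quoted in the PR description.
TRUSTED_PINS = {
    "actions/upload-artifact": {"ea165f8d65b6e75b540449e92b4886f43607fa02": "v4.6.2"},
}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"#]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow: a tag ref, the nonexistent pin, and the corrected pin.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
"""

def audit_workflow(text, trusted=TRUSTED_PINS):
    """Return (line_no, action, ref, problem) for each `uses:` ref that fails the check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a step reference, or a local ./path action with no @ref
        action, ref = m.groups()
        if action.startswith("docker://"):
            continue  # container image references are outside this check
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
        if not FULL_SHA_RE.fullmatch(ref):
            problem = "not pinned to a full commit SHA"
        elif ref not in trusted.get(repo, {}):
            # Well-formed hex proves nothing: the SHA must be a known commit of this action.
            problem = "SHA is not a trusted pin for this action"
        else:
            continue
        findings.append((line_no, action, ref, problem))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s@%s: %s" % finding)
```

A format-only check would pass the old pin, which is why the comparison is against known commits rather than the shape of the ref.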
@sonarqubecloud

@github-actions

🔍 Hypatia Security Scan

Findings: 5 issues detected

Severity Count
🔴 Critical 1
🟠 High 2
🟡 Medium 2

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 52,
    "reason": "Secret found: Password",
    "type": "secret_detected",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools/ipv6-only/scripts/he-tunnel-setup.sh",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in ipv6-tools: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 3 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 48bb2d9 into main May 16, 2026
21 of 22 checks passed
@hyperpolymath hyperpolymath deleted the claude/fix-upload-artifact-sha-48 branch May 16, 2026 23:55