chore: update Github Action dependencies #214

Merged: patrick-stephens merged 6 commits into main from update_deps_mar13 on Mar 13, 2026

@patrick-stephens patrick-stephens commented Mar 13, 2026

GitHub Actions Dependency Updates

docker/setup-qemu-action@v4

  • Node.js 24 is now the default runtime (requires Actions Runner v2.327.1+)
  • Migrated to ESM (ECMAScript Modules)
  • Updated dependencies: @actions/core, @docker/actions-toolkit, js-yaml, lodash, brace-expansion
  • Release notes

crazy-max/ghaction-import-gpg@v7

  • Node.js 24 is now the default runtime (requires Actions Runner v2.327.1+)
  • Migrated to ESM
  • Updated dependencies: @actions/core, @actions/exec, brace-expansion, minimatch, openpgp
  • Release notes

actions/download-artifact@v8

  • Migrated to ESM
  • Supports direct downloads and new skip-decompress parameter
  • Digest (hash) mismatches now fail the workflow by default (configurable)
  • Improved support for CJK characters in artifact names
  • Requires Node.js 24 and Actions Runner v2.327.1+
  • Release notes

actions/upload-artifact@v7

  • Adds support for direct (unzipped) file uploads via the new archive parameter
  • Migrated to ESM
  • Requires Node.js 24 and Actions Runner v2.327.1+
  • Release notes

bats-core/bats-action@4.0.0

  • ⚠️ Breaking: GitHub CI tokens are no longer passed automatically. If you hit rate limits, see the authenticated requests guide
  • New: Allow configuring or disabling the GitHub token
  • Removed Ubuntu 20.04 from the test matrix
  • Dependency updates
  • Release notes


Summary by cubic

Pin and upgrade CI Actions across workflows, move to Node.js 24/ESM where supported, and enforce SHA pinning with a new lint (no exceptions). Also pass a token to bats-core/bats-action to avoid rate limits, and exclude vendored source from the pin check.

  • Dependencies

    • Pinned all Actions to SHAs; added .pinact.yaml and an actions-pin-sha job using suzuki-shunsuke/pinact-action; removed the pinact exception and excluded source/** (vendored/upstream) from scanning.
    • Upgrades: docker/setup-qemu-action v3 → v4, crazy-max/ghaction-import-gpg v6 → v7, actions/upload-artifact v6 → v7.
    • actions/download-artifact moved to v8 in most jobs (digest checks on by default); some jobs remain on v7 for compatibility.
    • bats-core/bats-action v3.0.1 → v4.0.0 with github-token provided.
    • Misc pins/bumps across workflows: actions/checkout v6.0.2, docker/* (buildx/build-push/login/metadata), azure/* (helm/kubectl), helm/kind-action, actions/github-script, reviewdog/*, anchore/sbom-action, softprops/action-gh-release, coverallsapp/*, jwlawson/actions-setup-cmake, threeal/cmake-action, google-github-actions/* (auth/get-secretmanager-secrets/upload-cloud-storage), redhat-actions/openshift-tools-installer, sigstore/cosign-installer, re-actors/alls-green, raven-actions/debug, frabert/replace-string-action.
  • Migration

    • Workflows run on Node.js 24; Actions Runner must be v2.327.1+.
    • actions/download-artifact v8 fails on digest mismatches by default.
    • If you use bats-core/bats-action elsewhere, pass github-token to avoid rate limits.

Written for commit e6943d8. Summary will update on new commits.

@patrick-stephens patrick-stephens requested a review from a team as a code owner March 13, 2026 11:18
@patrick-stephens patrick-stephens added the dependencies (Pull requests that update a dependency file) and build-packages (Option to enable all package builds for a PR to test) labels Mar 13, 2026
cubic-dev-ai[bot]

This comment was marked as resolved.

coveralls commented Mar 13, 2026

Pull Request Test Coverage Report for Build 23061103958

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 3 unchanged lines in 1 file lost coverage.
  • Overall coverage remained the same at 56.666%

Files with Coverage Reduction | New Missed Lines | %
src/aws/flb_aws_credentials_process.c | 3 | 71.6%

Totals (Coverage Status)
Change from base Build 22352894906: 0.0%
Covered Lines: 86703
Relevant Lines: 150997

💛 - Coveralls

@patrick-stephens patrick-stephens removed the build-packages (Option to enable all package builds for a PR to test) label Mar 13, 2026
cubic-dev-ai[bot]

This comment was marked as resolved.

@patrick-stephens patrick-stephens force-pushed the update_deps_mar13 branch 2 times, most recently from 8cb3206 to ea2369d March 13, 2026 16:42
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
@patrick-stephens patrick-stephens merged commit f31f0b9 into main Mar 13, 2026
14 of 20 checks passed
@patrick-stephens patrick-stephens deleted the update_deps_mar13 branch March 13, 2026 16:51
@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".pinact.yaml">

<violation number="1" location=".pinact.yaml:6">
P1: This `files` pattern overrides pinact's default workflow targets, so the action-pinning check will skip `.github/workflows/**` instead of enforcing SHA pinning there.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

version: 3
files:
# Ignore all files in vendored and other source code
- pattern: source/**
@cubic-dev-ai cubic-dev-ai bot Mar 13, 2026

P1: This files pattern overrides pinact's default workflow targets, so the action-pinning check will skip .github/workflows/** instead of enforcing SHA pinning there.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .pinact.yaml, line 6:

<comment>This `files` pattern overrides pinact's default workflow targets, so the action-pinning check will skip `.github/workflows/**` instead of enforcing SHA pinning there.</comment>

<file context>
@@ -1,10 +1,6 @@
-#   ref: main
+files:
+  # Ignore all files in vendored and other source code
+  - pattern: source/**
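Review bot: the comment on the added lines says "Ignore all files in vendored and other source code", but the entry is written as a `pattern:` under `files:`, which the review comment on this page reads as the set of files pinact checks, replacing its default workflow targets. If that reading holds, `source/**` becomes the scan target and `.github/workflows/**` is no longer enforced. Either remove the `files:` block so the defaults apply or list the workflow paths explicitly, and reword the comment so it matches what the key does.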
</file context>
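
An independent cross-check for the concern raised in the review comment above, that the pin lint could end up skipping `.github/workflows/**`. This is an added Python example, not part of the PR, the repository or pinact; the function names, the glob choices and the sample workflow are constructed for illustration. It lists `uses:` references in workflow files that are not pinned to a full commit SHA while leaving `source/**` out of scope.

```python
import re
from fnmatch import fnmatch

# "uses: owner/repo[/path]@ref", with an optional "- " list prefix and quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def classify(ref_spec):
    """Return 'local', 'pinned' or 'unpinned' for one uses: value."""
    if ref_spec.startswith("./"):
        return "local"  # action inside the same repository, nothing to pin
    if ref_spec.startswith("docker://"):
        return "pinned" if "@sha256:" in ref_spec else "unpinned"
    _, sep, ref = ref_spec.rpartition("@")
    return "pinned" if sep and FULL_SHA.match(ref) else "unpinned"

def in_scope(path):
    """Check workflow files; skip vendored source/** (the split this page wants)."""
    if fnmatch(path, "source/*"):  # fnmatch's * also matches "/"
        return False
    return fnmatch(path, ".github/workflows/*.y*ml")

def audit(files):
    """files: {path: text}. Returns sorted (path, line_no, uses_value) for unpinned refs."""
    findings = []
    for path, text in files.items():
        if not in_scope(path):
            continue
        for n, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if m and classify(m.group(1)) == "unpinned":
                findings.append((path, n, m.group(1)))
    return sorted(findings)

# Constructed sample input; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = {
    ".github/workflows/build.yaml": (
        "jobs:\n  build:\n    steps:\n"
        "      - uses: actions/checkout@" + "a" * 40 + " # v6.0.2\n"
        "      - uses: actions/upload-artifact@v7\n"
        "      - uses: ./.github/actions/local\n"
    ),
    "source/vendored/.github/workflows/ci.yaml": "      - uses: actions/checkout@main\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unpinned: %s:%d %s" % finding)
```

If a check like this reports nothing for a workflow that is known to contain a tag reference, the scan scope is the first thing to inspect.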