Update github actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v4 → v7
actions/deploy-pages	action	major	v4 → v5
actions/github-script	action	major	v7 → v9
actions/upload-pages-artifact	action	major	v3 → v5

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v6

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v5

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

• Update Node.js version to 24.x @​salmanmkc (#​404)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​374)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @​dependabot (#​360)
• Make the rebuild dist workflow work nicer with Dependabot @​yoannchaudet (#​361)
• Bump the non-breaking-changes group across 1 directory with 3 updates @​dependabot (#​358)
• Delete repeated sentence @​garethsb (#​359)
• Update README.md @​tsusdere (#​348)
• Bump the non-breaking-changes group with 4 updates @​dependabot (#​341)
• Remove error message for file permissions @​TooManyBees (#​340)

---

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in #​695
• ci: use deployment: false for integration test environments by @​salmanmkc in #​712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in #​700

New Contributors

• @​Copilot made their first contribution in #​695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v9

Compare Source

v8.0.0

Compare Source

v8: .0.0

Compare Source

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in #​637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in #​653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in #​637
• @​sneha-krip made their first contribution in #​653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

actions/upload-pages-artifact (actions/upload-pages-artifact)

v5.0.0

Compare Source

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#​139)
• feat: add include-hidden-files input @​jonchurch (#​137)

See details of all code changes since previous release.

v5

Compare Source

v4.0.0

Compare Source

What's Changed

• Potentially breaking change: hidden files (specifically dotfiles) will not be included in the artifact by @​tsusdere in #​102
  If you need to include dotfiles in your artifact: instead of using this action, create your own artifact according to these requirements https://github.com/actions/upload-pages-artifact?tab=readme-ov-file#artifact-validation
• Pin actions/upload-artifact to SHA by @​heavymachinery in #​127

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

v4

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[github-actions]

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 591e8c7. ± Comparison against base commit 6856494.

♻️ This comment has been updated with latest results.

[codacy-production]

Pull Request Overview

While the PR successfully upgrades several core GitHub Actions and is considered 'up to standards' by Codacy, there are critical functional considerations regarding breaking changes in the new major versions.

Key risks include the migration to ESM in actions/github-script, which will break any existing logic using require(), and the new default exclusion of dotfiles in actions/upload-pages-artifact. Furthermore, several workflows modified in this PR are synchronized from templates; manual changes to these files will likely be overwritten in future synchronization cycles. These items should be addressed to ensure the reliability of the CI/CD pipeline and maintain configuration integrity.

About this PR

• The upgrade to the latest major version of actions/github-script represents an ESM-only migration. Any internal scripts within your workflows that utilize require('@actions/github') will fail at runtime. Ensure all inline or referenced scripts are updated to use ESM import syntax or the provided global context.

Test suggestions

• Verify that documentation artifacts uploaded via actions/upload-pages-artifact still render correctly on GitHub Pages, specifically checking for the presence of hidden files like .nojekyll.
• Validate that internal JavaScript logic in squad-heartbeat.yml and squad-issue-assign.yml remains compatible with the ESM-only actions/github-script@v9 (no use of require('@actions/github')).
• Confirm that the deployment workflow in deploy-pages.yml successfully executes with actions/deploy-pages@v5.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify that documentation artifacts uploaded via actions/upload-pages-artifact still render correctly on GitHub Pages, specifically checking for the presence of hidden files like .nojekyll.
2. Validate that internal JavaScript logic in squad-heartbeat.yml and squad-issue-assign.yml remains compatible with the ESM-only actions/github-script@v9 (no use of require('@actions/github')).
3. Confirm that the deployment workflow in deploy-pages.yml successfully executes with actions/deploy-pages@v5.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codacy-production]

_{🟡 MEDIUM RISK}

This workflow is marked as a synchronized file managed via a source template (templates/workflows/squad-heartbeat.yml). Manual changes here create configuration drift and risk being overwritten during the next synchronization. Please apply these updates to the source template or use the 'squad' utility to maintain consistency across all managed locations.

[codacy-production]

_{🟡 MEDIUM RISK}

Starting with the recent major version updates, this action excludes dotfiles by default. If the 'artifacts/docs' directory requires a .nojekyll file or other hidden configuration files for correct GitHub Pages rendering, you must now explicitly set the 'include-hidden-files' input to true.