chore: bump Node-20 actions to Node-24 compatible SHAs (#110)

* chore: bump Node-20 actions to Node-24 compatible SHAs (#109)

GitHub-Actions runners force Node-24 on 2026-06-02 (≈one week from
this commit) and remove Node-20 entirely on 2026-09-16. The
release.yml run for v0.2.17 emitted Node-20 deprecation annotations
on three actions; bumping them to current major-version SHAs makes
the warnings go away and unblocks the forced-migration date.

Bumps (SHA + documented tag both updated):

  actions/checkout       34e1148... # v4 -> 93cb6ef... # v5
  actions/setup-python   a26af69... # v5 -> a309ff8... # v6
  docker/login-action    c94ce9f... # v3 -> 650006c... # v4

49 lines changed across 10 workflow files:

  .github/workflows/artifact-cleanup.yml      1 line
  .github/workflows/branch-protection.yml     1 line
  .github/workflows/changelog-prestage.yml    2 lines
  .github/workflows/changelog-rollup.yml      2 lines
  .github/workflows/ci.yml                    30 lines
  .github/workflows/codeql.yml                1 line
  .github/workflows/eval-nightly.yml          2 lines
  .github/workflows/pin-freshness-audit.yml   2 lines
  .github/workflows/release.yml               3 lines
  .github/workflows/security.yml              5 lines

No behaviour change beyond the underlying Node runtime. The actions
themselves keep the same input/output contract across these majors
(per upstream release notes).

Local verification:
  pin-freshness audit: 68 pins checked, 0 findings
  pytest tests/: 215 passed
  mypy --strict, ruff, ci-script compile gate, branch-protection
    contexts sync: all clean

Self-version bump 0.2.17 -> 0.2.18 (chore = PATCH).

Closes #109

* chore: trigger CI re-evaluation

* chore: retrigger CI after Actions outage

* chore: retrigger CI after Actions outage

Author: constk

.github/workflows/artifact-cleanup.yml

@@ -42,7 +42,7 @@ jobs:
     name: Prune old artifacts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
       - name: Compute threshold
         id: threshold

.github/workflows/branch-protection.yml

@@ -35,7 +35,7 @@ jobs:
       matrix:
         branch: [main, develop]
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
       - name: Verify token is configured
         env:

.github/workflows/changelog-prestage.yml

@@ -48,7 +48,7 @@ jobs:
     name: Open prestage PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
         with:
           ref: develop
           # Full history so `git describe --abbrev=0 --tags` can resolve
@@ -61,7 +61,7 @@ jobs:
           # opens, but its CI doesn't run until a user pushes on top.
           token: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
 
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
 

.github/workflows/changelog-rollup.yml

@@ -35,7 +35,7 @@ jobs:
       github.event_name == 'workflow_dispatch' ||
       github.event.workflow_run.conclusion == 'success'
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
         with:
           ref: develop
           # full history needed for `git describe --abbrev=0 --tags <ref>^`
@@ -48,7 +48,7 @@ jobs:
           # pushes a commit on top.
           token: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
 
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
 

.github/workflows/ci.yml

@@ -17,9 +17,9 @@ jobs:
     name: Lint & Format
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -30,9 +30,9 @@ jobs:
     name: Type Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -43,9 +43,9 @@ jobs:
     runs-on: ubuntu-latest
     # Pure in-process tests — completes fast so PR authors get quick feedback.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -56,9 +56,9 @@ jobs:
     runs-on: ubuntu-latest
     # Enforces [tool.coverage.report].fail_under from pyproject.toml (75%).
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -68,9 +68,9 @@ jobs:
     name: Architecture (import-linter)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -83,9 +83,9 @@ jobs:
     # `uv run pre-commit install` can't leak unformatted code or a stray
     # secret past the first defence layer.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -99,8 +99,8 @@ jobs:
     # this job enforces the file-half. No exemption mechanism — pre-existing
     # offenders should be split before this job lands, not allowlisted.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: python .github/scripts/check_file_length.py
@@ -113,10 +113,10 @@ jobs:
     # that the 75 % coverage gate cannot detect on its own.
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
         with:
           fetch-depth: 0  # full history so `git show origin/<base>:` resolves
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: python .github/scripts/check_version_bump.py
@@ -129,8 +129,8 @@ jobs:
     # First-party = major tag; astral-sh/setup-uv = patch tag; third-party
     # = SHA + trailing `# vN.M.P` comment.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: python .github/scripts/check_action_pins.py
@@ -143,10 +143,10 @@ jobs:
     # `::warning::` if src/ is touched without tests/.
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
         with:
           fetch-depth: 0  # full history so the diff resolves
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: python .github/scripts/check_tests_present.py
@@ -158,8 +158,8 @@ jobs:
     # line cites a `#NNN` ticket; closed cites warn (or fail under
     # ASPIRATIONAL_STRICT=1). GITHUB_TOKEN enables ticket-state lookup.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - env:
@@ -173,8 +173,8 @@ jobs:
     # interfaces. The audit checks shape (presence + min 200 bytes) and
     # structure (`## Key interfaces` heading). No exemption mechanism.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: python .github/scripts/check_src_readmes.py
@@ -183,7 +183,7 @@ jobs:
     name: Frontend Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: "24"
@@ -198,7 +198,7 @@ jobs:
     # enjoys (ruff + mypy + pytest); the Frontend Build job above validates
     # the bundler output, this one validates source quality.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: "24"
@@ -217,9 +217,9 @@ jobs:
     # .github/branch-protection/*.json contexts arrays disagree with the
     # actual workflow jobs on disk.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -233,9 +233,9 @@ jobs:
     # Adding a type in one but not the other would mean commits pass locally
     # while PR titles fail in CI (or vice versa).
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
           - language: javascript-typescript
             build-mode: none
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4

.github/workflows/eval-nightly.yml

@@ -45,9 +45,9 @@ jobs:
     name: Run golden QA dataset
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: ${{ inputs.python_version || '3.14' }}
       - run: uv sync --frozen --extra dev --extra eval

.github/workflows/pin-freshness-audit.yml

@@ -34,8 +34,8 @@ jobs:
     name: Pin freshness audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
 

.github/workflows/release.yml

@@ -27,11 +27,11 @@ jobs:
       # Actions are SHA-pinned because this workflow has elevated permissions
       # (contents: write + packages: write). Bump SHAs with the # vX.Y.Z
       # annotation when a new release lands and you've reviewed the diff.
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
 
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
 
@@ -65,7 +65,7 @@ jobs:
             .
 
       - name: Log in to GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/security.yml

@@ -23,7 +23,7 @@ jobs:
     name: Secret scan (gitleaks)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
         with:
           fetch-depth: 0  # full history so gitleaks can scan every commit
       # Install and run the binary directly — the v2 action attempts to upload
@@ -43,9 +43,9 @@ jobs:
     name: Python deps (pip-audit)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.14"
       - run: uv sync --frozen --extra dev
@@ -71,7 +71,7 @@ jobs:
     name: Frontend deps (npm audit)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: "24"
@@ -87,7 +87,7 @@ jobs:
     runs-on: ubuntu-latest
     # Blocking: any fixable HIGH/CRITICAL CVE in the built image fails the PR.
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
       - name: Build image
         run: docker build -t harness-python-react:ci .
       - name: Run Trivy vulnerability scanner