Upgrade pinned GitHub Actions to latest stable release commit SHAs #49

@data-douser

Summary

Once #46 is resolved (via PR #47), all GitHub Actions will be pinned to full-length commit SHAs. This follow-up issue tracks upgrading each pinned action to the latest stable release version's full commit SHA.

Warning

actions/cache@v4 and Node.js 20.* are both at advanced stages of deprecation. Actions that still depend on Node.js 20 will stop working when GitHub completes the deprecation. actions/cache@v4 should be upgraded to v5 (or its replacement) as a priority. The Node.js version configured in setup-codeql-environment/action.yml and lint-and-format.yml should also be reviewed and bumped accordingly.

Context

PR #47 pins all external actions to commit SHAs corresponding to the following tag versions. Many of these may not be the latest stable release at time of upgrade:

Actions to Upgrade

.github/workflows/copilot-setup-steps.yml

  • actions/checkout — currently v6 (de0fac2e)

.github/workflows/lint-and-format.yml

  • actions/checkout — currently v6 (de0fac2e)
  • actions/setup-node — currently v6 (48b55a01)

.github/workflows/codeql-qlt-unit-tests.yml

  • actions/checkout — currently v6 (de0fac2e, ×3)
  • actions/upload-artifact — currently v7 (043fb46d)
  • actions/download-artifact — currently v8 (3e5f45b2)

.github/actions/setup-codeql-environment/action.yml

  • ⚠️ actions/cache — currently v4 (0057852b, ×4) — deprecated, upgrade to latest major version
  • actions/setup-node — currently v6 (48b55a01)
  • actions/setup-python — currently v6 (a309ff8b, ×2)
  • actions/setup-java — currently v5 (be666c2f, ×2)
  • actions/setup-go — currently v6 (4a3601121, ×2)
  • actions/setup-dotnet — currently v5 (c2fa09f4)
  • ruby/setup-ruby — currently v1 (0cb964fd, ×2)
  • advanced-security/codeql-development-toolkit/.github/actions/install-qlt — currently main (da8bc39f)

Deprecation Notes

  1. actions/cache@v4 is at an advanced stage of deprecation. It should be upgraded to the latest major version (likely v5). All 4 references in setup-codeql-environment/action.yml need updating.
  2. Node.js 20.* is at an advanced stage of deprecation in GitHub Actions runners. Review and update the node-version inputs and any hardcoded Node.js version references to a supported LTS version (e.g., 22.*).

How to Upgrade

For each action, resolve the latest stable tag to its commit SHA:

# For tagged releases (handles annotated tags):
git ls-remote https://github.com/OWNER/REPO.git 'refs/tags/TAG^{}'

# For branch-based refs:
git ls-remote https://github.com/OWNER/REPO.git refs/heads/BRANCH

Then update the reference using the format:

uses: actions/checkout@<full-40-char-sha> # v<latest>

Acceptance Criteria

  • All external GitHub Actions are pinned to the commit SHA of their latest stable release
  • actions/cache is upgraded from v4 to the latest non-deprecated major version
  • Node.js version references are updated to a supported LTS version
  • CI/CD workflows continue to pass after the upgrade
  • The .github/instructions/github_workflows_yaml.instructions.md guidance is followed

Related

Labels

  • dependencies (Pull requests that update a dependency file)
  • enhancement (New feature or request)
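
The resolution and pinning steps under "How to Upgrade", as an added example that is not part of the original issue or its repository: it picks the commit SHA out of `git ls-remote` output (peeled `^{}` line first, plain line for lightweight tags), formats the pinned `uses:` line, and lists references that are not pinned to a full SHA. The function names, `example-org/example-action`, both SHAs and the sample workflow lines are constructed for illustration.

```shell
# Added example: names, SHAs and the sample workflow are constructed.

# Print the commit SHA for tag $1 from `git ls-remote` output on stdin.
# Annotated tags list refs/tags/TAG (tag object) and refs/tags/TAG^{} (commit);
# prefer the peeled line, fall back to the plain one for lightweight tags.
resolve_tag_sha() {
  awk -v ref="refs/tags/$1" '
    $2 == (ref "^{}") { peeled = $1 }
    $2 == ref         { plain = $1 }
    END {
      sha = (peeled != "") ? peeled : plain
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) exit 1
      print sha
    }'
}

# Format a pinned reference the way the issue asks: full SHA plus version comment.
pin_line() { printf 'uses: %s@%s # %s\n' "$1" "$2" "$3"; }

# Print external `uses:` references on stdin that are not pinned to a 40-char SHA.
# Local (./) actions are skipped. Exit status is 1 if any were found.
find_unpinned() {
  awk '
    /^[ \t]*(-[ \t]+)?uses:/ {
      line = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", line)
      sub(/[ \t]*#.*$/, "", line)          # drop the trailing "# vN" comment
      if (line ~ /^\.\//) next             # local action, nothing to pin
      n = split(line, part, "@")
      ref = (n == 2) ? part[2] : ""
      if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/) { print line; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample data (not real SHAs).
TAG_OBJ=0123456789abcdef0123456789abcdef01234567
COMMIT=89abcdef0123456789abcdef0123456789abcdef
sample_ls_remote() {
  printf '%s\trefs/tags/v1\n%s\trefs/tags/v1^{}\n' "$TAG_OBJ" "$COMMIT"
}
sample_workflow() {
  printf '      - uses: actions/checkout@v6\n'
  printf '      - uses: ./.github/actions/setup-codeql-environment\n'
  pin_line example-org/example-action "$COMMIT" v1 | sed 's/^/      - /'
}

pin_line example-org/example-action "$(sample_ls_remote | resolve_tag_sha v1)" v1
sample_workflow | find_unpinned || echo "unpinned references listed above"
```

Against a real repository, pipe `git ls-remote https://github.com/OWNER/REPO.git` into `resolve_tag_sha TAG`, and pipe each workflow file into `find_unpinned` as a CI check.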
