From 10151d8db4d3bf5e58a661f75348fd53a7ed67be Mon Sep 17 00:00:00 2001
From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com>
Date: Mon, 25 May 2026 22:24:56 -0400
Subject: [PATCH] chore(ci): bump pinned-by-tag actions to latest majors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bundles the five GitHub Actions dependabot bumps so they land as a
single CI-validated unit instead of five separate force-rebases:

- actions/upload-artifact          v4 → v7  (#3)
- actions/cache                    v4 → v5  (#4)
- github/codeql-action/*           v3 → v4  (#5)
- actions/attest-build-provenance  v2 → v4  (#6)
- peter-evans/create-pull-request  v6 → v8  (#2)

Only loose @vN tag pins are touched. SHA-pinned action references
(scorecard.yml upload-artifact v7.0.1, scorecard.yml codeql-action
v4.35.3, helm-release.yml upload-artifact v4.4.3) are left intact —
those were intentionally pinned at specific points for supply-chain
hardening and will be updated independently when their pins next roll.

actionlint passes; only pre-existing shellcheck info-level findings
in unrelated script blocks (SC2086 / SC2129) which the linter has been
emitting since before the bump.

upload-artifact v5 dropped the implicit same-name-merge behavior; our
usages already use uniquely-namespaced artifact names (matrix.platform,
env.VERSION, etc.) so no callsite needs adjustment. actions/cache v5
tightens cache-key validation but our keys are already conservative
hashes of Cargo.lock / requirements.txt etc.

Closes dependabot PRs #2, #3, #4, #5, #6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/benchmark.yml          |  2 +-
 .github/workflows/clippy.yml             |  2 +-
 .github/workflows/contributors.yml       |  2 +-
 .github/workflows/coverage.yml           |  2 +-
 .github/workflows/docs-quality.yml       |  2 +-
 .github/workflows/docs.yml               |  2 +-
 .github/workflows/e2e-cross-platform.yml |  4 ++--
 .github/workflows/fuzz.yml               |  4 ++--
 .github/workflows/mutation.yml           |  2 +-
 .github/workflows/release.yml            | 10 +++++-----
 .github/workflows/security.yml           | 12 ++++++------
 11 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 3eb7a29..bad3bb9 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -40,7 +40,7 @@ jobs:
         run: cargo bench --bench config_parsing --bench registry_lookup --bench version_comparison -- --noplot
 
       - name: Store benchmark results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: benchmark-results
           path: target/criterion/
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
index 76b7703..d07d22d 100644
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
@@ -44,7 +44,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: rust-clippy-results.sarif
           wait-for-processing: true
\ No newline at end of file
diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
index 00c5681..404c395 100644
--- a/.github/workflows/contributors.yml
+++ b/.github/workflows/contributors.yml
@@ -149,7 +149,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.changes.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'chore: update contributors'
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 6f8553d..a88d774 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -59,7 +59,7 @@ jobs:
           JARVY_FAST_TEST: 1
 
       - name: Upload HTML coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-report
           path: target/llvm-cov/html/
diff --git a/.github/workflows/docs-quality.yml b/.github/workflows/docs-quality.yml
index db9c8bc..91a99dc 100644
--- a/.github/workflows/docs-quality.yml
+++ b/.github/workflows/docs-quality.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Restore lychee cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: .lycheecache
           key: lychee-${{ runner.os }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 09c33fb..452f39e 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -47,7 +47,7 @@ jobs:
           python-version: "3.12"
 
       - name: Cache pip
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.cache/pip
           key: pip-${{ runner.os }}-mkdocs
diff --git a/.github/workflows/e2e-cross-platform.yml b/.github/workflows/e2e-cross-platform.yml
index a2aa24a..58ef799 100644
--- a/.github/workflows/e2e-cross-platform.yml
+++ b/.github/workflows/e2e-cross-platform.yml
@@ -129,7 +129,7 @@ jobs:
 
       - name: Upload Test Results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: e2e-results-${{ matrix.platform }}
           path: |
@@ -179,7 +179,7 @@ jobs:
   #
   #     - name: Upload Results
   #       if: always()
-  #       uses: actions/upload-artifact@v4
+  #       uses: actions/upload-artifact@v7
   #       with:
   #         name: e2e-results-${{ matrix.platform }}
   #         path: target/e2e-results/
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 6901d77..d71cd63 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -68,14 +68,14 @@ jobs:
         continue-on-error: true
 
       - name: Upload corpus
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: fuzz-corpus-${{ matrix.target }}
           path: fuzz/corpus/${{ matrix.target }}
           retention-days: 90
 
       - name: Upload crash artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: failure()
         with:
           name: fuzz-crashes-${{ matrix.target }}
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index d82d369..962035e 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -104,7 +104,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload mutation results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: mutation-results
           path: mutants.out/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 838f0e7..37fda28 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -166,7 +166,7 @@ jobs:
             cargo generate-rpm
           fi
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.platform }}${{ matrix.cross && format('-{0}', matrix.pkg_arch) || '' }}-release-artifacts
           path: ${{ matrix.artifact_paths }}
@@ -186,7 +186,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
 
       - name: Cache cargo tools
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.cargo/bin
           key: ${{ runner.os }}-cargo-sbom-tools
@@ -278,7 +278,7 @@ jobs:
           done
 
       - name: Upload SBOMs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: sbom-${{ env.VERSION }}
           path: |
@@ -329,7 +329,7 @@ jobs:
           done
 
       - name: Upload signed artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: signed-artifacts-${{ env.VERSION }}
           path: |
@@ -374,7 +374,7 @@ jobs:
           path: signatures
 
       - name: Create attestation for all builds
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v4
         with:
           subject-path: artifacts/**/jarvy*
 
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f06feb1..872236d 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -44,7 +44,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
 
       - name: Cache cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cargo/registry
@@ -108,7 +108,7 @@ jobs:
           generateSarif: true
 
       - name: Upload Semgrep SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: semgrep.sarif
         if: always()
@@ -127,7 +127,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: rust
           queries: security-extended
@@ -139,7 +139,7 @@ jobs:
         run: cargo build --release --all-features
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:rust"
 
@@ -156,7 +156,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
 
       - name: Cache cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cargo/registry
@@ -175,7 +175,7 @@ jobs:
           echo '```' >> $GITHUB_STEP_SUMMARY
 
       - name: Upload geiger report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: geiger-report
           path: geiger-report.txt