Upgrade GitHub Actions to latest versions #18689

Open
salmanmkc wants to merge 2 commits into github:main from salmanmkc:upgrade-github-actions-node24-general

Conversation

@salmanmkc

Summary

Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.

Changes

Action                            | Old Version(s) | New Version | Release | Files
actions/upload-pages-artifact     | 56afc60        | 7b1f4a7     | Release | docs.yml
anchore/sbom-action               | v0             | v0.23.0     | Release | release.md
aquasecurity/trivy-action         | b6643a2        | e368e32     | Release | security-scan.yml
github/codeql-action/analyze      | 4248455        | bb471cd     | Release | codeql.yml
github/codeql-action/init         | 4248455        | bb471cd     | Release | codeql.yml
github/codeql-action/upload-sarif | 4248455, v3    | bb471cd     | Release | security-scan.yml, vet.yml
github/stale-repos                | v3.0.2         | v8.0.4      | Release | stale-repo-identifier.md

Why upgrade?

Keeping GitHub Actions up to date ensures:

  • Security: Latest security patches and fixes
  • Features: Access to new functionality and improvements
  • Compatibility: Better support for current GitHub features
  • Performance: Optimizations and efficiency improvements

⚠️ Breaking Changes

  • github/codeql-action/init (v3 → v4): Major version upgrade — review the release notes for breaking changes
  • github/codeql-action/analyze (v3 → v4): Major version upgrade — review the release notes for breaking changes
  • actions/upload-pages-artifact (v3 → v4): Major version upgrade — review the release notes for breaking changes
  • github/codeql-action/upload-sarif (v3 → v4): Major version upgrade — review the release notes for breaking changes
  • github/stale-repos (v3.0.2 → v8.0.4): Major version upgrade — review the release notes for breaking changes

Security Note

Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.

Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

Copilot AI review requested due to automatic review settings February 27, 2026 13:16
Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

Copilot AI left a comment


Pull request overview

This PR upgrades several GitHub Actions to their latest versions to improve security, features, and compatibility. The changes include major version upgrades (v3→v4) for CodeQL and upload-pages-artifact actions, and updates to other security and SBOM generation tools.

Changes:

  • Upgraded github/codeql-action/* from v3 to v4 across multiple workflow files
  • Updated actions/upload-pages-artifact from v3 to v4 with SHA pinning
  • Upgraded aquasecurity/trivy-action to version 0.34.1
  • Updated anchore/sbom-action from v0 to v0.23.0
  • Upgraded github/stale-repos from v3.0.2 to v8.0.4

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

File                                       | Description
.github/workflows/vet.yml                  | Upgraded codeql-action/upload-sarif from v3 to v4
.github/workflows/stale-repo-identifier.md | Updated stale-repos action from v3.0.2 to v8.0.4
.github/workflows/security-scan.yml        | Upgraded codeql-action/upload-sarif (3 instances) and trivy-action to latest versions
.github/workflows/release.md               | Updated anchore/sbom-action from v0 to v0.23.0 for both SPDX and CycloneDX formats
.github/workflows/docs.yml                 | Upgraded upload-pages-artifact from v3 to v4 with SHA pinning
.github/workflows/codeql.yml               | Updated codeql-action/init and codeql-action/analyze from v3 to v4
Comments suppressed due to low confidence (7)

.github/workflows/security-scan.yml:37

  • There are two spaces between the SHA and the comment marker '#', while the original format had one space. This is inconsistent with the formatting on line 74 (actions/checkout) which maintains single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.

This issue also appears in the following locations of the same file:

  • line 63
  • line 77
  • line 87
        uses: github/codeql-action/upload-sarif@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4

.github/workflows/security-scan.yml:63

  • There are two spaces between the SHA and the comment marker '#', while the original format had one space. This is inconsistent with the formatting on line 74 (actions/checkout) which maintains single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.
        uses: github/codeql-action/upload-sarif@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4

.github/workflows/security-scan.yml:77

  • There are two spaces between the SHA and the comment marker '#', while the original format had one space. This is inconsistent with the formatting on line 74 (actions/checkout) which maintains single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.
        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518  # 0.34.1

.github/workflows/security-scan.yml:87

  • There are two spaces between the SHA and the comment marker '#', while the original format had one space. This is inconsistent with the formatting on line 74 (actions/checkout) which maintains single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.
        uses: github/codeql-action/upload-sarif@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4

.github/workflows/docs.yml:81

  • There are two spaces between the SHA and the comment marker '#', while other SHA-pinned actions in the file use single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.
        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b  # v4.0.0

.github/workflows/codeql.yml:28

  • There are two spaces between the SHA and the comment marker '#', while other SHA-pinned actions in the file use single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.

This issue also appears on line 45 of the same file.

        uses: github/codeql-action/init@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4

.github/workflows/codeql.yml:45

  • There are two spaces between the SHA and the comment marker '#', while other SHA-pinned actions in the file use single space formatting. For consistency, use a single space between the SHA and the '#' comment marker.
        uses: github/codeql-action/analyze@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4


@salmanmkc salmanmkc force-pushed the upgrade-github-actions-node24-general branch from bbf4185 to 6e011a2 (February 27, 2026 13:19)
@github-actions

Hey @salmanmkc 👋 — thanks for looking out for the project's CI hygiene and for the effort you put into documenting the upgrades in that detailed table!

Unfortunately this PR can't be accepted as-is because it doesn't follow the contribution process described in CONTRIBUTING.md. Here's what the guidelines say:

  • 🚫 Direct PRs from non-core team members are not enabled. Community contributors are asked to open a GitHub Issue with a detailed agentic plan instead. A core team member then picks the plan up and implements it through a coding agent.
  • 🤖 Action version updates can be automated. The project already has Dependabot configured for several ecosystems. For GitHub Actions, the recommended path is still an issue-based agentic plan for the core team to pick up.
  • ⚠️ Diff / description mismatch. The PR description lists 7 actions updated across 6 files (including codeql.yml, docs.yml, security-scan.yml, vet.yml), but the actual diff only modifies 2 files — anchore/sbom-action ×2 in release.md and github/stale-repos ×1 in stale-repo-identifier.md. The description is misleading as written.

The right path forward is to close this PR and open an issue with a detailed agentic plan. Here's a ready-to-use prompt you can assign to your coding agent to draft that issue:

Open a GitHub Issue in github/gh-aw proposing an upgrade of stale or pinned GitHub Actions to their latest versions.

The issue should follow the repository's agentic plan format (as described in CONTRIBUTING.md) and include:

1. A list of GitHub Actions currently used across all workflow files under .github/workflows/ that are pinned to outdated versions or floating major-version tags (e.g. `@v0`, `@v3`).
   - Check: anchore/sbom-action, aquasecurity/trivy-action, github/codeql-action/{analyze,init,upload-sarif}, actions/upload-pages-artifact, github/stale-repos
   - For each, identify the current pinned ref vs the latest stable release SHA

2. A step-by-step implementation plan specifying:
   - Exact file paths to edit (e.g. .github/workflows/release.md line NNN)
   - Old value → new value for each `uses:` line
   - Whether the change is a minor bump or a major-version upgrade
   - Any breaking-change notes from the upstream release notes

3. A note that actions pinned to commit SHAs should remain SHA-pinned (updated to the latest release SHA) rather than switched to mutable tags, for security.

4. A testing note confirming these changes only affect CI configuration and do not require application-level tests.

Do not create a pull request — create the issue only.

Generated by Contribution Check
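A check a maintainer could run over .github/workflows/ to enforce the rule stated in the description's Security Note and in point 3 of the bot's plan (actions stay pinned to a full commit SHA, never a mutable tag), plus the single-space convention between SHA and `# version` comment that Copilot flagged. This is an added example, not code from this PR or from the gh-aw project; the regex, the Finding type and the sample workflow skeleton are assumptions, and the sample reuses the `uses:` values quoted on this page (the upload-pages-artifact line is deliberately missing its version comment).

```python
import re, sys
from dataclasses import dataclass

# One `uses:` step: owner/repo[/path]@ref, then optional whitespace and a "# version" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)(?P<gap>\s*)(?P<comment>#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    # Return one Finding per `uses:` line that is not a clean, documented full-SHA pin.
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (docker:// and local actions are skipped)
        action, ref, gap, comment = m.group("action", "ref", "gap", "comment")
        if not FULL_SHA_RE.match(ref):
            # Tags and branches can be moved after the fact; only a commit SHA is immutable.
            findings.append(Finding(n, action, ref, "mutable ref, not a 40-hex commit SHA"))
        elif comment is None:
            findings.append(Finding(n, action, ref, "SHA pin has no '# <version>' comment"))
        elif gap != " ":
            findings.append(Finding(n, action, ref, "use one space between the SHA and '#'"))
    return findings


# Constructed sample: `uses:` values from this PR placed in a minimal workflow skeleton.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: anchore/sbom-action@v0
      - uses: github/stale-repos@v3.0.2
      - uses: github/codeql-action/upload-sarif@bb471cdcf4dda2c934c5b656f554d43c1434ed13  # v4
      - uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
"""

if __name__ == "__main__":  # audit the files given on the command line, else the sample
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for f in audit_workflow(text):
            print(f"{name}:{f.line_no}: {f.action}@{f.ref}: {f.problem}")
```

Run as `python audit_uses.py .github/workflows/*.yml`; a clean tree prints nothing, so the script is easy to wire into a required CI check.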

2 participants