
chore(ci): pin and refresh workflow dependencies, sync lockfile, and enforce preflight drift checks#1617

Merged
jaypatrick merged 7 commits intomainfrom
copilot/update-github-actions-dependencies
Apr 16, 2026

Conversation

Contributor

Copilot AI commented Apr 16, 2026

Description

Refresh workflow action dependencies to current stable releases, eliminate floating refs by SHA-pinning targeted uses: entries, fix stale inline version annotations, resolve lockfile drift failures, and ensure local pre-push hooks catch lockfile drift automatically.

Changes

  • Dependency upgrades + SHA pinning (workflow-only)

    • Upgraded targeted actions to latest stable versions and pinned to full commit SHAs:
      • actions/upload-artifact → v7.0.1
      • actions/download-artifact → v8.0.1
      • actions/cache → v5.0.5
      • denoland/setup-deno → v2.0.4
      • pnpm/action-setup → v5.0.0
      • docker/login-action → v4.1.0
      • docker/build-push-action → v7.1.0
      • docker/setup-qemu-action → v4.0.0
      • actions/github-script → v9.0.0 pin
      • github/codeql-action (init, analyze, upload-sarif) → v3.35.2
      • neondatabase/delete-branch-action → v3.2.1
      • neondatabase/create-branch-action → v6.4.0
  • Floating reference remediation

    • Replaced floating refs (@vX / @vX.Y.Z) in targeted workflows with 40-char SHA pins plus inline version comments.
  • Version-comment hygiene

    • Corrected stale annotations where SHAs already matched newer tags.
    • Clarified softprops/action-gh-release pin provenance in release.yml (pinned to v3.0.0 SHA, with note that v2 resolves elsewhere).
  • CI lockfile drift fix

    • Synced pnpm-lock.yaml with workspace manifests.
    • Updated examples/cloudflare-worker importer lock entry to match wrangler specifier ^4.83.0, removing stale 4.82.x lock references that broke frozen-lockfile installs.
  • Pre-push drift guard enhancement

    • Added check:lockfile task in deno.json:
      • pnpm install --frozen-lockfile --ignore-scripts
    • Updated preflight to run deno task check:lockfile, so deno task setup:hooks pre-push checks now catch lockfile drift automatically.
    • Updated scripts/setup-hooks.ts pre-push messaging to explicitly include lockfile sync checking.
  • Scope guardrails preserved

    • No changes to workflow job logic, ordering, conditions, matrices, path filters, thresholds, or deployment targets.
    • Intentionally pinned values remained unchanged (including DENO_VERSION: '2.7.11' in ci.yml and wrangler@4.81.0 in mdbook.yml).

Testing

  • Unit tests added/updated
  • Manual testing performed
  • CI passes

Zero Trust Architecture Checklist

Required for every PR touching worker/ or frontend/.
Check each item that applies. If an item doesn't apply, check it and note "N/A".

Worker / Backend

  • Every handler verifies auth before executing business logic (N/A)
  • CORS origin allowlist enforced (not *) on write/authenticated endpoints (N/A)
  • All secrets accessed via Worker Secret bindings (not [vars]) (N/A)
  • All external inputs Zod-validated before use (N/A)
  • All D1 queries use parameterized .prepare().bind() (no string interpolation) (N/A)
  • Security events emitted to Analytics Engine on auth failures (N/A)

Frontend / Angular

  • Protected routes have functional CanActivateFn auth guards (N/A)
  • Auth tokens managed via Clerk SDK (not localStorage) (N/A)
  • HTTP interceptor attaches ****** (no manual token passing) (N/A)
  • API responses validated with Zod schemas before consumption (N/A)

API Shield / Vulnerability Scanner

Required for every PR touching docs/api/openapi.yaml, worker/routes/, or resource endpoint handlers.

  • New/changed endpoints have a unique operationId in openapi.yaml (N/A)
  • Resource endpoints (those with /{id} path parameters) include a security: annotation (N/A)
  • Resource queries are scoped to the authenticated user (WHERE user_id = ?) — not just by ID (N/A)
  • Missing/unauthorized resources return 404 (not 403) to avoid leaking resource existence (N/A)
  • cloudflare-schema.yaml regenerated if openapi.yaml changed (deno task schema:cloudflare) (N/A)

If this PR does not touch worker/ or frontend/, the ZTA checklist is not required.
If this PR does not touch openapi.yaml or resource handlers, the API Shield checklist is not required.

Original prompt

Overview

Update all GitHub Actions workflows to use the latest stable versions of their action dependencies, fix floating (non-SHA-pinned) action references for security, correct stale version-comment annotations, and upgrade several actions that are behind by a major or minor version.

Do not change any business logic, deployment targets, thresholds, path filters, or step behaviour. This is a dependency-hygiene-only PR.


Research summary

All findings are from the GitHub Releases API as of 2026-04-16. The current state of each action in this repo is listed with the required change.

Actions at the correct version — verify SHA is still current

| Action | Current annotation | Latest release | Status |
|---|---|---|---|
| actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | v6.0.2 | ✅ version correct; verify SHA |
| actions/setup-node | 53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | v6.3.0 | ✅ version correct; verify SHA |
| actions/setup-python | a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | v6.2.0 | ✅ version correct; verify SHA |
| codecov/codecov-action | 57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | v6.0.0 | ✅ version correct; verify SHA |
| aquasecurity/trivy-action | 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 | v0.35.0 | ✅ version correct; verify SHA |
| rhysd/actionlint | 914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12 | v1.7.12 | ✅ version correct; verify SHA |
| dorny/paths-filter | fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 | v4.0.1 | ✅ version correct; verify SHA |
| docker/setup-buildx-action | 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | v4.0.0 | ✅ version correct; verify SHA |
| docker/metadata-action | 030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | v6.0.0 | ✅ version correct; verify SHA |
| sigstore/cosign-installer | cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | v4.1.1 | ✅ version correct; verify SHA |

Actions that need upgrading (version behind)

| Action | Current | Latest | Files affected |
|---|---|---|---|
| actions/upload-artifact | bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | v7.0.1 | ci.yml, bench.yml, lighthouse.yml |
| actions/download-artifact | @v8 (floating!) | v8.0.1 | release.yml |
| actions/cache | @v5 (floating!) | v5.0.5 | release.yml |
| denoland/setup-deno | 667a34cdef165d8d2b2e98dde39547c9daac7282 # v2 / e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 | v2.0.4 | cloudflare-dep-update.yml, create-version-tag.yml, sentry-worker.yml, version-bump.yml, release.yml (floating @v2) |
| pnpm/action-setup | 08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4 / fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 | v5.0.0 | cloudflare-dep-update.yml, frontend-version-bump.yml, lighthouse.yml, sentry-frontend.yml, neon-branch-create.yml |
| docker/login-action | b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | v4.1.0 | docker-publish.yml |
| docker/build-push-action | d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | v7.1.0 | docker-publish.yml |
| docker/setup-qemu-action | @v4 (floating!) | v4.0.0 | release.yml |
| softprops/action-gh-release | b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 | v3.0.0 (Node 24 runtime) | release.yml |
| actions/github-script | @v9 (floating!) and 3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7 (old) | v9.0.0 | cleanup-branches.yml, version-bump.yml, neon-branch-create.yml, db-migrate.yml |
| neondatabase/create-branch-action | @v6 (floating!) | v6 → latest patch 6.3.1 | neon-branch-create.yml |
| neondatabase/delete-branch-action | c2005bb7d7caeba12ba3ec63857e9c9f9a4d695a (no version comment) | v3.2.1 | neon-branch-cleanup.yml |
| github/codeql-action | dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4 | Latest v3.x action release | ci.yml, codeql.yml |

Floating tags that need SHA-pinning (security — supply-chain risk)

All @vX or @vX.Y.Z floating-tag references (no SHA) must be replaced with the full-length commit SHA of the corresponding tag, followed by the version comment. These are in:

  • release.yml: actions/checkout@v6.0.2, actions/cache@v5, docker/setup-qemu-action@v4, docker/setup-buildx-action@v4, docker/login-action@v4, docker/build-push-action@v7, actions/download-artifact@v8, denoland/setup-deno@v2 (via 667a34cdef...) and denoland/setup-deno@... # v2 (floating comment). Use SHA pins instead.
  • version-bump.yml: actions/checkout@v6.0.2 (floating)
  • claude.yml: actions/checkout@v6.0.2 (floating) — already at latest version but unpin
  • neon-branch-create.yml: actions/checkout@v6.0.2 (floating), neondatabase/create-branch-action@v6 (floating)
  • cleanup-branches.yml: actions/github-script@v9 (floating)
  • **`ver...

This pull request was created from Copilot chat.
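An added example, not code from the PR or the repository it touches: a TypeScript scanner for the two hygiene problems the description and the research prompt call out, floating `uses:` refs and SHA pins without an inline version comment. It assumes the workflow text is handed in as a string; the sample workflow is constructed, reusing SHAs quoted in the research table above.

```typescript
// Added example, not code from the PR or the repository it touches: flag
// `uses:` entries that are not pinned to a 40-hex commit SHA (tags or
// branches such as @v5 or @v6.0.2) and SHA pins that lack the inline
// `# vX.Y.Z` annotation the PR adds. Input is workflow text as a string.
type Finding = {
  line: number;   // 1-based line within the workflow text
  uses: string;   // the `uses:` value as written
  issue: "floating-ref" | "missing-version-comment";
};

const USES_RE = /^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)["']?\s*(#.*)?$/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;
const VERSION_COMMENT_RE = /^#\s*v?\d+(\.\d+){0,2}\b/;

function findUnpinnedUses(workflowText: string): Finding[] {
  const findings: Finding[] = [];
  workflowText.split(/\r?\n/).forEach((raw, idx) => {
    const m = USES_RE.exec(raw);
    if (!m) return;
    const uses = m[1];
    const comment = (m[2] ?? "").trim();
    // Local actions (./path) and docker:// images carry no git ref to pin.
    if (uses.startsWith("./") || uses.startsWith("docker://")) return;
    const at = uses.lastIndexOf("@");
    if (at < 0) return; // no ref at all; not a remote action reference
    const ref = uses.slice(at + 1);
    if (!FULL_SHA_RE.test(ref)) {
      findings.push({ line: idx + 1, uses, issue: "floating-ref" });
    } else if (!VERSION_COMMENT_RE.test(comment)) {
      findings.push({ line: idx + 1, uses, issue: "missing-version-comment" });
    }
  });
  return findings;
}

// Constructed sample; the SHAs are ones quoted in the PR's research table.
const SAMPLE_WORKFLOW = `steps:
  - uses: actions/checkout@v6.0.2
  - uses: actions/cache@v5
  - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
  - uses: neondatabase/delete-branch-action@c2005bb7d7caeba12ba3ec63857e9c9f9a4d695a
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.20
`;

const SAMPLE_FINDINGS = findUnpinnedUses(SAMPLE_WORKFLOW);
// SAMPLE_FINDINGS: lines 2 and 3 are floating refs, line 5 has no version comment.
```

Running it over each file under .github/workflows and failing the pre-push hook on a non-empty result gives the same kind of automatic guard the PR adds for lockfile drift.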

Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 16:34
@jaypatrick jaypatrick added documentation Improvements or additions to documentation dependencies External packages and dependencies deployment Deployment tasks labels Apr 16, 2026
@jaypatrick jaypatrick added this to the beta milestone Apr 16, 2026
Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 16:41
Copilot AI changed the title [WIP] Update GitHub Actions workflows to latest stable versions chore(ci): pin and refresh GitHub Actions workflow dependencies Apr 16, 2026
Copilot AI requested a review from jaypatrick April 16, 2026 16:43
@jaypatrick jaypatrick marked this pull request as ready for review April 16, 2026 16:45
Copilot AI review requested due to automatic review settings April 16, 2026 16:45
Contributor

Copilot AI left a comment


Pull request overview

This PR updates GitHub Actions workflow dependencies by upgrading selected actions and replacing floating uses: ...@v* references with full SHA pins plus inline version annotations, aiming to improve supply-chain safety without changing workflow logic.

Changes:

  • Upgraded targeted GitHub Actions (e.g., artifact, cache, pnpm, docker, CodeQL) and pinned uses: to full commit SHAs.
  • Removed floating refs in the touched workflows and refreshed/normalized inline version comments.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file
| File | Description |
|---|---|
| .github/workflows/bench.yml | Bumps/pins actions/upload-artifact to v7.0.1 SHA. |
| .github/workflows/ci.yml | Pins codeql-action/upload-sarif to v3.35.2 SHA and bumps/pins upload-artifact to v7.0.1 SHA. |
| .github/workflows/claude.yml | Pins actions/checkout to v6.0.2 SHA. |
| .github/workflows/cleanup-branches.yml | Pins actions/github-script to v9.0.0 SHA. |
| .github/workflows/cloudflare-dep-update.yml | Pins setup-deno and updates/pins pnpm/action-setup annotation to v5.0.0. |
| .github/workflows/codeql.yml | Pins codeql-action init/analyze steps to v3.35.2 SHA. |
| .github/workflows/create-version-tag.yml | Pins setup-deno to v2.0.4 SHA. |
| .github/workflows/db-migrate.yml | Updates actions/github-script annotation to v9.0.0 for the existing SHA pin. |
| .github/workflows/docker-publish.yml | Updates/pins docker/login-action and docker/build-push-action to newer SHAs. |
| .github/workflows/frontend-version-bump.yml | Updates/pins pnpm/action-setup to v5.0.0 SHA. |
| .github/workflows/lighthouse.yml | Updates/pins pnpm/action-setup to v5.0.0 SHA and upload-artifact to v7.0.1 SHA. |
| .github/workflows/mdbook.yml | Pins setup-deno to v2.0.4 SHA and updates/pins actions/cache to v5.0.5 SHA. |
| .github/workflows/neon-branch-cleanup.yml | Pins neondatabase/delete-branch-action to v3.2.1 SHA. |
| .github/workflows/neon-branch-create.yml | Pins actions/checkout, neondatabase/create-branch-action, and actions/github-script to SHAs. |
| .github/workflows/release.yml | Pins multiple actions (checkout, setup-deno, cache, docker actions, download/upload artifact) and updates action-gh-release annotation. |
| .github/workflows/sentry-frontend.yml | Updates/pins pnpm/action-setup to v5.0.0 SHA. |
| .github/workflows/sentry-worker.yml | Pins setup-deno to v2.0.4 SHA. |
| .github/workflows/version-bump.yml | Pins actions/checkout, setup-deno, and actions/github-script to SHAs. |

Comment thread .github/workflows/release.yml Outdated
@jaypatrick
Owner

@copilot apply changes based on the comments in this thread

Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 16:54
Contributor Author

Copilot AI commented Apr 16, 2026

@copilot apply changes based on the comments in this thread

Applied in commit 51a6425. I updated .github/workflows/release.yml to clarify the softprops/action-gh-release pin provenance: it remains pinned to the v3.0.0 SHA, with an inline note that the v2 tag resolves to a different commit.

@jaypatrick
Owner

@copilot fix CI

@jaypatrick
Owner

@copilot make sure setup:hooks is run to catch drift automatically as well.

Run pnpm install --frozen-lockfile --ignore-scripts || {
Scope: all 3 workspace projects
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with /examples/cloudflare-worker/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

Failure reason:
specifiers in the lockfile don't match specifiers in package.json:

  • 1 dependencies are mismatched:
    • wrangler (lockfile: ^4.82.1, manifest: ^4.83.0)

❌ pnpm-lock.yaml is out of sync with package.json!

Run 'pnpm install' locally, commit the updated pnpm-lock.yaml, and push again.
Tip: run 'deno task setup:hooks' to catch drift automatically before every push.
Error: Process completed with exit code 1.

Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 17:06
Contributor Author

Copilot AI commented Apr 16, 2026

@copilot fix CI

Fixed in 727f8e9 by syncing pnpm-lock.yaml to match the current wrangler specifier (^4.83.0) for examples/cloudflare-worker, which was causing the lockfile-sync and frontend install CI failures. The latest workflow runs on this commit are currently in action_required state (no jobs started), so once approved/re-run they should proceed with the lockfile issue resolved.

Copilot AI changed the title chore(ci): pin and refresh GitHub Actions workflow dependencies chore(ci): pin and refresh GitHub Actions workflow dependencies and sync lockfile Apr 16, 2026
Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 17:14
Copilot AI requested review from Copilot and removed request for Copilot April 16, 2026 17:15
Contributor Author

Copilot AI commented Apr 16, 2026

@copilot make sure setup:hooks is run to catch drift automatically as well.

Run pnpm install --frozen-lockfile --ignore-scripts || {
...

Implemented in 5b71b66 (with hook messaging update in e0e5701): deno task setup:hooks now installs a pre-push hook whose deno task preflight includes a dedicated deno task check:lockfile (pnpm install --frozen-lockfile --ignore-scripts), so lockfile drift is caught automatically before push.

Copilot AI changed the title chore(ci): pin and refresh GitHub Actions workflow dependencies and sync lockfile chore(ci): pin and refresh workflow dependencies, sync lockfile, and enforce preflight drift checks Apr 16, 2026
@jaypatrick jaypatrick requested a review from Copilot April 16, 2026 17:20
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 20 out of 21 changed files in this pull request and generated no new comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@jaypatrick jaypatrick merged commit 24f2b72 into main Apr 16, 2026
34 checks passed
@jaypatrick jaypatrick deleted the copilot/update-github-actions-dependencies branch April 16, 2026 17:26