ci: modernize generated action defaults

.github/workflows/benchmark.yml

@@ -34,8 +34,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Set up Node.js
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -59,7 +59,7 @@ jobs:
     - name: Restore baseline
       if: github.event_name == 'pull_request'
       id: restore-baseline
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: baseline-bench.txt
         key: go-benchmark-${{ github.event.pull_request.base.ref }}-never
@@ -95,7 +95,7 @@ jobs:
 
     - name: Comment PR with results
       if: github.event_name == 'pull_request' && steps.restore-baseline.outputs.cache-matched-key != ''
-      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       with:
         script: |
           const fs = require('fs');
@@ -160,14 +160,14 @@ jobs:
 
     - name: Save baseline
       if: github.event_name == 'push'
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: baseline-bench.txt
         key: go-benchmark-${{ github.ref_name }}-${{ github.sha }}
 
     - name: Upload benchmark results
       if: always()
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: benchmark-results
         path: |

.github/workflows/ci-wfctl.yml.example

@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: '1.26'   # bumped from generated 1.22 to match repo standard
+          go-version: '1.26.4'   # bumped from generated 1.22 to match repo standard
       - name: Install wfctl
         run: go install github.com/GoCodeAlone/workflow/cmd/wfctl@latest
       - name: Validate config
@@ -81,7 +81,7 @@ jobs:
 #       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 #       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 #         with:
-#           go-version: '1.26'
+#           go-version: '1.26.4'
 #       - name: Build binary
 #         run: |
 #           GOOS=linux GOARCH=amd64 go build -o bin/server ./cmd/server/
@@ -92,9 +92,9 @@ jobs:
 #           username: ${{ github.actor }}
 #           password: ${{ secrets.GITHUB_TOKEN }}
 #       - name: Set up Docker Buildx
-#         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+#         uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 #       - name: Build and push Docker image
-#         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+#         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 #         with:
 #           context: .
 #           push: true

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
       packages: read
     strategy:
       matrix:
-        go-version: ['1.26']
+        go-version: ['1.26.4']
 
     steps:
     - name: Check out code
@@ -40,7 +40,7 @@ jobs:
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ matrix.go-version }}
-        cache: true
+        cache: false
 
     - name: Set up Node.js
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -78,7 +78,7 @@ jobs:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
     - name: Upload coverage reports
-      uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
+      uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
       if: always() && steps.codecov-token.outputs.available == 'true'
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
@@ -100,8 +100,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Set up Node.js
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -138,8 +138,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Set up Node.js
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -162,7 +162,7 @@ jobs:
       run: go build -v ./...
 
     - name: Upload UI build artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: admin-ui-dist
         path: ui/dist/
@@ -183,8 +183,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Build examples
       run: |
@@ -206,8 +206,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Run golangci-lint on examples
       uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
@@ -232,8 +232,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Run go mod tidy (workflow)
       run: go mod tidy
@@ -312,8 +312,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Set up Node.js
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -359,19 +359,19 @@ jobs:
           echo -n "  $config ... "
 
           # Run with timeout — exit 124 means timeout (expected for servers)
-          output=$(timeout 10s ./workflow-example -config "$config" 2>&1) && {
+          if timeout 10s ./workflow-example -config "$config" >/tmp/workflow-example.out 2>&1; then
             echo "OK (exited cleanly)"
             passed=$((passed + 1))
-          } || {
+          else
             rc=$?
-            if [ $rc -eq 124 ]; then
+            if [ "$rc" -eq 124 ]; then
               echo "OK (server timeout — expected)"
               passed=$((passed + 1))
             else
               echo "WARN (exit $rc — may need runtime deps)"
               warned=$((warned + 1))
             fi
-          }
+          fi
         done
 
         echo ""
@@ -402,7 +402,7 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
-          cache: true
+          cache: false
       - name: Download module deps (needed for `go list -deps`)
         env:
           GOWORK: "off"
@@ -424,7 +424,7 @@ jobs:
           DEPS=$(go list -deps ./... 2>&1)
           LIST_EXIT=$?
           set -e
-          if [ $LIST_EXIT -ne 0 ]; then
+          if [ "$LIST_EXIT" -ne 0 ]; then
             echo "FAIL: \`go list -deps ./...\` exited $LIST_EXIT (gate cannot enforce):"
             echo "$DEPS" | head -10 | sed 's/^/  /'
             exit 1
@@ -436,7 +436,9 @@ jobs:
             || true)
           if [ -n "$UNEXPECTED" ]; then
             echo "FAIL: unexpected gcp/azure/api transitive deps in workflow-core build graph:"
-            printf '  %s\n' $UNEXPECTED
+            while IFS= read -r dep; do
+              printf '  %s\n' "$dep"
+            done <<< "$UNEXPECTED"
             echo
             echo "Only cloud.google.com/go/compute/metadata is allowlisted (OAuth2 ADC helper)."
             echo "Other gcp/azure SDK packages belong in a plugin, not workflow core."

.github/workflows/codeql.yml

@@ -45,8 +45,8 @@ jobs:
       if: matrix.language == 'go'
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.26'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Set up Node.js
       if: matrix.language == 'go'
@@ -64,12 +64,12 @@ jobs:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+      uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+      uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
       with:
         category: "/language:${{ matrix.language }}"

.github/workflows/conformance-budget-check.yml

@@ -46,13 +46,13 @@ jobs:
         id: hour
         run: echo "value=$(date -u +%Y%m%d%H)" >> "$GITHUB_OUTPUT"
 
-      # actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 does post-step write-back automatically:
+      # actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 does post-step write-back automatically:
       # if cache-hit is false, the action records the path's contents
       # at job-end and uploads under this key for the next run on the
       # same key. No explicit upload-cache step is needed.
       - name: Restore budget result cache
         id: budget-cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           key: budget-${{ github.event.pull_request.base.sha || github.sha }}-${{ steps.hour.outputs.value }}
           path: /tmp/budget-result.json

.github/workflows/conformance-smoke.yml

@@ -77,8 +77,8 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: '1.26'
-          cache: true
+          go-version: '1.26.4'
+          cache: false
 
       - name: Build wfctl
         run: go build -o wfctl ./cmd/wfctl

.github/workflows/copilot-setup-steps.yml

@@ -33,7 +33,7 @@ jobs:
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
-          cache: true
+          cache: false
           cache-dependency-path: go.sum
 
       # Configure Go for private repository access
@@ -43,7 +43,7 @@ jobs:
 
       # Setup Docker for containerized development
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 
       # Install Go dependencies and development tools
       - name: Install Go dependencies and tools

.github/workflows/create-release.yml

@@ -88,7 +88,7 @@ jobs:
           printf '%s\n' "${{ steps.next_version.outputs.tag }}" > release-metadata/release-tag.txt
 
       - name: Upload release metadata
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: release-metadata
           path: release-metadata/release-tag.txt

.github/workflows/dependency-update.yml

@@ -30,8 +30,8 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.24'
-        cache: true
+        go-version: '1.26.4'
+        cache: false
 
     - name: Update main dependencies
       run: |
@@ -50,7 +50,7 @@ jobs:
         cd example && go build ./...
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: 'chore: update Go dependencies'

.github/workflows/helm-lint.yml

@@ -18,7 +18,7 @@ jobs:
       uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
     - name: Set up Helm
-      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
       with:
         version: 'v3.16.0'
 

.github/workflows/osv-scanner.yml

@@ -32,7 +32,7 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2" # v2.3.8
     with:
       # Example of specifying custom arguments
       scan-args: |-
@@ -41,7 +41,7 @@ jobs:
         ./
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2" # v2.3.8
     with:
       # Example of specifying custom arguments
       scan-args: |-