chore: upgrade GitHub Actions to current versions

[JerrettDavis]

Summary

Upgrades dotnet/nbgv from the v0.5.1 tag (Node.js 20) to a SHA pin on master that uses Node.js 24, resolving the intermittent Value cannot be null (Parameter 'name') error when the action writes empty-named variables to $GITHUB_ENV.

Action Audit

Action	Current	Latest	Runtime	Action
dotnet/nbgv	v0.5.1	v0.5.1 (tag) / b944774 (master)	node20 → node24	Bumped to SHA
actions/checkout	v6	v6.0.2	node24	No change (major pinned)
actions/setup-dotnet	v5	v5.2.0	node24	No change (major pinned)
actions/upload-artifact	v7	v7.0.1	node24	No change (major pinned)
actions/upload-pages-artifact	v5	v5.0.0	composite	No change (major pinned)
actions/deploy-pages	v5	v5.0.0	node24	No change (major pinned)
actions/dependency-review-action	v4	v4.9.0	node20	No change — GitHub first-party, no v5 yet
actions/labeler	v6	v6.0.1	node24	No change (major pinned)
actions/stale	v10	v10.2.0	node24	No change (major pinned)
actions/attest-sbom	v4	v4.1.0	composite	No change (major pinned)
codecov/codecov-action	v6	v6.0.0	composite	No change (major pinned)
softprops/action-gh-release	v3	v3.0.0	node24	No change (major pinned)
github/codeql-action	v4	latest bundle	node24	No change (major pinned)
docker/login-action	v4	v4.1.0	node24	No change (major pinned)
docker/metadata-action	v6	v6.0.0	node24	No change (major pinned)
docker/build-push-action	v7	v7.1.0	node24	No change (major pinned)
anchore/sbom-action	v0	v0.24.0	node24	No change (major pinned)
marocchino/sticky-pull-request-comment	v3	v3.0.4	node24	No change (major pinned)
EnricoMi/publish-unit-test-result-action	v2	v2.23.0	docker	No change (major pinned)
codelytv/pr-size-labeler	v1	v1.10.4	docker	No change (major pinned)

nbgv Node 24 Status

dotnet/nbgv has not cut a new release with node24. The master branch was updated to node24 but the latest tag (v0.5.1, released 2026-03-25) still uses node20.

Resolution: Pinned to full commit SHA b944774b6878ef950cc14d1a72bf9c0ffafbb839 (master HEAD as of 2026-04-18), which uses node24. This is the standard security practice for referencing unreleased action changes. Once v0.5.2 (or later) is released with node24, the SHA should be swapped back to the tag.

Files Changed

• .github/workflows/ci.yml — nbgv step bumped to SHA
• .github/workflows/pr-validation.yml — nbgv step bumped to SHA

Test Plan

• PR Validation workflow passes on this PR
• CI workflow passes on merge to main
• No Value cannot be null (Parameter 'name') errors in nbgv steps

🤖 Generated with Claude Code

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/pr-validation.yml

Package	Version	License	Issue Type
dotnet/nbgv	b944774b6878ef950cc14d1a72bf9c0ffafbb839	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/dotnet/nbgv	b944774b6878ef950cc14d1a72bf9c0ffafbb839	🟢 4.6	Details Check Score Reason Code-Review 🟢 3 Found 4/11 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/pr-validation.yml

[github-actions]

Code Coverage

Summary
  Generated on: 04/18/2026 - 20:47:05
  Coverage date: 04/18/2026 - 20:45:12 - 04/18/2026 - 20:46:56
  Parser: MultiReport (7x Cobertura)
  Assemblies: 23
  Classes: 1067
  Files: 591
  Line coverage: 74.7%
  Covered lines: 36839
  Uncovered lines: 12473
  Coverable lines: 49312
  Total lines: 97268
  Branch coverage: 63.6% (14329 of 22512)
  Covered branches: 14329
  Total branches: 22512
  Method coverage: 86.4% (6320 of 7308)
  Full method coverage: 74.2% (5428 of 7308)
  Covered methods: 6320
  Fully covered methods: 5428
  Total methods: 7308

[github-actions]

Test Results

7 641 tests   7 622 ✅  2m 25s ⏱️
    7 suites     19 💤
    7 files        0 ❌

Results for commit 0f29a84.