
fix(configure-plugin): refresh stale version pins across configure skills#1476

Draft
laurigates wants to merge 1 commit into main from claude/config-skills-version-audit-HXKkR

Conversation

@laurigates
Owner

Summary

Audited every version-pinned reference in the configure-plugin configuration skills (GitHub Action pins, pre-commit rev: pins, Docker base/service image tags, runtime versions, and package-manager tool versions) and bumped stale pins to current upstream stable. Verified against upstream release pages / Docker Hub. 27 files changed, a symmetric 207/207 line swap (pure version replacements).

The audit was fanned out across a team of six subagents, each owning a disjoint set of files; all findings were then reviewed against the actual git diff before committing.

What changed

GitHub Actions (major tags)

  • actions/checkout v4 → v6, setup-node v4 → v6, setup-python v5 → v6
  • actions/upload-artifact / download-artifact v4 → v7, actions/cache v4 → v5
  • configure-pages v5 → v6, upload-pages-artifact v3 → v5, deploy-pages v4 → v5
  • dependency-review-action v4 → v5, github/codeql-action v3 → v4
  • docker/setup-buildx v3 → v4, docker/login v3 → v4, docker/metadata v5 → v6, docker/build-push v6 → v7
  • googleapis/release-please-action v4 → v5, gitleaks/gitleaks-action v2 → v3
  • getsentry/action-release v1 → v3, codecov/codecov-action v4 → v6, astral-sh/setup-uv v4 → v8

pre-commit rev: pins

  • pre-commit-hooks v5 → v6, ruff-pre-commit → v0.15.15, gitleaks v8.22.1 → v8.30.1
  • biomejs/pre-commit → v2.4.16 (+ @biomejs/biome 1.9.4 → 2.4.16), conventional-pre-commit v4.3.0 → v4.4.0, actionlint v1.7.7 → v1.7.12, gruntwork-io v0.1.29 → v0.1.30

Docker images / runtimes

  • python 3.12/3.13 → 3.14, node 22 → 24 (LTS), golang 1.23 → 1.26, rust 1.84 → 1.96, nginx 1.27 → 1.30, alpine 3.21 → 3.23
  • postgres 16 → 17, redis 7 → 8, rabbitmq 3 → 4
  • MkDocs/Sphinx Pages templates python 3.12 → 3.13

🔒 Security-relevant

  • aquasecurity/trivy-action SHA-pin moved off 0.34.0 — which falls inside the compromised range (0.0.1–0.34.2) from the March 2026 trivy supply-chain attack — to v0.36.0 (ed142fd0673e97e23eac54620cfb913e5ce36c25, post-incident, verified to resolve to the v0.36.0 tag).

Frontmatter modified:/reviewed: dates refreshed to 2026-06-01 on edited SKILL.md files.

Left intentionally unchanged

  • pre-commit/mirrors-prettier v4.0.0-alpha.8 — repo archived (Apr 2024); no stable v4 exists.
  • trufflesecurity/trufflehog@main, dtolnay/rust-toolchain@stable — intentional floating refs.
  • Library version floors (ruff>=0.8.0, pytest>=8.0, typescript ^5.7.0, etc.) — minimum constraints, not stale pins.

Follow-up worth a maintainer's eye (not changed here)

  • configure-workflows/REFERENCE.md contains a claude-sonnet-4-20250514 model ID in a claude-code-action example — a stale model reference (current is claude-sonnet-4-6). Left as-is since model IDs are a different category from package version pins; flagging in case you'd like it updated.

🤖 Generated with Claude Code


Generated by Claude Code

…ills

Audited every version-pinned reference in the configuration skills and
bumped stale pins to current upstream stable. Covers GitHub Action major
tags (checkout v4->v6, upload-artifact v4->v7, setup-node/python v4/v5->v6,
codeql v3->v4, docker/* v3/v5/v6->v4/v6/v7, release-please v4->v5,
gitleaks-action v2->v3, getsentry/action-release v1->v3, setup-uv v4->v8,
codecov v4->v6), pre-commit rev pins (pre-commit-hooks v6, ruff v0.15.15,
gitleaks v8.30.1, biome v2.4.16, conventional-pre-commit v4.4.0,
actionlint v1.7.12, gruntwork v0.1.30), Docker base/service images
(python 3.14, node 24 LTS, golang 1.26, rust 1.96, nginx 1.30, alpine
3.23, postgres 17, redis 8, rabbitmq 4), and runtime versions.

Security-relevant: bumps aquasecurity/trivy-action off the SHA for 0.34.0,
which falls inside the compromised range (0.0.1-0.34.2) from the March 2026
supply-chain attack, to v0.36.0 (ed142fd, post-incident verified safe).

Refreshes modified/reviewed frontmatter dates on edited SKILL.md files.
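The pin audit the PR description and commit message above describe (classifying `uses:` pins, checking that a SHA pin really resolves to the tag written next to it, and catching tags that sit inside a compromised version range), as an added example that is not part of this PR or the repository. The `BAD_RANGES` table only repeats the 0.0.1 to 0.34.2 range the PR states and is not an independently verified advisory list; the `SHA_TO_TAG` lookup stands in for `git ls-remote --tags` output, which needs network access, and its single entry repeats the PR's own claim; the sample workflow is constructed here.

```python
"""Audit GitHub Actions `uses:` pins in workflow text.

Added example, not code from the PR or the project it edits."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches `- uses: owner/repo[/path]@ref  # optional tag comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)(?:\s*#\s*(\S+))?",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

Version = Tuple[int, int, int]


@dataclass
class Pin:
    action: str
    ref: str
    comment: Optional[str]
    kind: str               # "sha", "tag" or "floating"
    finding: Optional[str]  # None means nothing to flag


def parse_version(ref: str) -> Optional[Version]:
    """'v0.36.0' -> (0, 36, 0); 'v4' -> (4, 0, 0); non-version refs -> None."""
    m = SEMVER_RE.match(ref)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def classify(ref: str) -> str:
    """A 40-hex ref is an immutable commit; a version string is a movable tag;
    anything else (main, stable, ...) is a floating branch ref."""
    if SHA_RE.match(ref):
        return "sha"
    if parse_version(ref) is not None:
        return "tag"
    return "floating"


def in_range(v: Version, lo: str, hi: str) -> bool:
    return parse_version(lo) <= v <= parse_version(hi)


def audit(workflow_text: str,
          bad_ranges: Dict[str, Tuple[str, str]],
          sha_to_tag: Dict[str, Dict[str, str]]) -> List[Pin]:
    """Return one Pin per `uses:` line, with a finding wherever the pin needs attention."""
    pins = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        kind = classify(ref)
        finding = None
        bad = bad_ranges.get(action)
        if kind == "sha":
            resolved = sha_to_tag.get(action, {}).get(ref)
            rv = parse_version(resolved) if resolved else None
            if resolved is None:
                finding = "SHA not resolved: confirm with `git ls-remote --tags` before trusting the comment"
            elif comment and comment != resolved:
                # The trailing comment is documentation only; the SHA is what runs.
                finding = f"comment says {comment} but SHA resolves to {resolved}"
            elif bad and rv and in_range(rv, *bad):
                finding = f"{resolved} inside compromised range {bad[0]}-{bad[1]}"
        elif kind == "tag":
            if bad and in_range(parse_version(ref), *bad):
                finding = f"{ref} inside compromised range {bad[0]}-{bad[1]}"
            else:
                finding = "mutable tag: pin to a full commit SHA and keep the tag as a comment"
        else:
            finding = "floating ref: pin to a full commit SHA"
        pins.append(Pin(action, ref, comment or None, kind, finding))
    return pins


# Constructed: repeats only the range the PR description states for the trivy-action
# incident. Maintain this from your own advisory feed; it is not a verified list.
BAD_RANGES = {"aquasecurity/trivy-action": ("0.0.1", "0.34.2")}

# Constructed stand-in for `git ls-remote --tags https://github.com/<owner>/<repo>`
# output; the one entry repeats the SHA-to-tag mapping the PR claims.
SHA_TO_TAG = {
    "aquasecurity/trivy-action": {
        "ed142fd0673e97e23eac54620cfb913e5ce36c25": "v0.36.0",
    },
}

# Constructed sample workflow covering each pin style.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.34.0
      - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
      - uses: trufflesecurity/trufflehog@main
      - uses: docker/build-push-action@v6
"""

if __name__ == "__main__":
    for pin in audit(SAMPLE_WORKFLOW, BAD_RANGES, SHA_TO_TAG):
        print(f"{pin.kind:8} {pin.action}@{pin.ref[:12]:12} {pin.finding or 'ok'}")
```

Replace `SHA_TO_TAG` with the real output of `git ls-remote --tags https://github.com/aquasecurity/trivy-action` before relying on the "comment matches SHA" result; the comment after a SHA pin is only documentation, and a moved or mistyped tag can only be caught by resolving the commit. Major-only tags such as `v4` compare as `4.0.0`, so the range check is meaningful for tags like `0.34.0` but says nothing about where a floating major tag currently points.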
@github-actions
Contributor

github-actions Bot commented Jun 1, 2026

Plugin Compliance Review

Plugin plugin.json Frontmatter Body Marketplace Release Config Bash Patterns Descriptions When-to-Use Size Overall
configure-plugin ⚠️ ⚠️ ⚠️

Recommendations

  • ⚠️ configure-plugin/configure-claude-plugins: 3 shell utility Bash patterns (test, jq, mkdir) — consider consolidating into scripts/ with Bash(bash *)
  • ⚠️ configure-plugin/configure-ux-testing: SKILL.md is 281 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/claude-security-settings: SKILL.md is 349 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/configure-dockerfile: SKILL.md is 263 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/ci-workflows: SKILL.md is 379 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/openfeature: SKILL.md is 383 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/config-sync: SKILL.md is 358 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/skaffold-standards: SKILL.md is 383 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/configure-claude-plugins: SKILL.md is 389 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/readme-standards: SKILL.md is 473 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/configure-justfile: SKILL.md is 355 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/pre-commit-standards: SKILL.md is 256 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
  • ⚠️ configure-plugin/go-feature-flag: SKILL.md is 382 lines (>250) — consider extracting to REFERENCE.md or scripts/ (Anthropic ideal: 200, ceiling: 500)
