chore(deps): update github actions (major)

.github/workflows/reusable-ci-go.yml

@@ -180,7 +180,7 @@ jobs:
           fail_ci_if_error: false
       - name: Hand coverage to the SonarQube job
         if: inputs.enable-sonar && inputs.enable-coverage
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: sonar-coverage-${{ inputs.sonar-project-key || github.event.repository.name }}
           path: ${{ inputs.working-directory }}/coverage.out
@@ -192,7 +192,7 @@ jobs:
       # SF: rebase is needed — Sonar resolves them against projectBaseDir directly.
       - name: Upload coverage for repo-level scan
         if: inputs.coverage-upload-as != '' && inputs.enable-coverage
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ inputs.coverage-upload-as }}
           path: ${{ inputs.working-directory }}/coverage.out

.github/workflows/reusable-ci-node.yml

@@ -173,7 +173,7 @@ jobs:
           working-directory: ${{ inputs.working-directory }}
       - name: Hand lcov to the SonarQube job
         if: inputs.enable-sonar && inputs.enable-test
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: sonar-coverage-${{ inputs.sonar-project-key || github.event.repository.name }}
           path: ${{ inputs.working-directory }}/${{ inputs.sonar-lcov-path }}
@@ -202,7 +202,7 @@ jobs:
           ' "$LCOV" > "${{ runner.temp }}/sonarcov/${{ inputs.coverage-upload-as }}.lcov"
       - name: Upload rebased lcov
         if: inputs.coverage-upload-as != '' && inputs.enable-test
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ inputs.coverage-upload-as }}
           path: ${{ runner.temp }}/sonarcov/${{ inputs.coverage-upload-as }}.lcov

.github/workflows/reusable-ci-rust.yml

@@ -300,7 +300,7 @@ jobs:
           working-directory: ${{ inputs.working-directory }}
       - name: Hand coverage to the SonarQube job
         if: inputs.enable-sonar
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: sonar-coverage-${{ inputs.sonar-project-key || github.event.repository.name }}
           path: ${{ inputs.working-directory }}/${{ inputs.coverage-tool == 'llvm-cov' && 'lcov.info' || 'cobertura.xml' }}
@@ -328,7 +328,7 @@ jobs:
           ' lcov.info > "${{ runner.temp }}/sonarcov/${{ inputs.coverage-upload-as }}.lcov"
       - name: Upload rebased lcov
         if: inputs.coverage-upload-as != '' && inputs.coverage-tool == 'llvm-cov'
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ inputs.coverage-upload-as }}
           path: ${{ runner.temp }}/sonarcov/${{ inputs.coverage-upload-as }}.lcov

.github/workflows/reusable-sonarqube-scan.yml

@@ -57,23 +57,23 @@ jobs:
       # to projectBaseDir) and the lcov's own SF: paths both resolve correctly.
       - name: Download coverage report
         if: inputs.coverage-artifact != ''
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         continue-on-error: true
         with:
           name: ${{ inputs.coverage-artifact }}
           path: ${{ inputs.working-directory }}/.sonarcov
 
       - name: Download coverage reports (multi-component)
         if: inputs.coverage-artifact-pattern != ''
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         continue-on-error: true
         with:
           pattern: ${{ inputs.coverage-artifact-pattern }}
           merge-multiple: true
           path: ${{ inputs.working-directory }}/.sonarcov
 
       - name: SonarQube scan
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6
+        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL || 'https://sonar.ferrlabs.com' }}

workflow-templates/release.yml

@@ -26,7 +26,7 @@ jobs:
       (github.event_name == 'push' && github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'chore(release):')) ||
       github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           persist-credentials: false