Upgrade GitHub Actions to Node 24

.github/workflows/approve-override.yml

@@ -37,12 +37,12 @@ jobs:
     runs-on: ubuntu-latest
     environment: override-approval
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           sparse-checkout: scripts
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-override-approver
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/build-jvm.yml

@@ -16,7 +16,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-java@v4
         with:
@@ -29,7 +29,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: test-results
           path: "**/target/surefire-reports/*.xml"

.github/workflows/build-ts.yml

@@ -16,7 +16,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: pnpm/action-setup@v4
         with:

.github/workflows/detect.yml

@@ -41,7 +41,7 @@ jobs:
       has_cdk: ${{ steps.check.outputs.has_cdk }}
       app_name: ${{ steps.check.outputs.app_name }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Detect repo contents
         id: check

.github/workflows/docker-build.yml

@@ -38,10 +38,10 @@ jobs:
       image_uri: ${{ steps.push.outputs.image_uri }}
       image_tag: ${{ steps.tags.outputs.primary_tag }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }}
           aws-region: ${{ inputs.aws_region }}

.github/workflows/eb-deploy.yml

@@ -27,10 +27,10 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }}
           aws-region: ${{ inputs.aws_region }}

.github/workflows/ecs-deploy.yml

@@ -34,14 +34,14 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.PLATFORM_APP_ID }}
           private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }}
           owner: javaBin
 
       - name: Checkout platform scripts
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: javaBin/platform
           token: ${{ steps.app-token.outputs.token }}
@@ -50,7 +50,7 @@ jobs:
           path: .platform
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }}
           aws-region: ${{ inputs.aws_region }}

.github/workflows/expand-terraform.yml

@@ -27,20 +27,20 @@ jobs:
   expand:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.ref }}
 
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.PLATFORM_APP_ID }}
           private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }}
           owner: javaBin
 
       - name: Checkout platform scripts
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: javaBin/platform
           token: ${{ steps.app-token.outputs.token }}

.github/workflows/platform-ci.yml

@@ -47,15 +47,15 @@ jobs:
       plan_sha256: ${{ steps.upload.outputs.plan_sha256 }}
       risk_level: ${{ steps.review.outputs.risk_level }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: "1.7"
           terraform_wrapper: false
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra-plan
           aws-region: ${{ env.AWS_REGION }}
@@ -84,7 +84,7 @@ jobs:
 
       - name: Upload Lambda ZIPs as artifact
         if: steps.plan.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: lambda-zips
           path: ${{ env.TF_ROOT }}/lambdas/builds/
@@ -131,14 +131,14 @@ jobs:
       needs.plan.outputs.has_changes == 'true'
     environment: production
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      - uses: aws-actions/configure-aws-credentials@v5
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}
@@ -150,7 +150,7 @@ jobs:
         run: sh scripts/check-risk-block.sh "$RISK"
 
       - name: Download Lambda ZIPs from artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v8
         with:
           name: lambda-zips
           path: ${{ env.TF_ROOT }}/lambdas/builds/
@@ -179,14 +179,14 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'schedule'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      - uses: aws-actions/configure-aws-credentials@v5
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/tf-apply.yml

@@ -34,7 +34,7 @@ jobs:
     env:
       PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v4
         with:
@@ -43,14 +43,14 @@ jobs:
 
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.PLATFORM_APP_ID }}
           private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }}
           owner: javaBin
 
       - name: Checkout platform scripts
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: javaBin/platform
           token: ${{ steps.app-token.outputs.token }}
@@ -59,7 +59,7 @@ jobs:
 
       # Step 1: Lightweight OIDC role — can only invoke gate Lambda + read S3
       - name: Configure gate credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-apply-gate
           aws-region: ${{ inputs.aws_region }}

.github/workflows/tf-plan.yml

@@ -45,7 +45,7 @@ jobs:
     env:
       PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.ref }}
 
@@ -55,21 +55,21 @@ jobs:
           terraform_wrapper: false
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-${{ github.event.repository.name }}
           aws-region: ${{ inputs.aws_region }}
 
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.PLATFORM_APP_ID }}
           private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }}
           owner: javaBin
 
       - name: Checkout platform scripts
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: javaBin/platform
           token: ${{ steps.app-token.outputs.token }}