stranske · stranske · Jan 1, 2026 · Jan 1, 2026
@@ -39,15 +39,15 @@ jobs:
       security_reason: ${{ steps.security_gate.outputs.reason }}
     steps:
       - name: Checkout (for security gate)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           sparse-checkout: |
             .github/scripts/prompt_injection_guard.js
           sparse-checkout-cone-mode: false
 
       - name: Security gate - prompt injection guard
         id: security_gate
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -102,7 +102,7 @@ jobs:
 
       - name: Evaluate workflow_run
         id: evaluate
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const run = context.payload.workflow_run;
@@ -318,7 +318,7 @@ jobs:
     environment: agent-standard
     steps:
       - name: Add needs-human label and comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const prNumber = Number('${{ needs.prepare.outputs.pr_number }}');
@@ -372,7 +372,7 @@ jobs:
     steps:
       - name: Collect metrics
         id: collect
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

@@ -61,7 +61,7 @@ jobs:
     steps:
       - name: Resolve PR number and check conditions
         id: resolve
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;
@@ -162,7 +162,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Remove trigger label
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             try {

@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Checkout base ref for safety validation
         if: github.event_name == 'pull_request_target'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.base.sha }}
           sparse-checkout: |
@@ -42,7 +42,7 @@ jobs:
 
       - name: Verify pull_request_target safety invariants
         if: github.event_name == 'pull_request_target'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const path = require('path');
@@ -58,15 +58,15 @@ jobs:
 
       - name: Checkout PR head for pull_request event
         if: github.event_name == 'pull_request'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           sparse-checkout: |
             .github/scripts/agents-guard.js
             .github/workflows/agents-guard.yml
 
       - name: Evaluate protected file changes
         id: evaluate
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const fs = require('fs');
@@ -281,7 +281,7 @@ jobs:
 
       - name: Post guard failure comment
         if: steps.evaluate.outputs.blocked == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           COMMENT_BODY_B64: ${{ steps.evaluate.outputs.comment_body_b64 }}
           COMMENT_MARKER: ${{ steps.evaluate.outputs.marker }}
@@ -399,7 +399,7 @@ jobs:
 
       - name: Report agents guard commit status
         if: always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           BLOCKED: ${{ steps.evaluate.outputs.blocked || 'false' }}
           SUMMARY: ${{ steps.evaluate.outputs.summary }}

@@ -65,7 +65,7 @@ jobs:
     steps:
       - name: Check labels and extract info
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;

@@ -72,12 +72,12 @@ jobs:
     steps:
       # Dual checkout pattern: consumer repo for context, Workflows repo for scripts
       - name: Checkout consumer repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           path: consumer
 
       - name: Checkout Workflows scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: stranske/Workflows
           ref: main
@@ -97,7 +97,7 @@ jobs:
 
       - name: Security gate - prompt injection guard
         id: security_gate
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
         with:
@@ -180,7 +180,7 @@ jobs:
       - name: Evaluate keepalive conditions
         id: evaluate
         if: steps.security_gate.outputs.blocked != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
         with:
@@ -282,7 +282,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Workflows scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: stranske/Workflows
           ref: main
@@ -292,7 +292,7 @@ jobs:
           fetch-depth: 1
 
       - name: Update summary with running status
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -342,7 +342,7 @@ jobs:
     environment: agent-standard
     steps:
       - name: Checkout Workflows scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: stranske/Workflows
           ref: main
@@ -428,7 +428,7 @@ jobs:
 
       - name: Auto-reconcile task checkboxes
         if: needs.run-codex.outputs.changes-made == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -461,7 +461,7 @@ jobs:
             core.setOutput('reconciliation_details', result.details);
 
       - name: Update summary comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           CODEX_SUMMARY: ${{ needs.run-codex.outputs.final-message-summary || '' }}
         with:

@@ -106,7 +106,7 @@ jobs:
     steps:
       - name: Resolve PR from workflow_run
         id: resolve
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const run = context.payload.workflow_run;

@@ -35,11 +35,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Locate latest Gate workflow run
         id: discover
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |