GrayCodeAI · Patel230 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,6 +33,7 @@
 
 env:
   GO_VERSION: "1.26.4"
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
   # -------------------------------------------------------------------------
@@ -42,8 +43,8 @@
     name: fmt + vet
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -66,12 +67,12 @@
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
-      - uses: golangci/golangci-lint-action@v7
+      - uses: golangci/golangci-lint-action@v9.2.1
         with:
           version: v2.11.3
           install-mode: goinstall
@@ -85,8 +86,8 @@
     name: test (race + cover)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -112,7 +113,7 @@
           fi
           echo "Coverage ${COVERAGE}% meets threshold ${THRESHOLD}%"
       - name: Upload coverage
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: coverage
           path: coverage.out
@@ -124,8 +125,8 @@
     name: security
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -134,10 +135,11 @@
           go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
           govulncheck ./...
       - name: gosec (advisory)
-        continue-on-error: true
         run: |
           go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
-          gosec -exclude=G104,G301,G302,G304,G306 ./...
+          if ! gosec -exclude=G104,G301,G302,G304,G306 ./...; then
+            echo "gosec reported advisory findings"
+          fi
 
   # -------------------------------------------------------------------------
   # Dead code detection.
@@ -146,8 +148,8 @@
     name: deadcode
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -159,10 +161,10 @@
         # output in the logs instead.
         run: |
           go install golang.org/x/tools/cmd/deadcode@latest
-          deadcode -test ./... 2>&1 | tee deadcode.txt
-          echo "deadcode reported $(grep -c 'unreachable func' deadcode.txt || echo 0) unreachable funcs (advisory)"
+          deadcode -test -f '{{range .Funcs}}{{printf "%s\t%s\n" $.Path .Name}}{{end}}' ./... | tee deadcode.txt
+          echo "deadcode reported $(wc -l < deadcode.txt | tr -d ' ') unreachable funcs (advisory)"
       - name: upload deadcode report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7.0.1
         if: always()
         with:
           name: deadcode-report
@@ -176,8 +178,8 @@
     name: duplication
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-node@v6.4.0
         with:
           node-version: '20'
       - name: jscpd
@@ -202,8 +204,8 @@
           - goos: windows
             goarch: arm64
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6.0.3
+      - uses: actions/setup-go@v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true