chore: bump GHA workflow versions #368

Merged
Strum355 merged 2 commits into guacsec:main from Strum355:nsc/gha-dependency-bumps
Feb 5, 2026

Conversation

@Strum355 (Member) commented Feb 3, 2026

User description

Description

Closes #365, #364, #363, #356, #348, #346, #345 and #344

This pins the Syft version in CI to v1.41.1 to help stabilize CI when versions change. We should do something similar for skopeo :|

Checklist

  • I have followed this repository's contributing guidelines.
  • I will adhere to the project's code of conduct.

PR Type

Enhancement


Description

  • Bump GitHub Actions workflow dependencies to latest versions

  • Update actions/setup-node from v5 to v6 across all workflows

  • Update actions/download-artifact to v7 and actions/upload-artifact to v6

  • Upgrade gradle/actions/setup-gradle from v4 to v5

  • Bump npm dependencies: node-fetch to v3.3.2 and yargs to v18.0.0

  • Update eslint dev dependency to v9.39.2

  • Upgrade jaxxstorm/action-install-gh-release to v2.1.0


Diagram Walkthrough

flowchart LR
  GHA["GitHub Actions<br/>Workflows"]
  NPM["npm<br/>Dependencies"]
  GHA -->|"setup-node v5→v6"| Updated1["Updated<br/>Workflows"]
  GHA -->|"artifact actions v5/4→v6/7"| Updated1
  GHA -->|"gradle/setup v4→v5"| Updated1
  GHA -->|"install-gh-release v1→v2"| Updated1
  NPM -->|"node-fetch, yargs,<br/>eslint bumped"| Updated2["Updated<br/>Dependencies"]

File Walkthrough

Relevant files: Dependencies

.github/workflows/pr-validation.yml (+1/-1): Bump setup-node action to v6
  • Updated actions/setup-node from v5 to v6

.github/workflows/publish.yml (+3/-3): Bump setup-node and download-artifact actions
  • Updated actions/setup-node from v5 to v6 in publish-ea job
  • Updated actions/setup-node from v5 to v6 in publish-release job
  • Updated actions/download-artifact from v5 to v7

.github/workflows/release.yml (+2/-2): Bump setup-node and upload-artifact actions
  • Updated actions/setup-node from v5 to v6
  • Updated actions/upload-artifact from v5 to v6

.github/workflows/test.yml (+4/-4): Bump multiple GitHub Actions to latest versions
  • Updated actions/setup-node from v5 to v6
  • Updated gradle/actions/setup-gradle from v4 to v5
  • Updated jaxxstorm/action-install-gh-release from v1.10.0 to v2.1.0
  • Updated actions/upload-artifact from v4 to v6

package.json (+3/-3): Upgrade npm dependencies to latest versions
  • Bumped node-fetch from v2.7.0 to v3.3.2
  • Bumped yargs from v17.7.2 to v18.0.0
  • Bumped eslint from v8.42.0 to v9.39.2

@qodo-code-review (bot) commented Feb 3, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Actions supply chain

Description: GitHub Actions are referenced by mutable version tags (e.g., actions/setup-node@v6,
gradle/actions/setup-gradle@v5, jaxxstorm/action-install-gh-release@v2.1.0,
actions/upload-artifact@v6) instead of being pinned to an immutable commit SHA, leaving
the workflows potentially exposed to upstream tag retargeting/supply-chain compromise
(similar non-SHA uses: updates also occur in .github/workflows/pr-validation.yml,
.github/workflows/publish.yml, and .github/workflows/release.yml).
test.yml [31-100]

Referred Code
  uses: actions/setup-node@v6
  with:
    node-version: ${{ matrix.node }}
    cache: npm

- name: Enable Corepack
  run: corepack enable

- name: Prepare Yarn
  run: corepack prepare yarn@4.9.1 --activate

- name: Prepare PNPM
  run: corepack prepare pnpm@latest --activate

- name: Setup Java 17
  uses: actions/setup-java@v5
  with:
    distribution: temurin
    java-version: 17
    cache: maven



 ... (clipped 49 lines)
Ticket Compliance
🎫 No ticket provided

Codebase Duplication Compliance
Codebase context is not defined

Custom Compliance 🟢

Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.
Status: Passed
Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting
Status: Passed

Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation
Status: Passed

Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.
Status: Passed

Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.
Status: Passed

Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities
Status: Passed

Compliance status legend: 🟢 - Fully Compliant · 🟡 - Partially Compliant · 🔴 - Not Compliant · ⚪ - Requires Further Human Verification · 🏷️ - Compliance label
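The "Actions supply chain" finding above is the one a reviewer would act on: a `uses:` reference such as `actions/setup-node@v6` follows whatever commit the upstream tag points at today, so retargeting the tag (or compromising the upstream repository) changes what runs in CI without any change in this repository. The scanner below is an added example written for this review, not code from the guacsec project or from the bot: it classifies every `uses:` line in a workflow, reports the ones that are not pinned to a full 40-hex commit SHA, and rewrites them from a tag-to-SHA map while keeping the version as a trailing comment. The workflow text, the map and every SHA in it are constructed placeholders, not real upstream commits; in practice the map is filled from `git ls-remote` or the GitHub API against each tag.

```javascript
// Added example for this review, not code from the guacsec project: find the
// `uses:` references in a GitHub Actions workflow that follow a mutable tag or
// branch instead of a full commit SHA, and rewrite them from a tag->SHA map.
// The workflow text, the map and every SHA in it are constructed placeholders,
// not real upstream commits.

const FULL_SHA = /^[0-9a-f]{40}$/;
// prefix, optional quote, the reference, the matching quote, anything after it
const USES_LINE = /^(\s*-?\s*uses:\s*)(['"]?)([^'"\s#]+)\2(.*)$/;

// Constructed sample: three mutable tags, one SHA pin with its version comment,
// a local action and a container action.
const SAMPLE_WORKFLOW = `
name: test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 22
      - uses: gradle/actions/setup-gradle@v5
      - uses: actions/setup-java@5e6a2a3a4c9d2f1b8e7d6c5b4a3f2e1d0c9b8a7f # v5
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
`;

// Placeholder SHAs keyed by repository and version; a sub-path action such as
// gradle/actions/setup-gradle resolves against its repository's commit.
const PIN_MAP = {
  'actions/checkout@v5': '0123456789abcdef0123456789abcdef01234567',
  'gradle/actions@v5': 'fedcba9876543210fedcba9876543210fedcba98',
};

// Local (./...) and docker:// references cannot be SHA-pinned, so they are
// reported but never flagged; a remote ref with no @version at all is invalid.
function classifyRef(ref) {
  if (ref.startsWith('./') || ref.startsWith('../')) return { ref, kind: 'local' };
  if (ref.startsWith('docker://')) return { ref, kind: 'docker' };
  const at = ref.lastIndexOf('@');
  if (at === -1) return { ref, kind: 'invalid' };
  const [owner, repo, ...rest] = ref.slice(0, at).split('/');
  const version = ref.slice(at + 1);
  const kind = FULL_SHA.test(version) ? 'sha' : 'mutable';
  return { ref, owner, repo, subpath: rest.join('/'), version, kind };
}

function parseUses(workflowText) {
  const entries = [];
  workflowText.split('\n').forEach((raw, i) => {
    const m = raw.match(USES_LINE);
    if (m) entries.push({ line: i + 1, ...classifyRef(m[3]) });
  });
  return entries;
}

// What a reviewer wants to see: remote actions not pinned to a commit.
function findUnpinned(workflowText) {
  return parseUses(workflowText).filter(e => e.kind === 'mutable' || e.kind === 'invalid');
}

// Rewrite mutable refs with the SHA from pinMap. The version survives as a
// trailing comment (replacing any comment already on the line) so readers and
// Dependabot can still tell which release the SHA corresponds to.
function pinWorkflow(workflowText, pinMap) {
  const unresolved = [];
  const lines = workflowText.split('\n').map((raw, i) => {
    const m = raw.match(USES_LINE);
    if (!m) return raw;
    const e = classifyRef(m[3]);
    if (e.kind !== 'mutable') return raw;
    const sha = pinMap[`${e.owner}/${e.repo}@${e.version}`];
    if (!sha || !FULL_SHA.test(sha)) {
      unresolved.push({ line: i + 1, ref: e.ref });
      return raw;
    }
    const path = [e.owner, e.repo, e.subpath].filter(Boolean).join('/');
    return `${m[1]}${m[2]}${path}@${sha}${m[2]} # ${e.version}`;
  });
  return { text: lines.join('\n'), unresolved };
}

const result = pinWorkflow(SAMPLE_WORKFLOW, PIN_MAP);
console.log(findUnpinned(SAMPLE_WORKFLOW).map(e => `line ${e.line}: ${e.ref}`));
console.log(result.text);
console.log('unresolved:', result.unresolved);
```

`findUnpinned` is the pre-merge gate (fail the check when it returns anything); `pinWorkflow` is run once to convert a file, leaving refs it cannot resolve untouched and listed in `unresolved` rather than guessing. After conversion, Dependabot's normal bumps update both the SHA and the version comment together.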

@qodo-code-review (bot) commented Feb 3, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Correct download-artifact input name

In the actions/download-artifact step, rename the run-id input to run_id to
align with breaking changes in v7.

.github/workflows/publish.yml [82]
-run-id: ${{ github.event.workflow_run.id }}
+run_id: ${{ github.event.workflow_run.id }}
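Review bot: The rename of `run-id` to `run_id` is asserted but not evidenced: nothing in this hunk, or elsewhere in the PR's diff, shows that actions/download-artifact@v7 changed the input name, and the hyphenated `run-id` is the spelling the workflow already used with v5. Before applying, compare the `with:` keys on line 82 with the `inputs:` block of the action.yml at the v7 tag (better, at the commit the workflow should be pinned to); if `run-id` is still declared there, this change would swap a valid input for an unknown one, which GitHub only warns about, leaving `run-id` at its default (the current run) so the publish job would look for the artifact in the wrong workflow run instead of failing fast.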
Suggestion importance [1-10]: 10

Why: This suggestion correctly identifies a critical breaking change in actions/download-artifact@v7 where the run-id input was renamed to run_id, preventing a workflow failure.

Impact: High
Category: High-level
Suggestion: Address breaking changes from dependency upgrades

The PR upgrades node-fetch and yargs to major versions that are ESM-only, which
will break the current CommonJS project. The suggestion is to either revert
these dependency upgrades or refactor the project to support ESM.

Examples:

package.json [53-55]
		"node-fetch": "^3.3.2",
		"packageurl-js": "~1.0.2",
		"yargs": "^18.0.0"

Solution Walkthrough:

Before:

// package.json
{
  "dependencies": {
    ...
    "node-fetch": "^3.3.2",
    "yargs": "^18.0.0"
    ...
  },
  ...
}

After:

// package.json
{
  "dependencies": {
    ...
    "node-fetch": "^2.7.0", // Reverted to CJS-compatible version
    "yargs": "^17.7.2" // Reverted to previous version
    ...
  },
  ...
}
Suggestion importance [1-10]: 9

Why: This suggestion correctly identifies a critical breaking change in the node-fetch dependency upgrade to an ESM-only version, which will break the application in a CommonJS project.

Impact: High
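Whether or not the bot's `run-id` claim holds, a suggestion of the form "this input was renamed" is cheap to verify mechanically: an action's accepted inputs are the keys under `inputs:` in its action.yml, and any `with:` key a step passes that is not in that list is wrong at the version being used. The check below is an added example for this review, not code from the guacsec project or from the bot. Both YAML fragments are constructed for the example; the action.yml only resembles actions/download-artifact's input list and is not a claim about what v7 declares, so the real file at the tag or SHA the workflow references must be substituted before trusting a result. It also reports the closest declared name (same letters, ignoring `-`/`_` and case), which is exactly the hint needed when a hyphen-versus-underscore rename is in question.

```javascript
// Added example for this review, not guacsec project code: check that every key
// a workflow step passes under `with:` is an input the action declares in its
// action.yml. Both fragments are constructed; the inputs list only resembles
// actions/download-artifact and must be replaced by the real action.yml at the
// ref (tag or SHA) the workflow uses before drawing any conclusion.

const SAMPLE_ACTION_YML = `
name: 'Download a Build Artifact'
inputs:
  name:
    description: 'Name of the artifact to download.'
  path:
    description: 'Destination path.'
  github-token:
    description: 'Token used to download from another run.'
  repository:
    default: \${{ github.repository }}
  run-id:
    default: \${{ github.run_id }}
outputs:
  download-path:
    description: 'Path where artifacts were downloaded.'
runs:
  using: 'node20'
  main: 'dist/index.js'
`;

// Constructed steps: the first passes run_id (underscore), the second has no
// action.yml in the map and is therefore skipped rather than guessed about.
const SAMPLE_STEPS = `
      - name: Download build artifact
        uses: actions/download-artifact@v7
        with:
          name: dist
          path: dist
          run_id: \${{ github.event.workflow_run.id }}
          github-token: \${{ secrets.GITHUB_TOKEN }}
      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 22
`;

const indentOf = (l) => l.match(/^ */)[0].length;
const KEY = /^ *([A-Za-z0-9_.-]+):/;

// Input names declared under the top-level `inputs:` block of an action.yml
// (direct children only; description/default lines sit one level deeper).
function declaredInputs(actionYml) {
  const lines = actionYml.split('\n');
  const start = lines.findIndex(l => /^inputs:\s*$/.test(l));
  if (start === -1) return [];
  const keys = [];
  let childIndent = null;
  for (const l of lines.slice(start + 1)) {
    if (!l.trim() || l.trim().startsWith('#')) continue;
    const indent = indentOf(l);
    if (indent === 0) break;                         // next top-level key
    if (childIndent === null) childIndent = indent;
    const m = indent === childIndent && l.match(KEY);
    if (m) keys.push(m[1]);
  }
  return keys;
}

// Each step's `uses:` ref with the keys it passes under `with:`. Assumes the
// usual layout in which `with:` follows `uses:` inside the same list item.
function stepsWithInputs(workflowYml) {
  const steps = [];
  let step = null, withIndent = null, keyIndent = null;
  for (const l of workflowYml.split('\n')) {
    if (!l.trim()) continue;
    const indent = indentOf(l);
    if (/^\s*-\s/.test(l)) { step = null; withIndent = null; }   // new list item
    const uses = l.match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/);
    if (uses) { step = { uses: uses[1], with: [] }; steps.push(step); continue; }
    if (step && withIndent === null && /^\s*with:\s*$/.test(l)) {
      withIndent = indent; keyIndent = null; continue;
    }
    if (step && withIndent !== null) {
      if (indent <= withIndent) { withIndent = null; continue; }
      if (keyIndent === null) keyIndent = indent;
      const m = indent === keyIndent && l.match(KEY);
      if (m) step.with.push(m[1]);
    }
  }
  return steps;
}

// Keys a step passes that its action does not declare, with the closest
// declared name (same letters, ignoring '-' vs '_' and case) as a hint.
function undeclaredInputs(workflowYml, actionYmlByRef) {
  const norm = (s) => s.toLowerCase().replace(/[-_]/g, '');
  const findings = [];
  for (const step of stepsWithInputs(workflowYml)) {
    const actionYml = actionYmlByRef[step.uses];
    if (!actionYml) continue;                        // nothing to check against
    const declared = declaredInputs(actionYml);
    for (const key of step.with) {
      if (declared.includes(key)) continue;
      const hint = declared.find(d => norm(d) === norm(key)) || null;
      findings.push({ uses: step.uses, key, hint });
    }
  }
  return findings;
}

console.log(undeclaredInputs(SAMPLE_STEPS, { 'actions/download-artifact@v7': SAMPLE_ACTION_YML }));
```

Run against the constructed fragments it reports `run_id` as undeclared with `run-id` as the hint, which is the opposite of what the suggestion proposes; run against the real action.yml at the pinned commit it settles the question either way, and the same function doubles as a CI check that fails on any unknown `with:` key after an action bump.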

Strum355 force-pushed the nsc/gha-dependency-bumps branch 4 times, most recently from 1b9c95f to 630290f on February 4, 2026 15:39
Strum355 force-pushed the nsc/gha-dependency-bumps branch from 630290f to b71cc8b on February 4, 2026 15:42
Strum355 merged commit c555cdf into guacsec:main on Feb 5, 2026
6 checks passed