ci: Update all GitHub Actions to latest versions and enable Dependabot (#3782)

This updates all GitHub Actions to the latest versions, fixes breaking
changes where applicable, and enables Dependabot for GitHub Actions.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Updates CI to latest GitHub Actions, replaces local security scan with
reusable workflow, and enables Dependabot for GitHub Actions.
> 
> - **CI workflows (`.github/workflows/*`)**:
> - Bump actions: `MetaMask/action-checkout-and-setup` → `v2`,
`actions/checkout` → `v6`, `actions/upload-artifact` → `v6`,
`actions/download-artifact` → `v7`.
> - Adjust steps to use updated actions across build, lint, test, E2E,
platform-compat, publish, and PR update jobs; minor job/name tweaks and
secret wiring (e.g., Codecov, PR update token).
> - **Security scanning**:
> - Replace local `security-code-scanner.yml` with reusable
`MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2`
and add `paths-ignored`, permissions, and secrets.
> - **Dependabot**:
> - Enable updates for `github-actions` with allowlist for `MetaMask/*`
and `actions/*` in `.github/dependabot.yml` (in addition to existing
`npm`).
> - **Release/Publish workflows**:
> - Apply action version bumps and artifact step updates in
`publish-release.yml`, `publish-environment.yml`,
`publish-github-pages.yml`, and `publish-preview.yml` without changing
build/publish logic.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
53edfd1. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Frederik Bolding <[email protected]>

Author: Mrtenz

.github/dependabot.yml

@@ -16,3 +16,14 @@ updates:
     target-branch: 'main'
     versioning-strategy: 'increase'
     open-pull-requests-limit: 10
+
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+      time: '06:00'
+    allow:
+      - dependency-name: 'MetaMask/*'
+      - dependency-name: 'actions/*'
+    target-branch: 'main'
+    open-pull-requests-limit: 10

.github/workflows/build-lint-test.yml

@@ -20,7 +20,7 @@ jobs:
         node-version: [20.x, 22.x]
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
           node-version: ${{ matrix.node-version }}
@@ -29,7 +29,7 @@ jobs:
         run: yarn workspace @metamask/snaps-execution-environments run build:lavamoat:test
       - name: Save "@metamask/snaps-execution-environments" build
         id: cache-snaps-execution-environments-build
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }}
           retention-days: 1
@@ -52,13 +52,13 @@ jobs:
     needs: prepare
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
       - name: Build
         run: yarn build:ci
       - name: Save build files
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-source-${{ runner.os }}-${{ github.sha }}
           retention-days: 1
@@ -79,7 +79,7 @@ jobs:
     needs: prepare
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
       - name: Build
@@ -98,11 +98,11 @@ jobs:
     needs: build
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
       - name: Restore build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: build-source-${{ runner.os }}-${{ github.sha }}
       - name: Generate LavaMoat policy
@@ -121,7 +121,7 @@ jobs:
     needs: prepare
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
       - name: Lint
@@ -149,16 +149,16 @@ jobs:
         package-name: ${{ fromJson(needs.prepare.outputs.test-workspace-package-names) }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
           node-version: ${{ matrix.node-version }}
       - name: Restore "@metamask/snaps-execution-environments" build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }}
       - name: Restore build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: build-source-${{ runner.os }}-${{ github.sha }}
       - name: Install browsers
@@ -183,7 +183,7 @@ jobs:
         shell: bash
       - name: Upload coverage artifact
         if: ${{ matrix.node-version == '22.x' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-${{ steps.get-coverage-folder.outputs.artifact-name }}
           path: |
@@ -204,9 +204,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: test
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Download coverage artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           pattern: coverage-*
           merge-multiple: true
@@ -229,16 +229,16 @@ jobs:
         package-name: ${{ fromJson(needs.prepare.outputs.e2e-workspace-package-names) }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
           node-version: ${{ matrix.node-version }}
       - name: Restore "@metamask/snaps-execution-environments" build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }}
       - name: Restore build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: build-source-${{ runner.os }}-${{ github.sha }}
       - name: Build snap
@@ -264,7 +264,7 @@ jobs:
         os: [macOS-latest, windows-latest]
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: false
           platform-specific-caching: true

.github/workflows/main.yml

@@ -16,7 +16,8 @@ jobs:
     name: Check workflows
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v6
       - name: Download actionlint
         id: download-actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.7.7
@@ -26,16 +27,40 @@ jobs:
         shell: bash
 
   analyse-code:
-    name: Code scanner
+    name: Analyse code
     needs: check-workflows
-    uses: ./.github/workflows/security-code-scanner.yml
+    uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
+    with:
+      scanner-ref: v2
+      paths-ignored: |
+        .storybook/
+        **/__snapshots__/
+        **/*.snap
+        **/*.stories.js
+        **/*.stories.tsx
+        **/*.test.browser.ts*
+        **/*.test.js*
+        **/*.test.ts*
+        **/fixtures/
+        **/__fixtures__/
+        **/jest.config.js
+        **/jest.environment.js
+        **/mocks/
+        **/__mocks__/
+        **/test*/
+        docs/
+        e2e/
+        merged-packages/
+        node_modules/
+        storybook/
+        test*/
+    secrets:
+      project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+      slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
     permissions:
       actions: read
       contents: read
       security-events: write
-    secrets:
-      SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
-      APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
 
   update-pull-request:
     name: Update pull request

.github/workflows/publish-environment.yml

@@ -20,7 +20,7 @@ jobs:
         if: ${{ inputs.destination_dir == '' }}
         run: exit 1
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
       - name: Build dependencies

.github/workflows/publish-github-pages.yml

@@ -34,7 +34,7 @@ jobs:
         if: ${{ inputs.publish_dir == '' }}
         run: exit 1
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
       - name: Run build script

.github/workflows/publish-preview.yml

@@ -12,7 +12,7 @@ jobs:
     outputs:
       IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Determine whether this PR is from a fork
         id: is-fork
         run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
@@ -29,14 +29,14 @@ jobs:
     if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Checkout pull request
         run: gh pr checkout "${PR_NUMBER}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.issue.number }}
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
       - name: Get commit SHA

.github/workflows/publish-release.yml

@@ -34,7 +34,7 @@ jobs:
       tag: ${{ steps.get-release-tag.outputs.tag }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
@@ -69,7 +69,7 @@ jobs:
       - name: Build test-snaps
         run: yarn workspace @metamask/test-snaps build
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: publish-release-artifacts-${{ github.sha }}
           include-hidden-files: true
@@ -84,12 +84,12 @@ jobs:
     needs: publish-release
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
       - name: Restore build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: publish-release-artifacts-${{ github.sha }}
       - name: Dry run publish to NPM
@@ -108,12 +108,12 @@ jobs:
       - get-release-tag
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
       - name: Restore build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: publish-release-artifacts-${{ github.sha }}
       - name: Publish ${{ needs.get-release-tag.outputs.tag }} to NPM
@@ -130,7 +130,7 @@ jobs:
       IS_ENVIRONMENT_RELEASE: ${{ steps.is-environment-release.outputs.IS_ENVIRONMENT_RELEASE }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
@@ -152,7 +152,7 @@ jobs:
       version: ${{ steps.version.outputs.VERSION }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}
@@ -219,7 +219,7 @@ jobs:
       TEST_SNAPS_VERSION: ${{ steps.set-output.outputs.TEST_SNAPS_VERSION }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v1
+        uses: MetaMask/action-checkout-and-setup@v2
         with:
           is-high-risk-environment: true
           ref: ${{ github.sha }}