ci: update some actions to the latest version

.github/workflows/changeset-reporter.yml

@@ -25,7 +25,8 @@ jobs:
           persist-credentials: false
 
       - name: Download results
-        uses: dawidd6/action-download-artifact@bd10f381a96414ce2b13a11bfa89902ba7cea07f # ratchet:dawidd6/[email protected]
+        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v11
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # ratchet:dawidd6/action-download-artifact@v11
         with:
           workflow: pr-check-changeset.yml
           run_id: ${{ github.event.workflow_run.id }}
@@ -37,17 +38,17 @@ jobs:
 
       - name: Required but missing
         if: fromJson(steps.changeset.outputs.CHANGESET).required == true && fromJson(steps.changeset.outputs.CHANGESET).changesetFound == false
-        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.0
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # ratchet:marocchino/sticky-pull-request-comment@v2.9.0
+        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.4
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # ratchet:marocchino/sticky-pull-request-comment@v2
         with:
           header: changeset
           number: ${{ fromJson(steps.changeset.outputs.CHANGESET).pr }}
           path: ${{ github.workspace }}/.github/workflows/data/changeset-missing.md
 
       - name: Required and present
         if: fromJson(steps.changeset.outputs.CHANGESET).required == true && fromJson(steps.changeset.outputs.CHANGESET).changesetFound == true
-        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.0
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # ratchet:marocchino/sticky-pull-request-comment@v2.9.0
+        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.4
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # ratchet:marocchino/sticky-pull-request-comment@v2
         with:
           header: changeset
           number: ${{ fromJson(steps.changeset.outputs.CHANGESET).pr }}
@@ -57,8 +58,8 @@ jobs:
 
       - name: Changeset not required
         if: fromJson(steps.changeset.outputs.CHANGESET).required == false && fromJson(steps.changeset.outputs.CHANGESET).changesetFound == true
-        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.0
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # ratchet:marocchino/sticky-pull-request-comment@v2.9.0
+        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.4
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # ratchet:marocchino/sticky-pull-request-comment@v2
         with:
           header: changeset
           number: ${{ fromJson(steps.changeset.outputs.CHANGESET).pr }}

.github/workflows/linkcheck-reporter.yml

@@ -7,16 +7,17 @@ on:
 
 permissions:
   contents: read
-  actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+  actions: read # for dawidd6/action-download-artifact to query and download artifacts
 
 jobs:
   load_report:
     permissions:
-      pull-requests: write  # for marocchino/sticky-pull-request-comment to create or update PR comment
+      pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment
     runs-on: ubuntu-latest
     steps:
       - name: Download results
-        uses: dawidd6/action-download-artifact@bd10f381a96414ce2b13a11bfa89902ba7cea07f # ratchet:dawidd6/[email protected]
+        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v11
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # ratchet:dawidd6/action-download-artifact@v11
         with:
           workflow: website-validation.yml
           # workflow_conclusion: completed
@@ -28,8 +29,8 @@ jobs:
         run: echo "pr=$(cat pr)" >> $GITHUB_OUTPUT
         working-directory: ./results
       - name: Post report in comment
-        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.0
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # ratchet:marocchino/sticky-pull-request-comment@v2.9.0
+        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.4
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # ratchet:marocchino/sticky-pull-request-comment@v2
         with:
           header: linkreport
           recreate: true

.github/workflows/pr-changeset-review.yml

@@ -29,7 +29,9 @@ jobs:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           persist-credentials: false
-      - uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # ratchet:errata-ai/[email protected]
+
+      # release notes: https://github.com/errata-ai/vale-action/releases/tag/v2.1.1
+      - uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # ratchet:errata-ai/vale-action@v2
         with:
           files: .changeset
           vale_flags: "--glob=*-*-*.md"

.github/workflows/pr-check-changeset.yml

@@ -72,8 +72,8 @@ jobs:
           echo $(jq -c '. += {required: false}' changeset-metadata.json) > changeset-metadata.json
 
       - name: Upload changeset metadata
-        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.3
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
         with:
           name: changeset-metadata
           path: ./changeset-metadata.json
@@ -98,8 +98,8 @@ jobs:
           echo $(jq -c '. += { pr: "${{ github.event.number }}" }' changeset-metadata.json) > changeset-metadata.json
 
       - name: Upload changeset metadata
-        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.3
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
         with:
           name: changeset-metadata
           path: ./changeset-metadata.json

.github/workflows/pr-labeler.yml

@@ -5,12 +5,12 @@ on:
     branches: [main, next, release/**/*]
 
 permissions:
-  contents: read  # for actions/labeler to determine modified files
+  contents: read # for actions/labeler to determine modified files
 
 jobs:
   areas_label:
     permissions:
-      pull-requests: write  # for actions/labeler to add labels to PRs
+      pull-requests: write # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     name: Label areas
     # Skip labeling main-next merge PRs. The area labels are noisy and distracting for main-next PRs because they can
@@ -20,7 +20,8 @@ jobs:
     # This is implemented by comparing the PR title because at creation time, the PR has no labels (and the GItHub API
     # does not have a way to set labels at creation either), so skipping based on labels does not work.
     steps:
-      - uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4 # ratchet:actions/[email protected]
+      # release notes: https://github.com/actions/labeler/releases/tag/v6.0.1
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # ratchet:actions/labeler@v6
         if: "github.event.pull_request.title != 'Automation: main-next integrate'"
         with:
           configuration-path: ".github/labeler-areas.yml"
@@ -30,21 +31,23 @@ jobs:
   # this CI job calls the labeler action wuth sync-labels=false, so the label won't be removed automatically.
   changesets_label:
     permissions:
-      pull-requests: write  # for actions/labeler to add labels to PRs
+      pull-requests: write # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     name: Label changeset-required
     steps:
-      - uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4 # ratchet:actions/[email protected]
+      # release notes: https://github.com/actions/labeler/releases/tag/v6.0.1
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # ratchet:actions/labeler@v6
         with:
           configuration-path: ".github/labeler-changesets.yml"
           repo-token: "${{ github.token }}"
           sync-labels: false # The changeset-required label is often added manually, so don't remove it.
   branches_label:
     permissions:
-      pull-requests: write  # for actions/labeler to add labels to PRs
+      pull-requests: write # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     name: Label base branches and external contributors
     steps:
-      - uses: srvaroa/labeler@9c29ad1ef33d169f9ef33c52722faf47a566bcf3 # ratchet:srvaroa/labeler@v1
+      # release notes: https://github.com/srvaroa/labeler/releases/tag/v1.13.0
+      - uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # ratchet:srvaroa/labeler@v1
         env:
           GITHUB_TOKEN: "${{ github.token }}"

.github/workflows/pr-release-branch-warning.yml

@@ -18,7 +18,7 @@ permissions:
 jobs:
   warning:
     permissions:
-      pull-requests: write  # for marocchino/sticky-pull-request-comment to create or update PR comment
+      pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
@@ -27,8 +27,8 @@ jobs:
           submodules: false
 
       - name: Post warning in comment
-        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.0
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # ratchet:marocchino/sticky-pull-request-comment@v2.9.0
+        # release notes: https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.9.4
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # ratchet:marocchino/sticky-pull-request-comment@v2
         with:
           header: release-warning
           path: ${{ github.workspace }}/.github/workflows/data/release-branch-warning.md

.github/workflows/pr-validation.yml

@@ -22,7 +22,9 @@ jobs:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           persist-credentials: false
-      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # ratchet:mszostok/[email protected]
+
+      # release notes: https://github.com/mszostok/codeowners-validator/releases/tag/v0.7.4
+      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # ratchet:mszostok/codeowners-validator@v0
         with:
           github_access_token: "${{ secrets.GITHUB_TOKEN }}"
           checks: "files,duppatterns,syntax"
@@ -34,7 +36,8 @@ jobs:
     name: PR template placeholder content
     runs-on: ubuntu-latest
     steps:
-      - uses: sitezen/pr-comment-checker@f1e956fac00c6d1163d15841886ae80b7ae58ecb # ratchet:sitezen/[email protected]
+      # release notes: https://github.com/sitezen/pr-comment-checker/releases/tag/v1.0.1
+      - uses: sitezen/pr-comment-checker@f1e956fac00c6d1163d15841886ae80b7ae58ecb # ratchet:sitezen/pr-comment-checker@v1
         with:
           pr_description_should_not_contain: |
             Feel free to remove or alter parts of this template that do not offer value for your specific change

.github/workflows/push-tag-create-release.yml

@@ -26,7 +26,7 @@ permissions:
 jobs:
   create-release:
     permissions:
-      contents: write  # for ncipollo/release-action to create a release
+      contents: write # for ncipollo/release-action to create a release
     name: Create GitHub release
     runs-on: ubuntu-latest
     steps:
@@ -73,8 +73,8 @@ jobs:
         run: |
           flub release fromTag $TAG_NAME --json | jq -c > release-metadata.json
       - name: Upload release metadata JSON
-        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.3
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
         with:
           name: release-metadata
           path: release-metadata.json
@@ -113,8 +113,8 @@ jobs:
           mkdir reports
           flub release report -g ${{ fromJson(env.RELEASE_JSON).packageOrReleaseGroup }} -o reports
       - name: Upload release reports
-        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.3
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
         with:
           name: release-reports
           path: reports
@@ -149,7 +149,8 @@ jobs:
       # Only creates GH releases for client, server, and build-tools releases.
       - name: Create GH release
         if: fromJson(env.RELEASE_JSON).packageOrReleaseGroup == 'client' || fromJson(env.RELEASE_JSON).packageOrReleaseGroup == 'build-tools' || fromJson(env.RELEASE_JSON).packageOrReleaseGroup == 'server'
-        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # ratchet:ncipollo/release-action@v1
+        # release notes: https://github.com/ncipollo/release-action/releases/tag/v1.20.0
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # ratchet:ncipollo/release-action@v1
         with:
           # Allow updates to existing releases.
           allowUpdates: true

.github/workflows/release-approval.yml

@@ -21,8 +21,8 @@ on:
         required: true
 
 permissions:
-  actions: read  # Needed to download artifacts from the release-branches workflow
-  pull-requests: read  # Needed to read the PR details, such as the head commit SHA and the PR number.
+  actions: read # Needed to download artifacts from the release-branches workflow
+  pull-requests: read # Needed to read the PR details, such as the head commit SHA and the PR number.
 
 jobs:
   metadata:
@@ -37,8 +37,8 @@ jobs:
       ### These steps run on workflow_run event only ###
       - name: Download metadata
         if: github.event_name == 'workflow_run'
-        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v6
-        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # ratchet:dawidd6/action-download-artifact@v6
+        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v11
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # ratchet:dawidd6/action-download-artifact@v11
         with:
           workflow: release-branches.yml
           run_id: ${{ github.event.workflow_run.id }}
@@ -79,8 +79,8 @@ jobs:
       - name: "workflow_dispatch: Load commit_sha"
         id: workflow_dispatch_load_commit_sha
         if: github.event_name == 'workflow_dispatch'
-        # release notes: https://github.com/actions/github-script/releases/tag/v7.0.1
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # ratchet:actions/github-script@v7.0.1
+        # release notes: https://github.com/actions/github-script/releases/tag/v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # ratchet:actions/github-script@v8
         env:
           PR_NUMBER: ${{ steps.workflow_dispatch_load_pr.outputs.pr_num }}
         with:
@@ -107,15 +107,15 @@ jobs:
       # workflow is not directly triggered by the PR.
       - name: Set commit status as pending
         # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
-        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
+        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           sha: ${{ needs.metadata.outputs.commit_sha }}
           status: pending
           context: Check PR approval
 
       # release notes: https://github.com/actions/checkout/releases/tag/v4.1.7
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
         with:
           # The default ref when triggered by the workflow_run event is the default branch -- main
           # This means the build-tools from the main branch will always be used.
@@ -169,7 +169,7 @@ jobs:
       - name: Set commit status as success
         if: steps.check-pr.outcome == 'success'
         # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
-        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
+        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           sha: ${{ needs.metadata.outputs.commit_sha }}
@@ -179,7 +179,7 @@ jobs:
       - name: Set commit status as failure
         if: steps.check-pr.outcome != 'success'
         # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
-        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
+        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           sha: ${{ needs.metadata.outputs.commit_sha }}

.github/workflows/release-branches.yml

@@ -79,8 +79,8 @@ jobs:
         run: echo ${{ github.event.pull_request.head.sha }} > ./artifacts/commit_sha
 
       - name: Upload artifact
-        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.3
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
         with:
           name: release-branch-pr-metadata
           path: ./artifacts