fix(ci): upgrade GitHub Actions to Node 24 and harden supply chain (#11)

thepixelabs · semantic-release-bot · claude · web-flow · commit a3458488db46 · 2026-04-06T16:32:18.000+03:00
## Summary - Upgrade all GitHub first-party actions from Node 20 to Node 24 runtime - SHA-pin third-party actions (TruffleHog, OSV Scanner) to prevent tag substitution attacks ## Changes ### Node 24 upgrades | Action | Before | After | |---|---|---| | `actions/checkout` | `@v4` | `@v6` | | `actions/setup-node` | `@v4` | `@v6` | | `actions/cache` | `@v4` | `@v5` | | `actions/dependency-review-action` | `@v4` | `@v4.9.0` (latest, still Node 20) | Node 20 support is removed from GitHub runners on 2026-09-16, with forced default switch to Node 24 on 2026-06-02. ### Supply chain hardening Third-party actions pinned by commit SHA instead of tag to prevent tag substitution attacks (as exploited in the [Trivy supply chain compromise](GHSA-69fq-xp46-6x23) of March 2026). First-party `actions/*` remain tag-pinned — compromising them requires compromising GitHub itself, which is a different threat model. ## Test plan - [ ] All security jobs pass without Node 20 deprecation warnings - [ ] TruffleHog and OSV Scanner resolve correctly via SHA pins --------- Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -18,13 +18,13 @@ jobs:
     name: npm audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: '.node-version'
           check-latest: false
       - name: Cache node_modules
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: cache-node-modules
         with:
           path: node_modules
@@ -44,8 +44,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/dependency-review-action@v4
+      - uses: actions/checkout@v6
+      - uses: actions/dependency-review-action@v4.9.0
         with:
           fail-on-severity: high
           deny-licenses: GPL-3.0, AGPL-3.0
@@ -57,7 +57,7 @@ jobs:
     name: OSV Scanner
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: google/osv-scanner-action/osv-scanner-action@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
         with:
           scan-args: |-
@@ -70,12 +70,12 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: TruffleHog scan
         id: trufflehog
-        uses: trufflesecurity/trufflehog@v3.94.2
+        uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2
         continue-on-error: true
         with:
           path: ./
@@ -95,11 +95,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: TruffleHog full history scan
-        uses: trufflesecurity/trufflehog@v3.94.2
+        uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2
         with:
           path: ./
           extra_args: >-
diff --git a/agents/ceo.md b/agents/ceo.md
@@ -121,12 +121,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/compliance-counsel.md b/agents/compliance-counsel.md
@@ -126,12 +126,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/creative-technologist.md b/agents/creative-technologist.md
@@ -127,12 +127,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/cto.md b/agents/cto.md
@@ -124,12 +124,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/data-engineer.md b/agents/data-engineer.md
@@ -133,12 +133,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/devops.md b/agents/devops.md
@@ -131,12 +131,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/product-engineer.md b/agents/product-engineer.md
@@ -135,12 +135,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/qa-architect.md b/agents/qa-architect.md
@@ -140,12 +140,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
diff --git a/agents/qa-engineer.md b/agents/qa-engineer.md
@@ -127,12 +127,12 @@ EOF
 ```
 Using `>>` is atomic at the filesystem level and avoids overwriting prior entries.
 
-8. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
+9. **Block:** If you cannot proceed, edit the phase to `status: BLOCKED` and append explanation to execution-log.md via the same `>>` pattern.
 
-9. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
+10. **Idle:** If no phases match your persona with TODO status (and prior phases DONE), report "No active tasks found for @<persona>" and stop.
 
 ### Stuck task recovery
-If a phase has been `IN_PROGRESS` for over 30 minutes with no new execution-log entries, a planner may reset it to `TODO` for reassignment.
+Stale recovery is now handled automatically by step 3 of the executor workflow. Every agent that activates will reset phases that have been IN_PROGRESS for over 30 minutes (based on `claimed_at` timestamp). Phases without a `claimed_at` field are treated as stale immediately.
 
 ### Security rules
 - Never write `.env` file contents, API keys, credentials, or secrets into any `.tasks/` file.
