Hongming Wang fc59f939ac chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) ... Consolidates the remaining safe-to-merge dependabot PRs from the 2026-04-28 wave into one consumable PR. Replaces three earlier single-bump PRs (#2245, #2230, #2231) which were closed in favor of this single batch — same pattern as #2235. GitHub Actions majors (SHA-pinned per org convention): github/codeql-action v3 → v4.35.2 (#2228) actions/setup-node v4 → v6.4.0 (#2218) actions/upload-artifact v4 → v7.0.1 (#2216) actions/setup-python v5 → v6.2.0 (#2214) npm dev deps (canvas/, lockfile regenerated in node:22-bookworm container so @emnapi/* and other Linux-only optional deps are properly resolved — Mac-native `npm install` strips them, which caused the earlier #2235 batch to drop these two): @types/node ^22 → ^25.6 (#2231) jsdom ^25 → ^29.1 (#2230) Why each is safe setup-node v4 → v6 / setup-python v5 → v6: Every consumer call pins node-version / python-version explicitly. v5 / v6 changed defaults but pinned consumers are unaffected. Confirmed via grep across .github/workflows/ — all setup-node call sites pin '20' or '22', all setup-python call sites pin '3.11'. codeql-action v3 → v4.35.2: Used as init/autobuild/analyze sub-actions in codeql.yml. v4 bundles a newer CodeQL CLI; ubuntu-latest auto-updates so functional behavior is unchanged. The deprecated CODEQL_ACTION_CLEANUP_TRAP_CACHES env var (per v4.35.2 release notes) is undocumented and we don't set it. upload-artifact v4 → v7.0.1: v6 introduced Node.js 24 runtime requiring Actions Runner >= 2.327.1. All upload-artifact users (codeql.yml, e2e-staging-canvas.yml) run on `ubuntu-latest` (GitHub- hosted), which auto-updates the runner agent. Self-hosted runners are NOT used for these jobs. @types/node 22 → 25 / jsdom 25 → 29: Both are dev-only — @types/node is type definitions, jsdom backs vitest's DOM environment. Tests pass: 79 files / 1154 tests in node:22-bookworm container. Verified locally (Linux container so the lockfile reflects what CI's `npm ci` will install): - cd canvas && npm install --include=optional → 169 packages - npm test → 1154/1154 pass - npm ci → clean install succeeds - npm run build → Next.js prerendering succeeds Closes when this lands (the 3 individual auto-merge PRs from earlier were closed): #2228 #2218 #2216 #2214 #2231 #2230 NOT included (CI failing on dependabot's own run — major framework bumps that need code-side migration tasks, not safe auto-bumps): #2233 next 15 → 16 #2232 tailwindcss 3 → 4 #2226 typescript 5 → 6		2026-04-28 17:44:55 -07:00
..
auto-promote-on-e2e.yml	fix(ci): defer promote when E2E is racing with publish (review fix)	2026-04-28 16:59:58 -07:00
auto-promote-staging.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
auto-sync-main-to-staging.yml	fix(ci): auto-sync opens a PR + uses merge queue, not direct push	2026-04-28 15:59:26 -07:00
auto-tag-runtime.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
block-internal-paths.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
canary-staging.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
canary-verify.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
check-merge-group-trigger.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
ci.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
codeql.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
e2e-api.yml	fix(ci): per-SHA concurrency on staging gate workflows	2026-04-28 17:18:15 -07:00
e2e-staging-canvas.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
e2e-staging-saas.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
e2e-staging-sanity.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
pr-guards.yml	ci: add pr-guards caller that disables auto-merge on push	2026-04-27 06:39:31 -07:00
promote-latest.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
publish-canvas-image.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
publish-runtime.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
publish-workspace-server-image.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
redeploy-tenants-on-main.yml	ci(redeploy): fire post-main tenant fleet redeploy via CP admin endpoint	2026-04-24 14:34:28 -07:00
retarget-main-to-staging.yml	ci(retarget): handle 422 'duplicate PR' by closing redundant main-PR (closes #1884)	2026-04-26 00:53:55 -07:00
runtime-pin-compat.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
runtime-prbuild-compat.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
secret-pattern-drift.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00
secret-scan.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
sweep-cf-orphans.yml	chore(security): pin Actions to SHAs + enable Dependabot auto-bumps	2026-04-28 15:37:06 -07:00
sweep-stale-e2e-orgs.yml	ci: hourly sweep of stale e2e-* orgs on staging	2026-04-24 23:07:57 -07:00
test-ops-scripts.yml	chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps)	2026-04-28 17:44:55 -07:00