Update actions that run on Node.js 20 #7150

Open
BlackYps wants to merge 2 commits into develop from actions-update

@BlackYps BlackYps commented Jun 21, 2026

Node.js 20 is deprecated

Checklist

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions to newer versions across all continuous integration and deployment workflows, including checkout (v4→v6), download-artifact (v4→v7), upload-artifact (v4→v7), and other action dependencies.

@BlackYps BlackYps requested a review from Garanas June 21, 2026 22:19
@github-actions github-actions Bot marked this pull request as draft June 21, 2026 22:19

coderabbitai Bot commented Jun 21, 2026

📝 Walkthrough

Bumps GitHub Actions versions across 18 workflow files: actions/checkout from v4 to v6, actions/download-artifact from v4 to v7, actions/upload-artifact from v4 to v7, actions/setup-python from v5 to v6, actions/configure-pages from v5 to v6, actions/deploy-pages from v4 to v5, and actions/github-script from v7 to v8. No workflow logic is changed.

Changes

GitHub Actions Version Bumps

Layer: actions/checkout v4→v6
File(s): .github/workflows/bake-blueprints.yaml, .github/workflows/deploy-faf.yaml, .github/workflows/deploy-fafbeta.yaml, .github/workflows/deploy-fafdevelop.yaml, .github/workflows/docs-build.yml, .github/workflows/docs-convert-changelog.yaml, .github/workflows/docs-generate-changelog.yaml, .github/workflows/docs-spelling-check.yaml, .github/workflows/docs-synchronize-changelog.yaml, .github/workflows/docs-url-check.yaml, .github/workflows/etfreeman-db-update.yaml, .github/workflows/spookydb-update.yaml, .github/workflows/stage-fafbeta.yaml, .github/workflows/stage-fafdevelop.yaml, .github/workflows/tests.yaml, .github/workflows/wiki-generate-blueprints.yaml, .github/workflows/wiki-generate-changelogs.yaml, .github/workflows/wiki-generate-icons.yaml
Summary: Every actions/checkout@v4 reference across all 18 workflow files is replaced with actions/checkout@v6; inline version-reference comments are updated to match.

Layer: download-artifact v4→v7, upload-artifact v4→v7, and other action bumps
File(s): .github/workflows/deploy-fafbeta.yaml, .github/workflows/deploy-fafdevelop.yaml, .github/workflows/docs-build.yml, .github/workflows/docs-convert-changelog.yaml, .github/workflows/docs-generate-changelog.yaml, .github/workflows/docs-synchronize-changelog.yaml, .github/workflows/etfreeman-db-update.yaml, .github/workflows/prepare-release.yaml, .github/workflows/spookydb-update.yaml, .github/workflows/wiki-generate-blueprints.yaml, .github/workflows/wiki-generate-icons.yaml
Summary: actions/download-artifact is bumped v4→v7, actions/upload-artifact v4→v7, actions/setup-python v5→v6, actions/configure-pages v5→v6, actions/deploy-pages v4→v5, and actions/github-script v7→v8 in the relevant workflow files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • FAForever/fa#6958: Introduces the etfreeman-db-update.yaml workflow whose actions/checkout and actions/download-artifact step versions are bumped in this PR.
  • FAForever/fa#7005: Defines the same ETFreeman DB deployment workflow steps that this PR updates with newer action versions.

Suggested reviewers

  • lL1l1

Poem

🐇 Hop, hop, hooray for versions new!
From v4 to v6, the checkout flew,
Artifacts download at v7's pace,
Deploy-pages leaps with extra grace.
A bunny bumped them, row by row —
Now all the workflows gleam and glow! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning
    Explanation: The description is incomplete and does not follow the template structure. It lacks a proper 'Description of the proposed changes' section, testing information, and additional context beyond a brief statement.
    Resolution: Expand the description to explain what Node.js 20 deprecation means and which actions were updated. Add details about testing performed to verify the workflow changes work correctly.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed
    Explanation: The title clearly and specifically describes the main change: updating GitHub Actions to versions compatible with Node.js 20, which directly reflects the core objective of the PR.
  • Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed
    Explanation: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed
    Explanation: Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 10

🧹 Nitpick comments (2)
.github/workflows/wiki-generate-icons.yaml (1)

38-38: 🧹 Nitpick | 🔵 Trivial

Consider pinning actions to immutable SHAs for enhanced supply chain security.

While the version tags actions/checkout@v6 and actions/upload-artifact@v7 are standard practice in this repository, pinning GitHub Actions to full SHAs rather than mutable version tags would provide better protection against compromised releases. This is a security best practice rather than a current repository requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/wiki-generate-icons.yaml at line 38, Replace the mutable
version tags in the GitHub Actions uses statements with their corresponding full
commit SHAs. Change actions/checkout@v6 and actions/upload-artifact@v7 to use
the immutable SHA format (e.g., actions/checkout@<full-sha> and
actions/upload-artifact@<full-sha>) to ensure that the exact versions of these
actions are always used, preventing potential supply chain attacks from
compromised or modified versions of these actions.

Source: Linters/SAST tools

.github/workflows/spookydb-update.yaml (1)

39-39: 🧹 Nitpick | 🔵 Trivial

Consider pinning actions to commit SHAs instead of major version tags.

Both actions/checkout@v6 and actions/download-artifact@v7 use mutable version tags. Since this workflow uses SSH credentials to deploy to the gh-pages branch, pinning to immutable commit SHAs would reduce the risk of unexpected behavioral changes from upstream action updates.

Note: This pattern applies repo-wide—other deployment workflows use the same unpinned approach.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/spookydb-update.yaml at line 39, Replace the mutable
version tags in the workflow file with specific commit SHAs for both
actions/checkout and actions/download-artifact. Instead of using `@v6` and `@v7`
respectively, pin each action to its full commit SHA (typically a 40-character
hexadecimal string). This reduces the risk of unexpected behavioral changes from
upstream action updates, which is especially important for workflows that use
SSH credentials for deployment operations like pushing to the gh-pages branch.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-fafdevelop.yaml:
- Line 60: Replace the mutable version tag references in the GitHub Actions
workflow with immutable full-length commit SHAs. For the actions/checkout action
at line 60 (currently using `@v6`) and the other action at line 99 (currently
using `@v7`), replace the `@vX` tags with their corresponding full-length commit
SHAs to prevent supply chain attacks. You can optionally include the version tag
as a comment after the SHA (e.g., `actions/checkout@<commit-SHA> # v6`) to
maintain readability while using the immutable reference.

In @.github/workflows/docs-build.yml:
- Line 74: Replace all mutable major version tags on lines 74, 89, 96, 129, and
152 in the GitHub Actions workflow with immutable commit SHAs. For each action
reference (such as actions/checkout@v6, actions/upload-artifact@v7, and
actions/download-artifact@v5), determine the specific commit SHA corresponding
to that version and replace the version tag with the full commit SHA in the
format actions/name@<full-40-character-commit-sha>.

In @.github/workflows/docs-generate-changelog.yaml:
- Around line 53-60: The workflow file uses mutable action version tags that
should be pinned to specific commit SHAs for security compliance. Replace all
instances of actions/checkout@v6 (on lines 53 and 60) with the corresponding
commit SHA, and replace actions/upload-artifact@v7 (on line 93) with its
corresponding commit SHA. For each action, look up the latest commit SHA for the
specified major version and update the uses field to reference that specific SHA
instead of the version tag.

In @.github/workflows/docs-spelling-check.yaml:
- Line 37: The actions/checkout action is pinned to the mutable tag `@v6` which
poses a supply chain security risk and can be reassigned. Replace `@v6` with a
specific commit SHA to ensure the action version is immutable and reproducible.
Additionally, the check-spelling/check-spelling action uses `@main` which has the
same vulnerability and should also be pinned to a specific commit SHA instead of
the branch reference.

In @.github/workflows/docs-synchronize-changelog.yaml:
- Line 57: The GitHub Actions workflow uses mutable version tags (`@v6` and `@v7`)
instead of immutable commit SHAs for the actions/checkout and
actions/download-artifact actions, which creates a supply-chain security risk.
Replace the version tag references with their corresponding full commit SHA
hashes. For actions/checkout@v6 on line 57 and actions/download-artifact@v7 on
line 66, look up the commit SHA for each action version and pin each action to
its specific immutable commit hash instead of the mutable version tag.

In @.github/workflows/etfreeman-db-update.yaml:
- Line 43: Replace the tag-based references for third-party actions with pinned
commit SHAs to mitigate supply-chain risks. Update the `actions/checkout@v6`
action to use its full commit SHA instead of the v6 tag (e.g.,
`actions/checkout@a5ac7e51b41094c5405359c7b978efb4088d5ed8`). Similarly, update
the `actions/download-artifact@v7` action on line 52 to use its corresponding
commit SHA instead of the v7 tag. This ensures the workflow uses specific,
immutable versions of these actions rather than mutable tag references.

In @.github/workflows/stage-fafbeta.yaml:
- Line 38: The `actions/checkout` action on line 38 uses a version tag (`@v6`)
instead of a pinned commit SHA, which creates a security vulnerability for this
sensitive workflow that handles SSH authentication and force-pushes. Replace
`actions/checkout@v6` with `actions/checkout@` followed by the full-length
commit SHA of the desired version to ensure the exact version is executed and
prevent tag tampering attacks.

In @.github/workflows/stage-fafdevelop.yaml:
- Line 38: The actions/checkout action is currently using a mutable version tag
(v6) which creates a supply chain security risk for the force-push operation to
staging/fafdevelop. Replace the mutable tag reference in the actions/checkout
action from `@v6` to pin it to a specific immutable commit digest (full SHA) to
ensure that only the exact version of the action you intend to use gets
executed, preventing potential malicious code injection if the upstream action
is compromised.

In @.github/workflows/tests.yaml:
- Line 24: Replace all three occurrences of `actions/checkout@v6` with pinned
commit SHAs in the format `actions/checkout@<SHA> # v6` where SHA is the
full-length commit hash for v6, and include the `# v6` comment to maintain
version context. This applies to all uses statements that reference
`actions/checkout@v6` throughout the workflow file to harden CI against supply
chain attacks by preventing tag-retargeting and code injection vulnerabilities.

In @.github/workflows/wiki-generate-changelogs.yaml:
- Line 32: Replace all three instances of `actions/checkout@v6` with the
full-length commit SHA format `actions/checkout@<full-commit-sha>` followed by a
comment indicating the version (e.g., `# v6.x.x`). This applies to all
occurrences of the `uses: actions/checkout@v6` line throughout the workflow file
to ensure immutability and prevent supply chain attacks from mutable version
tags.

📥 Commits

Reviewing files that changed from the base of the PR and between c80d63c and a7e2d15.

⛔ Files ignored due to path filters (1)
  • lua/ui/lobby/changelog/generated/overview.lua is excluded by !**/generated/**
📒 Files selected for processing (19)
  • .github/workflows/bake-blueprints.yaml
  • .github/workflows/deploy-faf.yaml
  • .github/workflows/deploy-fafbeta.yaml
  • .github/workflows/deploy-fafdevelop.yaml
  • .github/workflows/docs-build.yml
  • .github/workflows/docs-convert-changelog.yaml
  • .github/workflows/docs-generate-changelog.yaml
  • .github/workflows/docs-spelling-check.yaml
  • .github/workflows/docs-synchronize-changelog.yaml
  • .github/workflows/docs-url-check.yaml
  • .github/workflows/etfreeman-db-update.yaml
  • .github/workflows/prepare-release.yaml
  • .github/workflows/spookydb-update.yaml
  • .github/workflows/stage-fafbeta.yaml
  • .github/workflows/stage-fafdevelop.yaml
  • .github/workflows/tests.yaml
  • .github/workflows/wiki-generate-blueprints.yaml
  • .github/workflows/wiki-generate-changelogs.yaml
  • .github/workflows/wiki-generate-icons.yaml
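
A minimal checker for the pinning rule the review comments above describe, as an added example that is not part of this PR or of CodeRabbit's output: it flags every `uses:` reference that is not a full 40-character commit SHA. The sample workflow, the SHA in it, and the function names are constructed for illustration.

```python
import re

# Value of a `uses:` key (step or reusable-workflow job), without trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - name: Spelling
        uses: check-spelling/check-spelling@main
      - uses: ./.github/actions/local-helper
      # - uses: actions/upload-artifact@v7
      - uses: actions/checkout@0123456 # abbreviated SHA
"""

def classify(ref):
    """Return 'pinned', 'mutable' or 'skip' for one `uses:` value."""
    if ref.startswith("./"):
        return "skip"  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    if not sep:
        return "mutable"  # no ref at all
    # Tags (v6), branches (main) and abbreviated SHAs are not full-length pins.
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "mutable"

def find_mutable_refs(workflow_text):
    """Return (line number, reference) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run over each file under `.github/workflows/`, this reports the same class of finding as the inline comments, including branch references such as `@main`.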

@BlackYps BlackYps marked this pull request as ready for review June 21, 2026 22:31
@BlackYps

We should merge #7124 first, to get rid of the useless overview.lua diff
