ci: remove node20 workflow action warnings

.github/workflows/changed-scope-quality-nightly.yml

@@ -36,7 +36,7 @@ jobs:
           echo "RUNNER_TOOL_CACHE=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -123,7 +123,7 @@ jobs:
 
       - name: Upload changed-scope quality artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: changed-scope-quality-nightly-${{ github.run_id }}
           retention-days: 14

.github/workflows/ci-smoke.yml

@@ -23,7 +23,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           clean: true

.github/workflows/ci.yml

@@ -172,7 +172,7 @@ jobs:
           CLOUD_BOOTSTRAP_ALLOWED: ${{ steps.decide.outputs.sensitive_dispatch_allowed }}
 
       - name: Upload route seed artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-route-seed-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -206,7 +206,7 @@ jobs:
           echo "RUNNER_TOOL_CACHE=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -353,7 +353,7 @@ jobs:
       - name: Upload quick-feedback artifacts
         if: always()
         continue-on-error: true
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-quick-feedback-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -381,16 +381,21 @@ jobs:
           echo "RUNNER_TOOL_CACHE=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
           clean: true
 
       - name: Run dependency review
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48
-        with:
-          config-file: .github/dependency-review-config.yml
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          bash scripts/run_governance_py.sh scripts/check_dependency_review_gate.py \
+            --config-file .github/dependency-review-config.yml \
+            --base-sha "${{ github.event.pull_request.base.sha }}" \
+            --head-sha "${{ github.event.pull_request.head.sha }}"
 
   untrusted-pr-basic-gates:
     name: PR Low-Privilege Gates
@@ -412,14 +417,14 @@ jobs:
           echo "RUNNER_TOOL_CACHE=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
           clean: true
 
       - name: Download route seed artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-route-seed-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache/openvibecoding/reports/ci/routes
@@ -486,7 +491,7 @@ jobs:
 
       - name: Upload low-privilege artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-pr-low-priv-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -498,7 +503,7 @@ jobs:
 
       - name: Upload untrusted route report artifact
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ${{ steps.finalize_untrusted_route.outputs.route_report_artifact_name }}
           retention-days: 14
@@ -538,7 +543,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -578,7 +583,7 @@ jobs:
 
       - name: Upload policy/security artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-policy-and-security-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -618,7 +623,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -653,7 +658,7 @@ jobs:
 
       - name: Upload core-tests artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-core-tests-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -698,7 +703,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -731,7 +736,7 @@ jobs:
 
       - name: Upload ui-truth artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-ui-truth-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -777,7 +782,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -862,35 +867,35 @@ jobs:
           clean: true
 
       - name: Download quick-feedback artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-quick-feedback-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache
           merge-multiple: true
 
       - name: Download policy-and-security artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-policy-and-security-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache
           merge-multiple: true
 
       - name: Download core-tests artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-core-tests-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache
           merge-multiple: true
 
       - name: Download resilience-and-e2e artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-resilience-and-e2e-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache
           merge-multiple: true
 
       - name: Download route seed artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-route-seed-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache/openvibecoding/reports/ci/routes
@@ -961,7 +966,7 @@ jobs:
 
       - name: Upload release-evidence artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ci-release-evidence-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14
@@ -974,7 +979,7 @@ jobs:
 
       - name: Upload trusted route report artifact
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ${{ steps.finalize_release_route.outputs.route_report_artifact_name }}
           retention-days: 14
@@ -1010,14 +1015,14 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
           clean: true
 
       - name: Download route seed artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ci-route-seed-${{ github.run_id }}-${{ github.run_attempt }}
           path: .runtime-cache/openvibecoding/reports/ci/routes
@@ -1064,7 +1069,7 @@ jobs:
 
       - name: Upload trusted PR route report artifact
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ${{ steps.finalize_trusted_pr_route.outputs.route_report_artifact_name }}
           retention-days: 14
@@ -1142,14 +1147,14 @@ jobs:
           } >> "${GITHUB_ENV}"
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           fetch-depth: 0
           clean: true
 
       - name: Download route report artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: ${{ env.ROUTE_ARTIFACT_NAME }}
           path: .runtime-cache/openvibecoding/reports/ci/routes

.github/workflows/codeql.yml

@@ -14,7 +14,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           clean: true
           persist-credentials: false

.github/workflows/continuous-governance.yml

@@ -57,7 +57,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           persist-credentials: false
           clean: true
@@ -124,7 +124,7 @@ jobs:
 
       - name: Upload Continuous Governance Artifacts
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: continuous-governance-artifacts-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14

.github/workflows/github-control-plane.yml

@@ -12,7 +12,7 @@ jobs:
     environment: owner-approved-sensitive
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
         with:
           clean: true
           persist-credentials: false
@@ -25,7 +25,7 @@ jobs:
 
       - name: Upload control-plane report
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: github-control-plane-report-${{ github.run_id }}-${{ github.run_attempt }}
           retention-days: 14

CHANGELOG.md

@@ -6,6 +6,12 @@ All notable changes to this repository will be documented in this file.
 
 ### Changed
 
+- replaced the Node 20-pinned GitHub Dependency Review action with the
+  repo-owned `check_dependency_review_gate.py` wrapper over GitHub's official
+  dependency-graph compare API, then bumped the pinned `actions/checkout`,
+  `actions/upload-artifact`, and `actions/download-artifact` workflow SHAs onto
+  their Node 24-based majors so hosted CI stops carrying avoidable deprecation
+  warnings on the active PR path
 - corrected the default localhost full-stack operator path so `npm run dev`
   now truthfully pairs the dashboard with a localhost-only API lane, while
   `dashboard:dev` stays a dashboard-only shell on the expected port; the same

README.md

@@ -271,8 +271,9 @@ static security (`bash scripts/check_workflow_static_security.sh`), repo
 filesystem/dependency scanning (`bash scripts/check_trivy_repo_scan.sh`), and
 current-tree plus fresh-clone secret scanning
 (`bash scripts/check_secret_scan_closeout.sh --mode both`), while pull
-requests also run the official GitHub Dependency Review action with the
-repo-owned `.github/dependency-review-config.yml` policy.
+requests also run a repo-owned dependency review gate against GitHub's
+official dependency-graph compare API, driven by the same
+`.github/dependency-review-config.yml` policy.
 GitHub-hosted `trusted_pr`, `untrusted_pr`, and hosted-first `push_main`
 routes keep the live alerts query in advisory mode for Quick Feedback and the
 hosted policy slice, because the integration token cannot always read the

apps/dashboard/tests/search_page.test.tsx

@@ -76,7 +76,7 @@ describe("search page copy and interaction", () => {
     await waitFor(() => {
       expect(screen.getByTestId("search-promote-status-message")).toHaveTextContent("Promoted to EvidenceBundle");
     });
-    expect(screen.getByTestId("search-evidence-bundle-card")).toHaveTextContent("bundle-1");
+    expect(await screen.findByTestId("search-evidence-bundle-card")).toHaveTextContent("bundle-1");
   });
 
   it("shows promote failure when backend returns non-ok result", async () => {