QualityUnit · yasha-dev1 · Feb 28, 2026 · Feb 28, 2026
diff --git a/.github/workflows/auto-resolve-threads.yml b/.github/workflows/auto-resolve-threads.yml
@@ -18,12 +18,12 @@ jobs:
       github.event.check_run.conclusion == 'success'
     steps:
       - name: Checkout at reviewed SHA
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.check_run.head_sha }}
 
       - name: Resolve bot-only threads
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const owner = context.repo.owner;

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,7 +49,7 @@ jobs:
           echo "base-ref=$(echo "$PR_JSON" | jq -r '.baseRefName')" >> "$GITHUB_OUTPUT"
 
       - name: Checkout at verified SHA
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ steps.pr-context.outputs.head-sha || github.event.pull_request.head.sha || github.sha }}
           fetch-depth: 0
@@ -105,11 +105,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
 
@@ -124,11 +124,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
 
@@ -143,11 +143,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
 
@@ -159,7 +159,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test-results
           path: test-results.xml
@@ -172,11 +172,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
 
@@ -191,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 
@@ -205,7 +205,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.risk-gate.outputs.sha }}
 

diff --git a/.github/workflows/code-review-agent.yml b/.github/workflows/code-review-agent.yml
@@ -29,7 +29,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout at PR head SHA
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha || '' }}
           fetch-depth: 0
@@ -130,7 +130,7 @@ jobs:
 
       - name: Notify PR — review agent skipped (Tier 1)
         if: steps.tier.outputs.tier == '1'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           HEAD_SHA: ${{ steps.pr.outputs.head-sha }}
           PR_NUMBER: ${{ steps.pr.outputs.pr-number }}
@@ -178,7 +178,7 @@ jobs:
       - name: SHA deduplication check
         if: steps.tier.outputs.tier != '1'
         id: dedup
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           HEAD_SHA: ${{ steps.pr.outputs.head-sha }}
           PR_NUMBER: ${{ steps.pr.outputs.pr-number }}
@@ -209,7 +209,7 @@ jobs:
       - name: Create in-progress check run
         if: steps.tier.outputs.tier != '1' && steps.dedup.outputs.skip != 'true'
         id: check
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           HEAD_SHA: ${{ steps.pr.outputs.head-sha }}
         with:
@@ -248,7 +248,7 @@ jobs:
       - name: Build review prompt
         if: steps.tier.outputs.tier != '1' && steps.dedup.outputs.skip != 'true'
         id: build-prompt
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           REVIEW_TEMPLATE: ${{ steps.prompt-file.outputs.content }}
           TIER: ${{ steps.tier.outputs.tier }}
@@ -350,7 +350,7 @@ jobs:
       - name: Post review comment
         if: steps.tier.outputs.tier != '1' && steps.dedup.outputs.skip != 'true'
         id: post-review
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           REVIEW_TEXT: ${{ steps.extract.outputs.review || '' }}
           REVIEW_FOUND: ${{ steps.extract.outputs.found || 'false' }}
@@ -465,7 +465,7 @@ jobs:
 
       - name: Update review comment with verdict
         if: steps.tier.outputs.tier != '1' && steps.dedup.outputs.skip != 'true' && steps.post-review.outputs.comment-id
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           COMMENT_ID: ${{ steps.post-review.outputs.comment-id }}
           VERDICT: ${{ steps.verdict.outputs.verdict || 'COMMENT' }}
@@ -510,7 +510,7 @@ jobs:
 
       - name: Complete check run
         if: always() && steps.check.outputs.check-run-id
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           CHECK_RUN_ID: ${{ steps.check.outputs.check-run-id }}
           REVIEW_OUTCOME: ${{ steps.review.outcome }}
@@ -538,7 +538,7 @@ jobs:
       - name: Check review-fix eligibility
         if: steps.tier.outputs.tier != '1' && steps.dedup.outputs.skip != 'true' && steps.verdict.outputs.verdict == 'REQUEST_CHANGES'
         id: review-fix
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PR_NUMBER: ${{ steps.pr.outputs.pr-number }}
         with:
@@ -596,7 +596,7 @@ jobs:
 
       - name: Escalate — max review-fix cycles
         if: steps.review-fix.outputs.escalate == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PR_NUMBER: ${{ steps.pr.outputs.pr-number }}
         with:
@@ -653,7 +653,7 @@ jobs:
 
       - name: Report skip as success
         if: steps.tier.outputs.tier == '1' || steps.dedup.outputs.skip == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           HEAD_SHA: ${{ steps.pr.outputs.head-sha }}
         with:

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

diff --git a/.github/workflows/harness-smoke.yml b/.github/workflows/harness-smoke.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Validate harness.config.json schema
         run: |

diff --git a/.github/workflows/issue-implementer.yml b/.github/workflows/issue-implementer.yml
@@ -45,13 +45,13 @@ jobs:
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 22
 
@@ -121,7 +121,7 @@ jobs:
 
       - name: Set up Python
         if: steps.guard.outputs.should-implement == 'true'
-        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
 
@@ -138,7 +138,7 @@ jobs:
 
       - name: Ensure implementer labels exist
         if: steps.guard.outputs.should-implement == 'true' && steps.guard.outputs.review-fix == 'false'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const labels = [
@@ -260,7 +260,7 @@ jobs:
       - name: Build implementation prompt (issue mode)
         if: steps.guard.outputs.should-implement == 'true' && steps.guard.outputs.review-fix == 'false'
         id: build-prompt
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           IMPLEMENTER_TEMPLATE: ${{ steps.prompt-file.outputs.content }}
           ISSUE_JSON: ${{ github.event_name == 'workflow_dispatch' && inputs.pr_number == '' && steps.fetch-issue.outputs.json || toJSON(github.event.issue) }}
@@ -324,7 +324,7 @@ jobs:
       - name: Build review-fix prompt (review-fix mode)
         if: steps.guard.outputs.should-implement == 'true' && steps.guard.outputs.review-fix == 'true'
         id: build-fix-prompt
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           IMPLEMENTER_TEMPLATE: ${{ steps.prompt-file.outputs.content }}
           REVIEW_BODY: ${{ steps.review-feedback.outputs.body }}
@@ -385,7 +385,7 @@ jobs:
 
       - name: Post start comment on issue
         if: steps.guard.outputs.should-implement == 'true' && steps.guard.outputs.review-fix == 'false' && steps.guard.outputs.issue-number != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const issueNumber = parseInt('${{ steps.guard.outputs.issue-number }}', 10);
@@ -581,7 +581,7 @@ jobs:
       - name: Create pull request
         if: steps.commit.outputs.new-sha != ''
         id: pr
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           ISSUE_NUMBER: ${{ steps.guard.outputs.issue-number }}
           ISSUE_TITLE: ${{ steps.guard.outputs.issue-title }}
@@ -686,7 +686,7 @@ jobs:
 
       - name: Comment PR link on issue
         if: steps.pr.outputs.pr-url != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const issueNumber = parseInt('${{ steps.guard.outputs.issue-number }}', 10);
@@ -743,7 +743,7 @@ jobs:
 
       - name: Add review-fix-cycle label
         if: steps.guard.outputs.review-fix == 'true' && steps.fix-commit.outputs.new-sha != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const prNumber = parseInt('${{ inputs.pr_number }}', 10);
@@ -776,7 +776,7 @@ jobs:
 
       - name: Failure handler
         if: failure() && steps.guard.outputs.should-implement == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const reviewFix = '${{ steps.guard.outputs.review-fix }}' === 'true';

diff --git a/.github/workflows/issue-planner.yml b/.github/workflows/issue-planner.yml
@@ -30,12 +30,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
 
       - name: Setup Node.js
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 22
 
@@ -86,7 +86,7 @@ jobs:
 
       - name: Ensure planner labels exist
         if: steps.guard.outputs.should-plan == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const labels = [
@@ -124,7 +124,7 @@ jobs:
       - name: Build planning prompt
         if: steps.guard.outputs.should-plan == 'true'
         id: build-prompt
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PLANNER_TEMPLATE: ${{ steps.prompt-file.outputs.content }}
           ISSUE_JSON: ${{ github.event_name == 'workflow_dispatch' && steps.fetch-issue.outputs.json || toJSON(github.event.issue) }}
@@ -222,7 +222,7 @@ jobs:
 
       - name: Post plan comment and add agent:implement label
         if: steps.guard.outputs.should-plan == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PLAN_TEXT: ${{ steps.extract-plan.outputs.plan || '' }}
           PLAN_FOUND: ${{ steps.extract-plan.outputs.found || 'false' }}
@@ -269,7 +269,7 @@ jobs:
 
       - name: Failure handler
         if: failure() && steps.guard.outputs.should-plan == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const issueNumber = parseInt('${{ steps.guard.outputs.issue-number }}', 10);