
ci(workflows): repin dead actions/setup-node and actions/setup-go SHAs #63

Merged: KooshaPari merged 1 commit into main from fix/wave8-tasken-ci on Jun 24, 2026


@KooshaPari (Owner) commented Jun 23, 2026

User description

Summary

Repin two dead GitHub Actions SHAs so the Multi-ecosystem dependency audit and cargo-deny & go-mod check workflows can resolve their setup actions on main.

Context

The most recent CI run on main (#28062557392 and #28062557429) failed at the "Set up job" step with Unable to resolve action … unable to find version <sha> annotations on two pinned action references:

  • actions/setup-node@1d0ff469b7ec7b138cb3bdcbe74e5672f63d3013 (# v4) in Multi-ecosystem dependency audit / npm audit (Node)
  • actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496718a5831 (# v5) in cargo-deny & go-mod check / go mod check

Both SHAs no longer resolve on the Actions runner, which is the same class of failure that the previous commit (5feb611 — ci: repin dead actions/checkout SHAs to @v4) fixed for actions/checkout. This PR completes the same hygiene for the remaining dead setup SHAs, keeping the pinning discipline intact (only the SHA + version comment change).

Changes

  • .github/workflows/audit.yml:74: actions/setup-node repinned to 49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
  • .github/workflows/deny.yml:60: actions/setup-go repinned to 40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0

Both SHAs were resolved against repos/actions/setup-{node,go}/git/matching-refs/tags/v{4,5} for the latest matching major, preserving the original major-version policy.

Testing

  1. Push to fix/wave8-tasken-ci (done).
  2. Re-run the failed workflows on the PR via the Run workflow dropdown, or wait for the PR-triggered pull_request runs.
  3. Expected: the npm audit (Node) job in Multi-ecosystem dependency audit and the go mod check job in cargo-deny & go-mod check now pass Set up job and proceed to their actual work.

Manual verification of the new SHAs:

gh api repos/actions/setup-node/git/matching-refs/tags/v4 | jq -r '.[] | "\(.ref) -> \(.object.sha)"'
gh api repos/actions/setup-go/git/matching-refs/tags/v5 | jq -r '.[] | "\(.ref) -> \(.object.sha)"'


CodeAnt-AI Description

Restore CI workflows that depended on dead setup action pins

What Changed

  • Updated the Node setup step in the npm audit workflow so it can run again on main
  • Updated the Go setup step in the go mod check workflow so it can run again on main
  • Kept both workflows pinned to specific action versions

Impact

✅ Fewer CI setup failures
✅ Reliable npm audit runs
✅ Reliable go mod checks



codeant-ai (bot) added the size:XS label (This PR changes 0-9 lines, ignoring generated files) on Jun 23, 2026
KooshaPari merged commit ff0eb67 into main on Jun 24, 2026
14 of 18 checks passed
KooshaPari deleted the fix/wave8-tasken-ci branch on June 24, 2026 00:09
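
Added example, not part of the PR or the repository's code: a Python check that automates the manual verification from the PR description by comparing each `uses:` pin in a workflow against a saved `repos/<owner>/<repo>/git/matching-refs/tags/<major>` response. The function names, the sample workflow lines and the annotated `v4` entry are constructed for illustration; the two 40-hex setup-node SHAs are the ones quoted in the PR.

```python
import re

# "uses: owner/repo[/path]@ref", optionally followed by a "# vX[.Y.Z]" comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>\S+)"
                     r"(?:\s+#\s*(?P<label>v[\w.]+))?")


def index_refs(matching_refs):
    """Split a matching-refs response into ({commit_sha: [tags]}, [annotated tags])."""
    commits, annotated = {}, []
    for entry in matching_refs:
        tag = entry["ref"].split("/", 2)[2]  # strip "refs/tags/"
        # Only lightweight tags carry a commit SHA; annotated ones need dereferencing.
        if entry["object"]["type"] == "commit":
            commits.setdefault(entry["object"]["sha"], []).append(tag)
        else:
            annotated.append(tag)
    return commits, annotated


def audit_pins(workflow_text, refs_by_action):
    """Return (line_number, problem) for every pin that fails a check."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"] not in refs_by_action:
            continue  # not a remote action we hold refs for
        commits, annotated = index_refs(refs_by_action[m["action"]])
        tags, label = commits.get(m["ref"]), m["label"]
        if not re.fullmatch(r"[0-9a-f]{40}", m["ref"]):
            findings.append((lineno, "not pinned to a full commit SHA"))
        elif tags is None:
            findings.append((lineno, f"SHA matches no tag (annotated, unchecked: {annotated})"))
        elif label and not any(t == label or t.startswith(label + ".") for t in tags):
            findings.append((lineno, f"comment says {label}, SHA is {tags}"))
    return findings


# Constructed sample: pins are the SHAs quoted in the PR; the annotated v4 entry is invented.
NEW = "49933ea5288caeca8642d1e84afbd3f7d6820020"
SAMPLE_REFS = {"actions/setup-node": [
    {"ref": "refs/tags/v4", "object": {"type": "tag", "sha": "c" * 40}},
    {"ref": "refs/tags/v4.4.0", "object": {"type": "commit", "sha": NEW}}]}
SAMPLE_WORKFLOW = f"""\
      - uses: actions/setup-node@v4
      - uses: actions/setup-node@1d0ff469b7ec7b138cb3bdcbe74e5672f63d3013 # v4
      - uses: actions/setup-node@{NEW} # v4.4.0
      - uses: actions/setup-node@{NEW} # v5
"""
```

A pin that matches no tag is not necessarily unresolvable, since it may be a commit that was never tagged; the check only reports that it cannot be tied to a release under the major being tracked.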