chore: jdx/mise-action@v4

.github/actions/terragrunt/README.md

@@ -5,7 +5,7 @@ This GitHub Action sets up **Terraform** and **Terragrunt** and runs a specified
 ## Features
 
 - Installs pinned versions of Terraform and Terragrunt
-- Installs Terragrunt through `jdx/mise-action@v3`
+- Installs Terragrunt through `jdx/mise-action@v4`
 - Uses AWS credentials already configured earlier in the same job when needed
 - Optionally passes Terragrunt variables via JSON tfvars
 - Supports `plan` mode for producing local saved plan files

.github/actions/terragrunt/action.yml

@@ -40,7 +40,7 @@ runs:
         terraform_wrapper: false
 
     - name: Install Terragrunt
-      uses: jdx/mise-action@v3
+      uses: jdx/mise-action@v4
       with:
         tool_versions: |
           terragrunt ${{ inputs.tg_version }}

.github/docs/README.md

@@ -51,7 +51,7 @@ If you are unsure, the live `aws/oidc` stack in the target environment is the so
 - `release.yml`
   Creates release tags, prepares shared CI artifacts, builds release outputs, and publishes the GitHub release. Version bumps come from a repo-local action that scans commit subjects since the latest semver tag and matches configurable major/minor/patch prefixes.
 - `pull_request.yml`
-  Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job normally runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff, but manual `workflow_dispatch` runs now force every change flag on and rerun the full validation surface without a PR diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v3`, and TFLint setup now uses the Node 24 `terraform-linters/setup-tflint@v6` line.
+  Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job normally runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff, but manual `workflow_dispatch` runs now force every change flag on and rerun the full validation surface without a PR diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v4`, and TFLint setup now uses the Node 24 `terraform-linters/setup-tflint@v6` line.
 
 The local version action can also be tested outside GitHub Actions, either by running the Python entrypoint directly or through its dedicated Docker image.
 
@@ -145,7 +145,7 @@ Run these checks on every CI, workflow, or deploy-contract change.
 - `./.github/actions/terragrunt` always uploads per-stack plan artifacts on `plan` and always downloads them on `apply_plan`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable, so graph executors like `shared_infra.yml` do not need separate `./.github/actions/just` steps for those transfers
 - both repo-local composite actions, `./.github/actions/just` and `./.github/actions/terragrunt`, now assume AWS credentials are already configured in the current job when they need AWS access. The repo pattern is to run `aws-actions/configure-aws-credentials` at the top of each AWS-using job and then call the local actions without extra auth inputs
 - `./.github/actions/just` installs the requested `just` version through `extractions/setup-crate@v2` in the same minimal composite-action shape as `extractions/setup-just`, rather than depending on `extractions/setup-just` itself
-- `./.github/actions/terragrunt` installs the requested Terragrunt version through `jdx/mise-action@v3`, while Terraform stays pinned separately through `hashicorp/setup-terraform`
+- `./.github/actions/terragrunt` installs the requested Terragrunt version through `jdx/mise-action@v4`, while Terraform stays pinned separately through `hashicorp/setup-terraform`
 - saved infra-plan storage is intentionally split into two levels:
   - one run-level metadata file at `<plan_artifact_s3_prefix>/infra-plan-metadata/plan-metadata.json`
   - one per-stack plan bundle under `<plan_artifact_s3_prefix>/terragrunt-plan-<sanitized-tg-directory>/`

.github/workflows/pull_request.yml

@@ -173,7 +173,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: hashicorp/setup-terraform@v4
-      - uses: jdx/mise-action@v3
+      - uses: jdx/mise-action@v4
         with:
           tool_versions: |
             terragrunt 0.45.10