This repository was archived by the owner on Apr 7, 2026. It is now read-only.

Upgrade GitHub Actions to address CVE-2024-42471 #117

Merged
diemol merged 1 commit into saucelabs:main from initharrington:fix/upgrade-github-actions on Apr 7, 2026

Conversation

@initharrington
Contributor

Upgrade GitHub Actions to address CVE-2024-42471

One-line summary

Upgrade all GitHub Actions to current major versions to fix a known zip-slip vulnerability in actions/download-artifact@v2.

Description

The actions/download-artifact@v2 action used in npm-publish.yml is vulnerable to an arbitrary file write via path traversal during artifact extraction (CVE-2024-42471, GHSA-cxww-7g56-2vh6). This PR upgrades it to v4, which includes proper path sanitization. All other outdated actions across the three workflow files are also upgraded to their current major versions to stay on supported releases.

Workflow            Action                        Old   New
all                 actions/checkout              v2    v4
test, npm-publish   actions/setup-node            v1    v4
npm-publish         actions/upload-artifact       v2    v4
npm-publish         actions/download-artifact     v2    v4
docker              docker/setup-buildx-action    v1    v3
docker              docker/login-action           v1    v3
docker              docker/build-push-action      v2    v6

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • Configuration change

Tasks

  • Upgrade actions/download-artifact v2 → v4 (CVE-2024-42471)
  • Upgrade actions/upload-artifact v2 → v4
  • Upgrade actions/checkout v2 → v4
  • Upgrade actions/setup-node v1 → v4
  • Upgrade Docker actions to current major versions

Review

  • Verify action version tags resolve to valid releases
  • Confirm no breaking changes in action inputs between major versions
  • Trigger a test workflow run to validate CI still passes

Deployment Notes

No migrations or feature toggles. These are CI-only changes. The npm-publish.yml workflow is workflow_dispatch only, so it will need a manual trigger to verify. The test.yml workflow will run automatically on the next push/PR.

Upgrade actions/download-artifact from v2 to v4 to fix zip-slip
arbitrary file write vulnerability (GHSA-cxww-7g56-2vh6). Also
upgrades all other outdated actions (checkout, setup-node,
upload-artifact, docker actions) to current major versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@diemol
Member

diemol commented Apr 7, 2026

@initharrington I believe this is not maintained anymore, and I removed it from the Sauce docs some weeks ago. I think we can archive this repository. What do you think?

@diemol diemol merged commit 4c25822 into saucelabs:main Apr 7, 2026
0 of 2 checks passed