Open
Description
Summary
When upgrading GitHub Actions to SHA-pinned versions, it's important to understand breaking changes across major versions. The skill currently mentions SHA pinning in security-config.md but lacks a reference for common breaking changes when upgrading actions.
Proposed Addition
A new references/actions-upgrade-guide.md covering:
Node.js Runtime Deprecation Timeline
- Node 16: fully removed
- Node 20: deprecated Sep 2025, runners default to Node 24 from Mar 4 2026, removal summer 2026
- Node 24: current target
Common Breaking Changes by Action
| Action | Version | Breaking Change |
|---|---|---|
| actions/checkout | v6 | Credentials stored in $RUNNER_TEMP instead of .git/config |
| actions/download-artifact | v5 | Path behavior change for downloads by ID |
| actions/cache | v5 | New cache backend (old retired Apr 2025) |
| ramsey/composer-install | v3 | Requires Node.js 20+ (internal cache v4) |
| docker/setup-buildx-action | v3.12 | install input deprecated |
Security Fixes Worth Tracking
| Action | Fix |
|---|---|
| actions/checkout v6 | Credential isolation prevents token leaks |
| actions/cache v5.0.3 | Security fix in @actions/cache |
| docker/login-action v3.7 | lodash prototype pollution, cross-spawn CVE-2024-21538 |
Also
- Example references in actionlint-guide.md still use actions/checkout@v4 — should be updated to v6 with SHA
- tag-validation.md uses actions/checkout@v6 (tag only, no SHA)
Context
Learned from upgrading all GitHub Actions in TYPO3-Documentation/render-guides#1184.
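An audit for the two conditions this issue raises, written as an added example (it is not part of the issue or of the skill): it finds `uses:` references that are not pinned to a full commit SHA, and references whose version sits below a major listed in the breaking-change table above. The function name, the sample workflow, and the placeholder SHA are constructed for illustration; the major-version map copies the table.

```python
import re

# Majors at which the table in this issue lists a breaking change.
BREAKING_MAJOR = {
    "actions/checkout": 6,
    "actions/download-artifact": 5,
    "actions/cache": 5,
    "ramsey/composer-install": 3,
}

USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"#]+)"
    r"(?:@(?P<ref>[^\s'\"#]+))?['\"]?(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")
MAJOR_RE = re.compile(r"v?(\d+)")


def audit_workflow(text):
    """Return (line_no, action, pinned, needs_upgrade_review) per remote action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m["action"], m["ref"] or ""
        if action.startswith(("./", "docker://")):
            continue  # local and container references have no git ref to pin
        pinned = SHA_RE.fullmatch(ref) is not None
        # A pinned ref carries its version only in the trailing "# vX.Y.Z" comment.
        label = m["comment"] if pinned else ref
        major = MAJOR_RE.match(label or "")
        repo = "/".join(action.split("/")[:2])  # drop sub-paths such as /restore
        needs_review = (
            major is not None
            and repo in BREAKING_MAJOR
            and int(major.group(1)) < BREAKING_MAJOR[repo]
        )
        findings.append((line_no, action, pinned, needs_review))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@v6
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v5.0.3
      - uses: ./.github/actions/local
"""
```

The version comment on a pinned line is taken at face value; confirming that the SHA really corresponds to that tag needs a lookup against the action's repository.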