diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 80708d4..b422210 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       # Stage only the served files into _site/ so that:
       #   1. The repo's root .gitignore (which ignores install.sh) is NOT
@@ -44,7 +44,10 @@ jobs:
           cp -r assets _site/
 
       - name: Deploy to gh-pages branch
-        uses: JamesIves/github-pages-deploy-action@v4
+        # Pinned to v4.8.0 — the first release on Node.js 24 runtime.
+        # GitHub forces Node 24 from 2026-06-02; @v4 floats but pinning here
+        # keeps the upgrade explicit in git history.
+        uses: JamesIves/github-pages-deploy-action@v4.8.0
         with:
           folder: _site
           branch: gh-pages
diff --git a/.github/workflows/nightly-mutation.yml b/.github/workflows/nightly-mutation.yml
index 4608aba..b5c4165 100644
--- a/.github/workflows/nightly-mutation.yml
+++ b/.github/workflows/nightly-mutation.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
@@ -38,6 +38,6 @@ jobs:
     runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Run bash mutator
         run: bash tests/mutation/bash-mutator.sh || echo "::warning::bash-mutator below target (advisory in v0.3.0)"
diff --git a/.github/workflows/nightly-qemu.yml b/.github/workflows/nightly-qemu.yml
index fc4da5b..6c1495c 100644
--- a/.github/workflows/nightly-qemu.yml
+++ b/.github/workflows/nightly-qemu.yml
@@ -33,7 +33,7 @@ jobs:
       matrix:
         ubuntu: ['22.04', '24.04']
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       # Skip the matrix leg when workflow_dispatch targeted a single version.
       # Cron runs (github.event_name == 'schedule') always exercise both.
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index ae31d51..597ef76 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -27,23 +27,41 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR head
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         if: github.event.action != 'closed'
 
-      # Mirrors deploy.yml so the preview ships the same install.sh bytes
-      # served at agentlinux.org/install.sh.
-      - name: Stage install.sh (mirror deploy.yml)
+      # Stage only the served files into _site/ — mirrors deploy.yml. Two
+      # reasons it must be a subfolder, not the repo root:
+      #   1. JamesIves/github-pages-deploy-action (used internally by
+      #      rossjrw/pr-preview-action) rsyncs source-dir to its own temp
+      #      folder. With source-dir: ./ it recurses into the temp folder
+      #      until the path overflows OS max-path-length and the deploy
+      #      fails (observed on the dummy/preview-smoke-test branch).
+      #   2. The repo's root .gitignore (which ignores install.sh) would
+      #      otherwise ship to gh-pages and the action's `git add --all`
+      #      would skip the staged install.sh — same regression that broke
+      #      production after #4.
+      - name: Assemble site bundle
         if: github.event.action != 'closed'
-        run: cp packaging/curl-installer/install.sh install.sh
+        run: |
+          mkdir -p _site
+          cp packaging/curl-installer/install.sh _site/install.sh
+          cp index.html _site/
+          cp CNAME _site/
+          cp sitemap.xml _site/
+          cp robots.txt _site/
+          cp -r assets _site/
 
       # rossjrw/pr-preview-action publishes to gh-pages/pr-preview/pr-N/
       # on opened/reopened/synchronize, and removes that directory on closed.
       # The umbrella-dir matches deploy.yml's clean-exclude so prod deploys
-      # do not wipe open previews.
+      # do not wipe open previews. The action is composite, so its Node 24
+      # readiness depends on its sub-action marocchino/sticky-pull-request-comment;
+      # rossjrw/pr-preview-action issues #135/#136 track that bump upstream.
       - name: Deploy PR preview
         uses: rossjrw/pr-preview-action@v1
         with:
-          source-dir: ./
+          source-dir: ./_site/
           preview-branch: gh-pages
           umbrella-dir: pr-preview
           action: auto
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 905934e..b46d45b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
     outputs:
       tag: ${{ steps.tag.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Resolve and validate tag
         id: tag
         env:
@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -132,7 +132,7 @@ jobs:
       matrix:
         ubuntu: [ubuntu-22.04, ubuntu-24.04]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Docker bats matrix (incl. 51-*.bats — TST-05 inside Docker)
         run: bash tests/docker/run.sh ${{ matrix.ubuntu }}
 
@@ -149,7 +149,7 @@ jobs:
       matrix:
         ubuntu: ['22.04', '24.04']
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
@@ -226,7 +226,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Pinned catalog combo + 50-agents.bats + 51-*.bats (TST-08)
         run: bash tests/docker/run.sh ubuntu-24.04
 
@@ -239,7 +239,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b14ea2c..a506447 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -28,7 +28,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -51,7 +51,7 @@ jobs:
   cli-unit:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
@@ -98,7 +98,7 @@ jobs:
       # without pull-requests: read the API call returns 403.
       pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           # Full history so gitleaks can scan every commit, not just the
           # PR's tip.
@@ -127,7 +127,7 @@ jobs:
           - ubuntu-22.04
           - ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       # Empty-plugin guard from Phase 1: still useful. After Phase 2 lands the
       # tests/bats/*.bats files the guard falls through to the real run. If a
       # future revert removes the bats suite the job short-circuits rather