chore(security): bump vite, add per-job permissions in ci.yml

.github/workflows/ci.yml

@@ -48,17 +48,20 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
-  # Force JS-based actions onto Node 24 ahead of GitHub's June 2026
-  # default flip. Silences the actions/checkout@v4 deprecation banner.
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
   build:
     name: build / test
     runs-on: ubuntu-latest
     timeout-minutes: 45
+    # Per-job permissions in addition to the workflow root block,
+    # so the auth contract stays explicit if the root default ever
+    # widens. CodeQL (actions/missing-workflow-permissions) prefers
+    # this defense-in-depth shape.
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: dorny/paths-filter@v3
         id: filter
@@ -164,8 +167,10 @@ jobs:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: dtolnay/rust-toolchain@stable
 
@@ -198,8 +203,10 @@ jobs:
     name: supply chain (cargo-deny)
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       # Runs advisories + bans + licenses + sources against deny.toml.
       # See SUPPLY-CHAIN.md section 4.3 for the policy rationale.
@@ -220,8 +227,10 @@ jobs:
     name: crate graph (hot/async layering)
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: dtolnay/rust-toolchain@stable
       - name: install jq
         run: sudo apt-get update && sudo apt-get install -y jq

.github/workflows/doc-drift.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: check doc drift
         run: |

.github/workflows/docs-ci.yml

@@ -37,16 +37,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
   docs-ci:
     name: docs / lint + exec
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       # --- Cache lychee link-check results ---
       #
@@ -55,7 +52,7 @@ jobs:
       # entries from masking newly-broken links indefinitely while still
       # avoiding per-PR upstream traffic.
       - name: cache lychee
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: .lycheecache
           key: lychee-${{ hashFiles('.lycheeignore') }}-${{ github.run_id }}

.github/workflows/e2e.yml

@@ -23,15 +23,13 @@ env:
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
 
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
   e2e:
     name: e2e (workspace)
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: ./.github/actions/rust-setup
         with:

.github/workflows/fixture-freshness.yml

@@ -42,15 +42,13 @@ env:
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
 
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
   fixture-freshness:
     name: regen + diff
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v5
 
       - uses: dtolnay/rust-toolchain@stable
 

.github/workflows/licensing-conformance.yml

@@ -52,8 +52,6 @@ env:
   RSL_XSD_URL: 'https://rsl.ai/spec/1.0/rsl.xsd'
   TDMREP_SCHEMA_URL: 'https://www.w3.org/community/reports/tdmrep/CG-FINAL-tdmrep-20240202/schema/tdmrep.json'
 
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
 
   # --- Upstream schema sync (tag push + dispatch) ---
@@ -67,7 +65,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v5
 
       - name: install curl + diff
         run: |
@@ -90,7 +88,7 @@ jobs:
             echo "key=licensing-schemas-${week}" >> "$GITHUB_OUTPUT"
           fi
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         id: schema_cache
         with:
           path: |

.github/workflows/perf-regression.yml

@@ -43,7 +43,6 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
   perf-regression:
@@ -63,14 +62,14 @@ jobs:
       # one for the PR head (candidate) at ./candidate-src. The script
       # is the same for both, only the working directory differs.
       - name: checkout candidate (PR head)
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v5
         with:
           path: candidate-src
           # The default fetch-depth of 1 is fine; this lane does not
           # need history beyond the PR head.
 
       - name: checkout baseline (main)
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v5
         with:
           repository: ${{ github.event.pull_request.base.repo.full_name }}
           ref: ${{ github.event.pull_request.base.ref }}
@@ -179,7 +178,7 @@ jobs:
 
       - name: upload bench artifacts
         if: always()
-        uses: actions/upload-artifact@v4.4.0
+        uses: actions/upload-artifact@v5
         with:
           name: perf-regression-bench
           path: perf-out/
@@ -193,7 +192,7 @@ jobs:
       # comment instead of stacking new ones.
       - name: post PR comment
         if: always() && github.event.pull_request != null
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8
         env:
           COMMENT_FILE: perf-out/comment.md
         with:

.github/workflows/release-checks.yml

@@ -35,15 +35,13 @@ env:
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
 
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
   test-isolation:
     name: test isolation (single-threaded)
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: free disk space
         uses: jlumbroso/free-disk-space@v1.3.1
@@ -95,7 +93,7 @@ jobs:
           PEBBLE_VA_ALWAYS_VALID: "1"
           PEBBLE_VA_NOSLEEP: "1"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: dtolnay/rust-toolchain@stable
 

.github/workflows/release.yml

@@ -34,8 +34,6 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
 jobs:
   build:
     name: build / ${{ matrix.target }}
@@ -62,7 +60,7 @@ jobs:
           # `scripts/install.sh` for the same fallback message.
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: dtolnay/rust-toolchain@stable
         with:
@@ -92,7 +90,7 @@ jobs:
           (cd dist && shasum -a 256 "sbproxy_${{ matrix.platform }}.tar.gz" > "sbproxy_${{ matrix.platform }}.tar.gz.sha256")
 
       - name: upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: bin-${{ matrix.platform }}
           path: dist/
@@ -103,7 +101,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: generate cyclonedx sbom
         uses: anchore/sbom-action@v0
@@ -114,7 +112,7 @@ jobs:
           output-file: sbom.cyclonedx.json
 
       - name: upload sbom
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: sbom
           path: sbom.cyclonedx.json
@@ -131,10 +129,10 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: artifacts
 
@@ -191,16 +189,16 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: download binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: artifacts
           pattern: bin-*
 
       - name: download sbom
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: sbom
           path: artifacts/sbom

.github/workflows/reproducible-build.yml

@@ -22,7 +22,6 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: 0
   RUST_BACKTRACE: 1
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
   build:
@@ -34,7 +33,7 @@ jobs:
       matrix:
         build_id: [a, b]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: free disk space
         uses: jlumbroso/free-disk-space@v1.3.1
@@ -70,7 +69,7 @@ jobs:
           sha256sum "dist/sbproxy-${{ matrix.build_id }}" | tee "dist/sbproxy-${{ matrix.build_id }}.sha256"
 
       - name: upload independent build artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: reproducible-build-${{ matrix.build_id }}
           path: dist/
@@ -82,7 +81,7 @@ jobs:
     needs: [build]
     timeout-minutes: 10
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v5
         with:
           pattern: reproducible-build-*
           path: artifacts
@@ -114,7 +113,7 @@ jobs:
           } | tee reproducible-build-report.md
 
       - name: upload comparison report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: reproducible-build-report
           path: reproducible-build-report.md