Upgrade GitHub Actions to latest versions

[salmanmkc]

Summary

Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.

Changes

Action	Old Version(s)	New Version	Release	Files
codecov/codecov-action	v2	v5	Release	ci.yaml

Why upgrade?

Keeping GitHub Actions up to date ensures:

• Security: Latest security patches and fixes
• Features: Access to new functionality and improvements
• Compatibility: Better support for current GitHub features
• Performance: Optimizations and efficiency improvements

Security Note

Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.

Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

[JiwaniZakir]

Jumping from codecov/codecov-action@v2 to v5 skips two major versions (v3 and v4), which introduced several breaking changes — notably, v4 made the token field required for public repos (previously optional), and v5 changed how tokenless uploads are handled. Since the workflow already supplies secrets.CODECOV_TOKEN, the token requirement is satisfied, but it's worth verifying that the file parameter (used here) hasn't been deprecated in favor of files (plural) in the v4/v5 API, as that rename was introduced in v3. Additionally, v5 added a slug input for disambiguation in forks; without it, coverage uploads from fork-based PRs may fail silently. It would be safer to pin to a specific SHA or at minimum a patch version (e.g., codecov/codecov-action@v5.4.3) rather than a floating major tag, to avoid unexpected behavior from future upstream changes.

[salmanmkc]

Jumping from codecov/codecov-action@v2 to v5 skips two major versions (v3 and v4), which introduced several breaking changes — notably, v4 made the token field required for public repos (previously optional), and v5 changed how tokenless uploads are handled. Since the workflow already supplies secrets.CODECOV_TOKEN, the token requirement is satisfied, but it's worth verifying that the file parameter (used here) hasn't been deprecated in favor of files (plural) in the v4/v5 API, as that rename was introduced in v3. Additionally, v5 added a slug input for disambiguation in forks; without it, coverage uploads from fork-based PRs may fail silently. It would be safer to pin to a specific SHA or at minimum a patch version (e.g., codecov/codecov-action@v5.4.3) rather than a floating major tag, to avoid unexpected behavior from future upstream changes.

Good point, I've just had another check and they now have a v6.0.0: I've updated it to use this SHA for v6.0.0. The reason I thought going to 6.0.0 would be helpful is because of the node 24 upgrade it includes as well. It currently would be showing a warning about the node 20 deprecation as per https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/ and they just added node 24 support in v6.0.0.