chore(deps): update github-actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/setup-go	action	minor	v6.0.0 → v6.4.0
anthropics/claude-code-action (changelog)	action	digest	1c8b699 → 5fb8995

---

Release Notes

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in #​705
• Fix golang download url to go.dev by @​178inaba in #​469

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Enhancements

• Example for restore-only cache in documentation by @​aparnajyothi-y in #​696
• Update Node.js version in action.yml by @​ccoVeille in #​691
• Documentation update of actions/checkout by @​deining in #​683

Dependency updates

• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot in #​682
• Upgrade @​actions/cache to v5 by @​salmanmkc in #​695
• Upgrade actions/checkout from 5 to 6 by @​dependabot in #​686
• Upgrade qs from 6.14.0 to 6.14.1 by @​dependabot in #​703

New Contributors

• @​ccoVeille made their first contribution in #​691
• @​deining made their first contribution in #​683

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancements

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​nicholasngai in #​665
• Add support for .tool-versions file and update workflow by @​priya-kinthali in #​673
• Add comprehensive breaking changes documentation for v6 by @​mahabaleshwars in #​674

Dependency updates

• Upgrade eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking changes in v6 by @​dependabot in #​617
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​641
• Upgrade semver and @​types/semver by @​dependabot in #​652

New Contributors

• @​nicholasngai made their first contribution in #​665
• @​priya-kinthali made their first contribution in #​673
• @​mahabaleshwars made their first contribution in #​674

Full Changelog: actions/setup-go@v6...v6.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Claude finished @renovate[bot]'s task in 18s —— View job

---

PR Review

• Gather context and analyze changes

This PR updates anthropics/claude-code-action from digest 1c8b699 to 5fb8995 across 3 workflow files.

No issues found. The changes are purely a pinned-digest bump to a first-party Anthropic action. Using pinned SHA digests is the correct security practice for third-party actions — it prevents supply chain attacks from tag mutation. The new digest 5fb8995 corresponds to the same v1 tag and comes from the upstream changelog linked in the PR body.

Nothing to flag.

[github-actions]

Claude finished @renovate[bot]'s task in 39s —— View job

---

PR Review

• Gather context and analyze changes
• Review changed files

No issues found. The changes are pinned SHA digest bumps for two actions:

• anthropics/claude-code-action: 1c8b699 → 5fb8995 (3 workflow files)
• actions/setup-go: 44694675 → 4a360112 (v6.0.0 → v6.4.0, 1 workflow file)

Using pinned commit SHAs is the correct security practice — prevents supply chain attacks via tag mutation. The setup-go v6.1.0–v6.4.0 changes are additive enhancements (fallback download URL, .tool-versions support, cache improvements) with no breaking changes.