From 1f7eba70ef24aad1b63f551f263ef4d06da783e8 Mon Sep 17 00:00:00 2001
From: Dmitry Bolotin <bolotin@milaboratories.com>
Date: Mon, 25 May 2026 15:45:54 +0200
Subject: [PATCH 01/19] Add fix-beta.sh: re-sync v4-beta with v4 (inverse of
 merge-beta.sh)

---
 fix-beta.sh | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100755 fix-beta.sh

diff --git a/fix-beta.sh b/fix-beta.sh
new file mode 100755
index 00000000..5ea659bf
--- /dev/null
+++ b/fix-beta.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# fix-beta.sh — re-sync v4-beta with v4 after they diverge.
+#
+# Use when:
+#   - Someone committed directly to v4 (bypassing the v4-beta → merge-beta.sh
+#     cycle) and you want v4-beta to incorporate those changes.
+#   - Post-promotion: v4 has the rename-sed commit from merge-beta.sh that
+#     v4-beta does not have; run this script to bring v4-beta back in sync.
+#
+# What it does:
+#   1. Refuses if the working tree is dirty.
+#   2. Re-execs itself from a tmp copy so the script survives the checkout.
+#   3. Switches to v4-beta, pulls latest.
+#   4. Merges v4 in with --strategy-option theirs (v4 content wins on conflict).
+#   5. Sed-flips @v4 -> @v4-beta across action.yaml + .github/workflows/*.yaml
+#      (mirrors merge-beta.sh's file scope, opposite direction).
+#   6. Commits the flip on top of the merge commit and pushes.
+#
+# Inverse of merge-beta.sh.
+#
+# Sed safety: @v4 is a prefix of @v4-beta. Naive `s|@v4|@v4-beta|g` would
+# produce @v4-beta-beta. Two scoped patterns are used instead: match @v4 at
+# end-of-line, and @v4 followed by whitespace.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+: ${TARGET_BRANCH:="v4-beta"}    # branch being fixed
+: ${SOURCE_BRANCH:="v4"}         # branch being merged in
+
+if git status --porcelain | grep -q .; then
+    echo ""
+    echo "# -------------------------------------------------------------- #"
+    echo "# Repository has local changes. Automatic merge is not possible. #"
+    echo "# -------------------------------------------------------------- #"
+    echo ""
+    git status --porcelain
+    exit 1
+fi
+
+if [ "${__REAL_RUN:-}" != "true" ]; then
+    echo "Copying script to temporary file to not lose original code during checkouts..."
+    tmp_script="$(mktemp)"
+    cat "${0}" > "${tmp_script}"
+    chmod +x "${tmp_script}"
+    __REAL_RUN="true" "${tmp_script}"
+    exit 0
+fi
+
+echo "Updating remote repository info..."
+git fetch --prune origin
+
+echo "Switching to '${TARGET_BRANCH}'..."
+git checkout "${TARGET_BRANCH}"
+git pull --ff-only
+
+echo "Merging 'origin/${SOURCE_BRANCH}' into '${TARGET_BRANCH}' (theirs wins on conflict)..."
+git merge \
+    --no-edit \
+    --message "Merge ${SOURCE_BRANCH} into ${TARGET_BRANCH}" \
+    "origin/${SOURCE_BRANCH}" \
+    --strategy-option theirs
+
+echo "Flipping @${SOURCE_BRANCH} -> @${TARGET_BRANCH} in action.yaml and workflows..."
+{
+    find . -type f -name "action.yaml"
+    find .github/workflows -type f -name "*.yaml"
+} |
+    while read -r file; do
+        sed "s|@${SOURCE_BRANCH}\$|@${TARGET_BRANCH}|g; s|@${SOURCE_BRANCH}\([[:space:]]\)|@${TARGET_BRANCH}\1|g" "${file}" > "${file}.tmp"
+        mv "${file}.tmp" "${file}"
+    done
+
+if git diff --quiet; then
+    echo "No ref flips needed; merge alone was sufficient."
+else
+    git add -A
+    git commit -m "Re-flip @${SOURCE_BRANCH} -> @${TARGET_BRANCH} after merging ${SOURCE_BRANCH}"
+fi
+
+echo "Pushing '${TARGET_BRANCH}'..."
+git push origin "${TARGET_BRANCH}"
+
+echo "Done. ${TARGET_BRANCH} is now in sync with ${SOURCE_BRANCH}, with internal refs restored to @${TARGET_BRANCH}."

From 234cf21e845c15c49be2f7726218c01ed1d4a887 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 11:31:44 -0700
Subject: [PATCH 02/19] ci: add changeset coverage check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New composite action `actions/changeset/check-coverage` that fails when a
PR's changesets don't bump every workspace package the PR modifies.
Catches the catalog-software gap (pnpm-workspace.yaml catalog version
bumped without a matching changeset for the consuming workflow package).

Wired into the existing `check-changesets` job in node-simple-pnpm.yaml
as a `continue-on-error: true` step on PR / merge_group events. Emits
`::error file=…,line=…::` annotations inline on the PR diff; never
blocks merge.
---
 .github/workflows/node-simple-pnpm.yaml       |   9 +
 actions/changeset/check-coverage/action.yaml  |  26 ++
 .../check-coverage/check-coverage.sh          | 267 ++++++++++++++++++
 3 files changed, 302 insertions(+)
 create mode 100644 actions/changeset/check-coverage/action.yaml
 create mode 100755 actions/changeset/check-coverage/check-coverage.sh

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index aeb9a79d..32dd875f 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -582,6 +582,15 @@ jobs:
           run: |
             pnpm changeset status --since="origin/${BRANCH_NAME}"
 
+      - name: Check changeset coverage
+        if: |
+          always() &&
+          (github.event_name == 'pull_request' || github.event_name == 'merge_group')
+        continue-on-error: true
+        uses: milaboratory/github-ci/actions/changeset/check-coverage@v4-beta
+        with:
+          base-branch: ${{ inputs.changeset-default-branch }}
+
   pre-calculated-build:
     name: pre-build
     runs-on: ${{ inputs.gha-runner-label }}
diff --git a/actions/changeset/check-coverage/action.yaml b/actions/changeset/check-coverage/action.yaml
new file mode 100644
index 00000000..3610522e
--- /dev/null
+++ b/actions/changeset/check-coverage/action.yaml
@@ -0,0 +1,26 @@
+name: Check changeset coverage
+author: 'MiLaboratories'
+description: |
+  Fail if a PR's changesets don't cover every workspace package it modifies.
+
+  Catches the common gap: bumping a catalog version in pnpm-workspace.yaml
+  (e.g. a software package) without a matching changeset bump for the
+  workflow package that consumes it.
+
+  Runs after `pnpm install` — needs `pnpm m ls` to resolve the workspace.
+
+inputs:
+  base-branch:
+    description: Base branch to diff against (e.g. main).
+    required: true
+
+runs:
+  using: 'composite'
+
+  steps:
+    - name: Check changeset coverage
+      shell: bash
+      env:
+        ACTION_PATH: ${{ github.action_path }}
+        BASE_BRANCH: ${{ inputs.base-branch }}
+      run: '${ACTION_PATH}/check-coverage.sh'
diff --git a/actions/changeset/check-coverage/check-coverage.sh b/actions/changeset/check-coverage/check-coverage.sh
new file mode 100755
index 00000000..0f509114
--- /dev/null
+++ b/actions/changeset/check-coverage/check-coverage.sh
@@ -0,0 +1,267 @@
+#!/usr/bin/env bash
+#
+# Verify the PR's changesets bump every workspace package the PR modifies.
+# Exit 1 on a coverage gap; exit 2 on tooling failure; exit 0 otherwise.
+#
+# Two sources of "modified":
+#
+#   1. Direct edits to a workspace package's files (longest-prefix match
+#      against the workspace package roots from `pnpm m ls`).
+#
+#   2. Catalog version bumps in pnpm-workspace.yaml: for each touched
+#      catalog key, find workspace packages that consume it via
+#      `"<key>": "catalog:..."` and require those packages to bump.
+#
+# Skips private (unpublished) workspace packages — they never appear in
+# the changeset's release set.
+#
+# Runs from the repo root after `pnpm install`.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+: "${BASE_BRANCH:?BASE_BRANCH required}"
+
+log()  { printf '%s\n' "$*" >&2; }
+err()  { printf '::error::%s\n' "$*" >&2; }
+
+# Use cwd-relative paths for tmp files — changeset's --output mis-handles
+# absolute paths on macOS (prepends cwd, causing ENOENT). Cwd-relative is
+# safe on every platform.
+status_json=".changeset-coverage-status-$$.json"
+pkg_list_json=".changeset-coverage-pkgs-$$.json"
+
+# ---------------------------------------------------------------------------
+# 1. Bumped set from `changeset status --output=...`.
+# ---------------------------------------------------------------------------
+trap 'rm -f "${status_json}" "${pkg_list_json}"' EXIT
+
+# Invoke the binary directly. `pnpm exec` and `pnpm <script>` spawn subshells
+# that lose `node_modules/.bin` from PATH on repeated invocations. The action
+# runs from the repo root after `pnpm install`, so the binary is at this
+# fixed location in CI.
+changeset_bin='./node_modules/.bin/changeset'
+if [ ! -x "${changeset_bin}" ]; then
+  err 'changeset binary not found. Did `pnpm install` run before this step?'
+  exit 2
+fi
+
+# Capture stderr to distinguish the legitimate "no changesets yet" state
+# (exit 1 + "no changesets were found" message) from a real tooling failure.
+# The former is a coverage gap to report; the latter aborts with exit 2.
+cs_stdouterr=''
+set +e
+cs_stdouterr="$(
+  "${changeset_bin}" status \
+    --output="${status_json}" \
+    --since="origin/${BASE_BRANCH}" 2>&1
+)"
+cs_exit=$?
+set -e
+
+if [ ! -s "${status_json}" ]; then
+  if printf '%s' "${cs_stdouterr}" | grep -q 'no changesets were found'; then
+    # Legitimate empty-changeset case — keep going so the coverage check
+    # surfaces every modified package as missing.
+    echo '{"releases":[]}' >"${status_json}"
+  elif [ "${cs_exit}" -ne 0 ]; then
+    err "changeset status failed (exit ${cs_exit}):"
+    printf '%s\n' "${cs_stdouterr}" | sed 's/^/    /' >&2
+    exit 2
+  else
+    echo '{"releases":[]}' >"${status_json}"
+  fi
+fi
+
+declare -A bumped_set=()
+while IFS= read -r pkg; do
+  [ -n "${pkg}" ] && bumped_set["${pkg}"]=1
+done < <(jq -r '.releases[]?.name // empty' "${status_json}")
+
+if [ "${#bumped_set[@]}" -eq 0 ]; then
+  log 'Changeset bumps: <none>'
+else
+  log "Changeset bumps: ${!bumped_set[*]}"
+fi
+
+# ---------------------------------------------------------------------------
+# 2. Workspace package map.
+# ---------------------------------------------------------------------------
+pnpm m ls --depth -1 --json >"${pkg_list_json}"
+
+# pnpm returns canonical paths (e.g. macOS resolves /var → /private/var).
+# Raw `pwd` doesn't, so the prefix-strip below would silently drop every
+# workspace package. `pwd -P` matches pnpm's view.
+workspace_root="$(pwd -P)"
+declare -A pkg_dir_to_name=()
+declare -A pkg_name_to_dir=()
+declare -A pkg_is_private=()
+
+while IFS=$'\t' read -r pkg_name pkg_path pkg_private; do
+  [ -z "${pkg_name}" ] && continue            # workspace root has no name
+  rel="${pkg_path#${workspace_root}/}"
+  [ "${rel}" = "${pkg_path}" ] && continue    # workspace root itself
+  pkg_dir_to_name["${rel}"]="${pkg_name}"
+  pkg_name_to_dir["${pkg_name}"]="${rel}"
+  pkg_is_private["${pkg_name}"]="${pkg_private}"
+done < <(jq -r '
+    .[]
+    | select(.name != null and .name != "")
+    | [.name, .path, (.private // false | tostring)]
+    | @tsv
+  ' "${pkg_list_json}")
+
+log "Workspace packages: ${#pkg_dir_to_name[@]}"
+
+# ---------------------------------------------------------------------------
+# 3. Modified files vs base branch.
+# ---------------------------------------------------------------------------
+mapfile -t changed_files < <(git diff --name-only "origin/${BASE_BRANCH}...HEAD")
+log "Changed files: ${#changed_files[@]}"
+
+# ---------------------------------------------------------------------------
+# 4. Build required-bump set.
+# ---------------------------------------------------------------------------
+declare -A required_set=()
+declare -A required_reason=()
+# Track the first (file, line) that triggered each required pkg, so the
+# `::error file=…,line=…::` annotation lands on the PR's Files Changed tab
+# rather than only in the job log.
+declare -A required_file=()
+declare -A required_line=()
+
+# Paths that never imply a package bump, regardless of which package directory
+# they happen to live under. Bash `case` globs — `*` does not cross `/`.
+ignore_patterns=(
+  '.changeset/*'
+  '.github/*'
+  'docs/*'
+  'logos/*'
+  'README*'
+  'CHANGELOG*'
+  '.gitignore'
+  '.npmrc'
+)
+
+is_ignored() {
+  local file="$1" pat
+  for pat in "${ignore_patterns[@]}"; do
+    # shellcheck disable=SC2254
+    case "${file}" in ${pat}) return 0 ;; esac
+  done
+  return 1
+}
+
+require_pkg() {
+  local pkg="$1" reason="$2" file="${3:-}" line="${4:-1}"
+  [ -z "${pkg}" ] && return 0
+  [ "${pkg_is_private[${pkg}]:-false}" = 'true' ] && return 0
+  required_set["${pkg}"]=1
+  required_reason["${pkg}"]="${required_reason[${pkg}]:-}${reason}; "
+  # Keep the first (file, line). 4a (direct edits) runs before 4b (catalog),
+  # so when both apply the annotation lands on the actual source change.
+  if [ -z "${required_file[${pkg}]:-}" ] && [ -n "${file}" ]; then
+    required_file["${pkg}"]="${file}"
+    required_line["${pkg}"]="${line}"
+  fi
+}
+
+file_to_pkg() {
+  local file="$1" dir longest=''
+  for dir in "${!pkg_dir_to_name[@]}"; do
+    if [[ "${file}" == "${dir}/"* ]]; then
+      if [ "${#dir}" -gt "${#longest}" ]; then longest="${dir}"; fi
+    fi
+  done
+  if [ -n "${longest}" ]; then
+    printf '%s' "${pkg_dir_to_name[${longest}]}"
+  fi
+  return 0
+}
+
+# 4a. Direct workspace-package edits.
+for file in "${changed_files[@]}"; do
+  [ -z "${file}" ] && continue
+  is_ignored "${file}" && continue
+  [ "${file}" = 'pnpm-workspace.yaml' ] && continue   # handled in 4b
+  pkg="$(file_to_pkg "${file}")"
+  [ -n "${pkg}" ] && require_pkg "${pkg}" "edit in ${file}" "${file}" 1
+done
+
+# 4b. Catalog version bumps in pnpm-workspace.yaml.
+if printf '%s\n' "${changed_files[@]}" | grep -qx 'pnpm-workspace.yaml'; then
+  # Extract catalog keys touched in the diff. Regex matches `'<scope>/<name>':`
+  # and `<name>:`. Structural-yaml false positives (`packages:`, `catalog:`)
+  # self-correct: no package.json depends on them via `catalog:`.
+  mapfile -t catalog_keys < <(
+    git diff "origin/${BASE_BRANCH}...HEAD" -- pnpm-workspace.yaml \
+      | grep -E "^[-+][[:space:]]+'?[@A-Za-z0-9._/-]+'?:" \
+      | sed -E "s/^[-+][[:space:]]+'?([^':]+)'?:.*/\1/" \
+      | sort -u
+  )
+
+  if [ "${#catalog_keys[@]}" -gt 0 ]; then
+    log "Catalog keys touched: ${catalog_keys[*]}"
+    # For each catalog key, find workspace pkgs that depend on it with "catalog:".
+    for key in "${catalog_keys[@]}"; do
+      # Find this key's line in pnpm-workspace.yaml so the annotation lands
+      # there. Three subtleties:
+      #   - `grep -F` (fixed string): pkg names contain regex specials (`.`, `/`, `-`).
+      #   - Search the bare key, not `key:` — quoted entries (`'foo':`) put the
+      #     closing quote between key and colon, so `grep -F 'foo:'` misses.
+      #   - `|| true` swallows grep's exit 1 on no-match; pipefail would
+      #     otherwise trip errexit. Falls through to line=1 below.
+      key_line="$(grep -nF -- "${key}" pnpm-workspace.yaml 2>/dev/null | head -1 | cut -d: -f1 || true)"
+      [ -z "${key_line}" ] && key_line=1
+
+      for name in "${!pkg_name_to_dir[@]}"; do
+        dir="${pkg_name_to_dir[${name}]}"
+        pj="${dir}/package.json"
+        [ -f "${pj}" ] || continue
+        if jq -e --arg k "${key}" '
+            [.dependencies?, .devDependencies?, .peerDependencies?, .optionalDependencies?]
+            | map(select(. != null) | to_entries) | add // []
+            | map(select(.key == $k and ((.value // "") | startswith("catalog"))))
+            | length > 0
+          ' "${pj}" >/dev/null 2>&1; then
+          require_pkg "${name}" "catalog dep '${key}' bumped" \
+            'pnpm-workspace.yaml' "${key_line}"
+        fi
+      done
+    done
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# 5. Compare required vs bumped.
+# ---------------------------------------------------------------------------
+missing=()
+for pkg in "${!required_set[@]}"; do
+  [ -z "${bumped_set[${pkg}]:-}" ] && missing+=("${pkg}")
+done
+
+if [ "${#missing[@]}" -eq 0 ]; then
+  log '✓ Changeset covers every modified package.'
+  exit 0
+fi
+
+# Per-file annotations land inline on the PR's Files Changed tab via the
+# `::error file=…,line=…::` worker protocol.
+for pkg in "${missing[@]}"; do
+  file="${required_file[${pkg}]:-}"
+  line="${required_line[${pkg}]:-1}"
+  [ -z "${file}" ] && continue
+  printf "::error file=%s,line=%s::Package '%s' is modified but missing from any changeset. Add a '%s: patch' (or minor/major) entry to a file under .changeset/.\n" \
+    "${file}" "${line}" "${pkg}" "${pkg}" >&2
+done
+
+# Summary block — appears in the step log for anyone reading job output.
+err 'Changeset coverage gap. The following packages were modified but not bumped:'
+for pkg in "${missing[@]}"; do
+  reason="${required_reason[${pkg}]%; }"
+  err "  - ${pkg}  (${reason})"
+done
+err ''
+err "Add a changeset entry — run \`pnpm changeset\` and select the missing packages."
+exit 1

From 5f79cb04dc46ac81136a6eb3516c59ff7774f598 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 11:54:38 -0700
Subject: [PATCH 03/19] ci: point new step's self-reference at this PR branch
 for canary testing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TODO: REVERT before merging this PR — flip
@feat/changeset-coverage-check back to @v4-beta. The action only
lives on this branch right now; consumers pinning the workflow at
this branch otherwise resolve the nested uses: against v4-beta and
fail to find the action.
---
 .github/workflows/node-simple-pnpm.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 32dd875f..9475b88c 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -587,7 +587,10 @@ jobs:
           always() &&
           (github.event_name == 'pull_request' || github.event_name == 'merge_group')
         continue-on-error: true
-        uses: milaboratory/github-ci/actions/changeset/check-coverage@v4-beta
+        # TODO REVERT BEFORE MERGE: flip @feat/changeset-coverage-check back to
+        # @v4-beta. Self-reference points at this PR branch so consumer PRs can
+        # canary-test it without v4-beta containing the action yet.
+        uses: milaboratory/github-ci/actions/changeset/check-coverage@feat/changeset-coverage-check
         with:
           base-branch: ${{ inputs.changeset-default-branch }}
 

From d5f16a1d93223d62def966a9c0bea21119102b40 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 14:49:18 -0700
Subject: [PATCH 04/19] ci: restore third-party @v4 refs in
 node-simple-pnpm.yaml for canary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The over-broad sed in merge-beta.sh/fix-beta.sh flips @v4 → @v4-beta on
every ref, including third-party actions. actions/checkout and
aws-actions/configure-aws-credentials have no @v4-beta tag upstream,
so the workflow fails to load when a consumer pins this branch.

Only this file is fixed — the minimum needed to canary-test the new
coverage check. The same bug affects 27 other files on v4-beta and
needs a separate sed-scope fix in merge-beta.sh / fix-beta.sh.
---
 .github/workflows/node-simple-pnpm.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 9475b88c..cc0043bb 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -451,7 +451,7 @@ jobs:
     needs:
       - init
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -551,7 +551,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -637,14 +637,14 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
@@ -764,7 +764,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -772,7 +772,7 @@ jobs:
           fetch-depth: '0'
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}

From 335ff48824cd902e412d23b7258856cc5fb197af Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 14:55:45 -0700
Subject: [PATCH 05/19] ci: restore third-party @v4 refs in prepare-pnpm and
 cache-pnpm

Same pre-existing sed-scope bug as the previous commit, now hit in the
composite actions check-changesets transitively calls. Restores
actions/setup-node, pnpm/action-setup, and actions/cache to @v4.
---
 actions/node/cache-pnpm/action.yaml   | 2 +-
 actions/node/prepare-pnpm/action.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/actions/node/cache-pnpm/action.yaml b/actions/node/cache-pnpm/action.yaml
index e17fa5cf..915e31df 100644
--- a/actions/node/cache-pnpm/action.yaml
+++ b/actions/node/cache-pnpm/action.yaml
@@ -30,7 +30,7 @@ runs:
       run: echo "dir=$(pnpm store path)" >> ${GITHUB_OUTPUT}
 
     - name: Cache Node modules
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: |
           ${{ steps.pnpm-store-dir.outputs.dir }}
diff --git a/actions/node/prepare-pnpm/action.yaml b/actions/node/prepare-pnpm/action.yaml
index b2f3f8f5..2fa3b238 100644
--- a/actions/node/prepare-pnpm/action.yaml
+++ b/actions/node/prepare-pnpm/action.yaml
@@ -43,7 +43,7 @@ runs:
 
   steps:
     - name: Install NodeJS - ${{ inputs.node-version }}
-      uses: actions/setup-node@v4-beta
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -55,7 +55,7 @@ runs:
 
     - name: Install pnpm - ${{ inputs.pnpm-version }}
       if: inputs.pnpm-version != ''
-      uses: pnpm/action-setup@v4-beta
+      uses: pnpm/action-setup@v4
       with:
         version: ${{ inputs.pnpm-version }}
 

From 20b88fca902b165acc9b633e6a0b2da1a23d5706 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 16:09:33 -0700
Subject: [PATCH 06/19] Revert canary self-reference; restore @v4-beta for
 review

---
 .github/workflows/node-simple-pnpm.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index cc0043bb..5fe19fc9 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -587,10 +587,7 @@ jobs:
           always() &&
           (github.event_name == 'pull_request' || github.event_name == 'merge_group')
         continue-on-error: true
-        # TODO REVERT BEFORE MERGE: flip @feat/changeset-coverage-check back to
-        # @v4-beta. Self-reference points at this PR branch so consumer PRs can
-        # canary-test it without v4-beta containing the action yet.
-        uses: milaboratory/github-ci/actions/changeset/check-coverage@feat/changeset-coverage-check
+        uses: milaboratory/github-ci/actions/changeset/check-coverage@v4-beta
         with:
           base-branch: ${{ inputs.changeset-default-branch }}
 

From 3efe19dc125e79fffae4d9495af5131d4e11e73f Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 16:13:15 -0700
Subject: [PATCH 07/19] Revert third-party @v4 ref restorations

The pre-existing sed-scope bug in merge-beta.sh / fix-beta.sh will be
handled in a separate ticket. Reverts d5f16a1 and 335ff48.
---
 .github/workflows/node-simple-pnpm.yaml | 12 ++++++------
 actions/node/cache-pnpm/action.yaml     |  2 +-
 actions/node/prepare-pnpm/action.yaml   |  4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 5fe19fc9..32dd875f 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -451,7 +451,7 @@ jobs:
     needs:
       - init
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -551,7 +551,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -634,14 +634,14 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4-beta
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
@@ -761,7 +761,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -769,7 +769,7 @@ jobs:
           fetch-depth: '0'
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4-beta
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
diff --git a/actions/node/cache-pnpm/action.yaml b/actions/node/cache-pnpm/action.yaml
index 915e31df..e17fa5cf 100644
--- a/actions/node/cache-pnpm/action.yaml
+++ b/actions/node/cache-pnpm/action.yaml
@@ -30,7 +30,7 @@ runs:
       run: echo "dir=$(pnpm store path)" >> ${GITHUB_OUTPUT}
 
     - name: Cache Node modules
-      uses: actions/cache@v4
+      uses: actions/cache@v4-beta
       with:
         path: |
           ${{ steps.pnpm-store-dir.outputs.dir }}
diff --git a/actions/node/prepare-pnpm/action.yaml b/actions/node/prepare-pnpm/action.yaml
index 2fa3b238..b2f3f8f5 100644
--- a/actions/node/prepare-pnpm/action.yaml
+++ b/actions/node/prepare-pnpm/action.yaml
@@ -43,7 +43,7 @@ runs:
 
   steps:
     - name: Install NodeJS - ${{ inputs.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v4-beta
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -55,7 +55,7 @@ runs:
 
     - name: Install pnpm - ${{ inputs.pnpm-version }}
       if: inputs.pnpm-version != ''
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v4-beta
       with:
         version: ${{ inputs.pnpm-version }}
 

From bff4168fbca6c85a4a155878894892edae7803d7 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 16:13:54 -0700
Subject: [PATCH 08/19] Fix incomplete revert: flip remaining two @v4 checkout
 refs back to @v4-beta

---
 .github/workflows/node-simple-pnpm.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 32dd875f..31d0dfa8 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -488,7 +488,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -518,7 +518,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4-beta
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}

From f2666337892aee030378fb2f41c34c1824925760 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 17:55:14 -0700
Subject: [PATCH 09/19] ci(changeset/check-coverage): simplify with pnpm filter
 + yq, add bats suite
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refactor check-coverage.sh (267 → 213 lines):
- step 4a now uses `pnpm -r --filter '[origin/<base>]' list` instead of
  hand-rolled longest-prefix matching over the changed-files list and the
  manual ignore patterns. Root-level paths (.github/, docs/, README) aren't
  in any package directory, so pnpm's filter naturally excludes them.
- step 4b parses pnpm-workspace.yaml structurally with yq (flat key=value
  pairs from both .catalog and .catalogs.*) instead of a line-level regex
  over the diff. Avoids the regex's false-positive surface — e.g. an
  unrelated `overrides.<name>` bump no longer spuriously requires
  catalog-consumer bumps.
- workspace map is now built lazily, only when pnpm-workspace.yaml changed.
- drops the `::error file=,line=::` per-file annotation plumbing. Devs land
  on .changeset/ when fixing this anyway; the summary block still names
  every missing package.

Add bats suite under test/ with a minimal pnpm-workspace fixture and a CI
workflow (0-test-changeset-coverage.yaml) that runs the suite on PRs that
touch the action. 14 cases cover direct edits, catalog miss/hit/partial,
private packages, structural-vs-regex catalog parsing, and the no-
changesets corner.
---
 .../workflows/0-test-changeset-coverage.yaml  |  42 ++++
 actions/changeset/check-coverage/action.yaml  |   4 +-
 .../check-coverage/check-coverage.sh          | 198 +++++++-----------
 .../changeset/check-coverage/test/README.md   |  74 +++++++
 .../check-coverage/test/coverage.bats         | 134 ++++++++++++
 .../minimal-workspace/.changeset/config.json  |  12 ++
 .../test/fixtures/minimal-workspace/README.md |   9 +
 .../minimal-workspace/docs/overview.md        |   3 +
 .../fixtures/minimal-workspace/package.json   |   8 +
 .../minimal-workspace/packages/pkg-a/index.js |   1 +
 .../packages/pkg-a/package.json               |   8 +
 .../minimal-workspace/packages/pkg-b/index.js |   1 +
 .../packages/pkg-b/package.json               |   8 +
 .../minimal-workspace/packages/pkg-c/index.js |   1 +
 .../packages/pkg-c/package.json               |   8 +
 .../packages/pkg-private/index.js             |   1 +
 .../packages/pkg-private/package.json         |   9 +
 .../minimal-workspace/pnpm-workspace.yaml     |   6 +
 .../check-coverage/test/helpers.bash          |  86 ++++++++
 19 files changed, 485 insertions(+), 128 deletions(-)
 create mode 100644 .github/workflows/0-test-changeset-coverage.yaml
 create mode 100644 actions/changeset/check-coverage/test/README.md
 create mode 100644 actions/changeset/check-coverage/test/coverage.bats
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/.changeset/config.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/README.md
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/docs/overview.md
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/package.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/index.js
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/package.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/index.js
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/package.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/index.js
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/package.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/index.js
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/package.json
 create mode 100644 actions/changeset/check-coverage/test/fixtures/minimal-workspace/pnpm-workspace.yaml
 create mode 100644 actions/changeset/check-coverage/test/helpers.bash

diff --git a/.github/workflows/0-test-changeset-coverage.yaml b/.github/workflows/0-test-changeset-coverage.yaml
new file mode 100644
index 00000000..3facee5d
--- /dev/null
+++ b/.github/workflows/0-test-changeset-coverage.yaml
@@ -0,0 +1,42 @@
+name: 'Test: changeset/check-coverage'
+
+on:
+  workflow_call:
+  pull_request:
+    paths:
+      - 'actions/changeset/check-coverage/**'
+      - '.github/workflows/0-test-changeset-coverage.yaml'
+  push:
+    paths:
+      - 'actions/changeset/check-coverage/**'
+      - '.github/workflows/0-test-changeset-coverage.yaml'
+    branches: ['v4', 'v4-beta']
+
+jobs:
+  bats:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install bats
+        run: sudo apt-get update && sudo apt-get install -y bats
+
+      - name: Verify required tools are present
+        run: |
+          which jq yq pnpm bats
+          jq --version
+          yq --version
+          pnpm --version
+          bats --version
+
+      - name: Run changeset/check-coverage bats suite
+        working-directory: actions/changeset/check-coverage
+        run: bats test/coverage.bats
diff --git a/actions/changeset/check-coverage/action.yaml b/actions/changeset/check-coverage/action.yaml
index 3610522e..462ec85d 100644
--- a/actions/changeset/check-coverage/action.yaml
+++ b/actions/changeset/check-coverage/action.yaml
@@ -7,7 +7,9 @@ description: |
   (e.g. a software package) without a matching changeset bump for the
   workflow package that consumes it.
 
-  Runs after `pnpm install` — needs `pnpm m ls` to resolve the workspace.
+  Runs after `pnpm install`. Requires the runner to have `pnpm`, `jq`, and
+  `yq` (mikefarah, v4+) on PATH — all pre-installed on GitHub-hosted
+  ubuntu-latest images.
 
 inputs:
   base-branch:
diff --git a/actions/changeset/check-coverage/check-coverage.sh b/actions/changeset/check-coverage/check-coverage.sh
index 0f509114..f15e52ac 100755
--- a/actions/changeset/check-coverage/check-coverage.sh
+++ b/actions/changeset/check-coverage/check-coverage.sh
@@ -5,8 +5,9 @@
 #
 # Two sources of "modified":
 #
-#   1. Direct edits to a workspace package's files (longest-prefix match
-#      against the workspace package roots from `pnpm m ls`).
+#   1. Direct edits to a workspace package's files, detected via
+#      `pnpm --filter '[<base>]' list` — pnpm runs the per-package
+#      git-diff check itself.
 #
 #   2. Catalog version bumps in pnpm-workspace.yaml: for each touched
 #      catalog key, find workspace packages that consume it via
@@ -86,118 +87,83 @@ else
 fi
 
 # ---------------------------------------------------------------------------
-# 2. Workspace package map.
-# ---------------------------------------------------------------------------
-pnpm m ls --depth -1 --json >"${pkg_list_json}"
-
-# pnpm returns canonical paths (e.g. macOS resolves /var → /private/var).
-# Raw `pwd` doesn't, so the prefix-strip below would silently drop every
-# workspace package. `pwd -P` matches pnpm's view.
-workspace_root="$(pwd -P)"
-declare -A pkg_dir_to_name=()
-declare -A pkg_name_to_dir=()
-declare -A pkg_is_private=()
-
-while IFS=$'\t' read -r pkg_name pkg_path pkg_private; do
-  [ -z "${pkg_name}" ] && continue            # workspace root has no name
-  rel="${pkg_path#${workspace_root}/}"
-  [ "${rel}" = "${pkg_path}" ] && continue    # workspace root itself
-  pkg_dir_to_name["${rel}"]="${pkg_name}"
-  pkg_name_to_dir["${pkg_name}"]="${rel}"
-  pkg_is_private["${pkg_name}"]="${pkg_private}"
-done < <(jq -r '
-    .[]
-    | select(.name != null and .name != "")
-    | [.name, .path, (.private // false | tostring)]
-    | @tsv
-  ' "${pkg_list_json}")
-
-log "Workspace packages: ${#pkg_dir_to_name[@]}"
-
-# ---------------------------------------------------------------------------
-# 3. Modified files vs base branch.
-# ---------------------------------------------------------------------------
-mapfile -t changed_files < <(git diff --name-only "origin/${BASE_BRANCH}...HEAD")
-log "Changed files: ${#changed_files[@]}"
-
-# ---------------------------------------------------------------------------
-# 4. Build required-bump set.
+# 2. Required-bump set.
 # ---------------------------------------------------------------------------
 declare -A required_set=()
 declare -A required_reason=()
-# Track the first (file, line) that triggered each required pkg, so the
-# `::error file=…,line=…::` annotation lands on the PR's Files Changed tab
-# rather than only in the job log.
-declare -A required_file=()
-declare -A required_line=()
-
-# Paths that never imply a package bump, regardless of which package directory
-# they happen to live under. Bash `case` globs — `*` does not cross `/`.
-ignore_patterns=(
-  '.changeset/*'
-  '.github/*'
-  'docs/*'
-  'logos/*'
-  'README*'
-  'CHANGELOG*'
-  '.gitignore'
-  '.npmrc'
-)
-
-is_ignored() {
-  local file="$1" pat
-  for pat in "${ignore_patterns[@]}"; do
-    # shellcheck disable=SC2254
-    case "${file}" in ${pat}) return 0 ;; esac
-  done
-  return 1
-}
 
 require_pkg() {
-  local pkg="$1" reason="$2" file="${3:-}" line="${4:-1}"
+  local pkg="$1" reason="$2"
   [ -z "${pkg}" ] && return 0
-  [ "${pkg_is_private[${pkg}]:-false}" = 'true' ] && return 0
   required_set["${pkg}"]=1
   required_reason["${pkg}"]="${required_reason[${pkg}]:-}${reason}; "
-  # Keep the first (file, line). 4a (direct edits) runs before 4b (catalog),
-  # so when both apply the annotation lands on the actual source change.
-  if [ -z "${required_file[${pkg}]:-}" ] && [ -n "${file}" ]; then
-    required_file["${pkg}"]="${file}"
-    required_line["${pkg}"]="${line}"
-  fi
 }
 
-file_to_pkg() {
-  local file="$1" dir longest=''
-  for dir in "${!pkg_dir_to_name[@]}"; do
-    if [[ "${file}" == "${dir}/"* ]]; then
-      if [ "${#dir}" -gt "${#longest}" ]; then longest="${dir}"; fi
-    fi
-  done
-  if [ -n "${longest}" ]; then
-    printf '%s' "${pkg_dir_to_name[${longest}]}"
-  fi
-  return 0
-}
+# 2a. Direct workspace-package edits.
+#
+# `pnpm --filter '[<since>]' list` selects packages whose own files changed
+# (pnpm runs the per-package `git diff` itself). Root-level paths like
+# `.github/`, `docs/`, `pnpm-workspace.yaml`, or `README.md` are not in any
+# package directory and so don't trigger inclusion — no manual ignore list
+# needed.
+#
+# The jq filter drops private packages here (they never appear in a
+# changeset's release set), so `require_pkg` doesn't need to re-check.
+while IFS= read -r pkg; do
+  [ -n "${pkg}" ] && require_pkg "${pkg}" 'direct edit'
+done < <(
+  pnpm -r --filter "[origin/${BASE_BRANCH}]" list --depth -1 --json 2>/dev/null \
+    | jq -r '.[] | select(.name != null and .name != "" and .private != true) | .name'
+)
 
-# 4a. Direct workspace-package edits.
-for file in "${changed_files[@]}"; do
-  [ -z "${file}" ] && continue
-  is_ignored "${file}" && continue
-  [ "${file}" = 'pnpm-workspace.yaml' ] && continue   # handled in 4b
-  pkg="$(file_to_pkg "${file}")"
-  [ -n "${pkg}" ] && require_pkg "${pkg}" "edit in ${file}" "${file}" 1
-done
+log "Direct-edit packages: ${#required_set[@]}"
 
-# 4b. Catalog version bumps in pnpm-workspace.yaml.
-if printf '%s\n' "${changed_files[@]}" | grep -qx 'pnpm-workspace.yaml'; then
-  # Extract catalog keys touched in the diff. Regex matches `'<scope>/<name>':`
-  # and `<name>:`. Structural-yaml false positives (`packages:`, `catalog:`)
-  # self-correct: no package.json depends on them via `catalog:`.
+# 2b. Catalog version bumps in pnpm-workspace.yaml.
+#
+# Only runs when the workspace yaml itself changed. Builds a full
+# workspace map so we can find every consumer of each touched catalog key.
+if git diff --name-only "origin/${BASE_BRANCH}...HEAD" | grep -qx 'pnpm-workspace.yaml'; then
+  pnpm -r list --depth -1 --json >"${pkg_list_json}"
+
+  # pnpm returns canonical absolute paths; strip the workspace root via
+  # `pwd -P` so the result matches the workspace's view on either platform.
+  workspace_root="$(pwd -P)"
+  declare -A pkg_name_to_dir=()
+  declare -A pkg_is_private=()
+
+  while IFS=$'\t' read -r pkg_name pkg_path pkg_private; do
+    [ -z "${pkg_name}" ] && continue           # workspace root has no name
+    rel="${pkg_path#${workspace_root}/}"
+    [ "${rel}" = "${pkg_path}" ] && continue   # workspace root itself
+    pkg_name_to_dir["${pkg_name}"]="${rel}"
+    pkg_is_private["${pkg_name}"]="${pkg_private}"
+  done < <(jq -r '
+      .[]
+      | select(.name != null and .name != "")
+      | [.name, .path, (.private // false | tostring)]
+      | @tsv
+    ' "${pkg_list_json}")
+
+  # Extract catalog keys whose value changed (added, removed, or bumped).
+  # Parse both the base and head versions structurally with yq, flatten the
+  # default catalog and any named catalogs to `key=value` lines, then take
+  # entries unique to either side. Avoids the false-positive surface of a
+  # line-level regex on the raw diff.
+  cat_pairs() {
+    yq -e '
+      [
+        (.catalog // {} | to_entries[]),
+        (.catalogs // {} | to_entries[].value // {} | to_entries[])
+      ] | .[] | .key + "=" + .value
+    ' 2>/dev/null || true
+  }
+  old_pairs="$(git show "origin/${BASE_BRANCH}:pnpm-workspace.yaml" 2>/dev/null | cat_pairs || true)"
+  new_pairs="$(cat_pairs <pnpm-workspace.yaml || true)"
   mapfile -t catalog_keys < <(
-    git diff "origin/${BASE_BRANCH}...HEAD" -- pnpm-workspace.yaml \
-      | grep -E "^[-+][[:space:]]+'?[@A-Za-z0-9._/-]+'?:" \
-      | sed -E "s/^[-+][[:space:]]+'?([^':]+)'?:.*/\1/" \
+    { printf '%s\n' "${old_pairs}"; printf '%s\n' "${new_pairs}"; } \
+      | sed '/^$/d' \
+      | sort | uniq -u \
+      | sed -E 's/=.*//' \
       | sort -u
   )
 
@@ -205,19 +171,9 @@ if printf '%s\n' "${changed_files[@]}" | grep -qx 'pnpm-workspace.yaml'; then
     log "Catalog keys touched: ${catalog_keys[*]}"
     # For each catalog key, find workspace pkgs that depend on it with "catalog:".
     for key in "${catalog_keys[@]}"; do
-      # Find this key's line in pnpm-workspace.yaml so the annotation lands
-      # there. Three subtleties:
-      #   - `grep -F` (fixed string): pkg names contain regex specials (`.`, `/`, `-`).
-      #   - Search the bare key, not `key:` — quoted entries (`'foo':`) put the
-      #     closing quote between key and colon, so `grep -F 'foo:'` misses.
-      #   - `|| true` swallows grep's exit 1 on no-match; pipefail would
-      #     otherwise trip errexit. Falls through to line=1 below.
-      key_line="$(grep -nF -- "${key}" pnpm-workspace.yaml 2>/dev/null | head -1 | cut -d: -f1 || true)"
-      [ -z "${key_line}" ] && key_line=1
-
       for name in "${!pkg_name_to_dir[@]}"; do
-        dir="${pkg_name_to_dir[${name}]}"
-        pj="${dir}/package.json"
+        [ "${pkg_is_private[${name}]:-false}" = 'true' ] && continue
+        pj="${pkg_name_to_dir[${name}]}/package.json"
         [ -f "${pj}" ] || continue
         if jq -e --arg k "${key}" '
             [.dependencies?, .devDependencies?, .peerDependencies?, .optionalDependencies?]
@@ -225,8 +181,7 @@ if printf '%s\n' "${changed_files[@]}" | grep -qx 'pnpm-workspace.yaml'; then
             | map(select(.key == $k and ((.value // "") | startswith("catalog"))))
             | length > 0
           ' "${pj}" >/dev/null 2>&1; then
-          require_pkg "${name}" "catalog dep '${key}' bumped" \
-            'pnpm-workspace.yaml' "${key_line}"
+          require_pkg "${name}" "catalog dep '${key}' bumped"
         fi
       done
     done
@@ -234,7 +189,7 @@ if printf '%s\n' "${changed_files[@]}" | grep -qx 'pnpm-workspace.yaml'; then
 fi
 
 # ---------------------------------------------------------------------------
-# 5. Compare required vs bumped.
+# 3. Compare required vs bumped.
 # ---------------------------------------------------------------------------
 missing=()
 for pkg in "${!required_set[@]}"; do
@@ -246,17 +201,6 @@ if [ "${#missing[@]}" -eq 0 ]; then
   exit 0
 fi
 
-# Per-file annotations land inline on the PR's Files Changed tab via the
-# `::error file=…,line=…::` worker protocol.
-for pkg in "${missing[@]}"; do
-  file="${required_file[${pkg}]:-}"
-  line="${required_line[${pkg}]:-1}"
-  [ -z "${file}" ] && continue
-  printf "::error file=%s,line=%s::Package '%s' is modified but missing from any changeset. Add a '%s: patch' (or minor/major) entry to a file under .changeset/.\n" \
-    "${file}" "${line}" "${pkg}" "${pkg}" >&2
-done
-
-# Summary block — appears in the step log for anyone reading job output.
 err 'Changeset coverage gap. The following packages were modified but not bumped:'
 for pkg in "${missing[@]}"; do
   reason="${required_reason[${pkg}]%; }"
diff --git a/actions/changeset/check-coverage/test/README.md b/actions/changeset/check-coverage/test/README.md
new file mode 100644
index 00000000..e959a052
--- /dev/null
+++ b/actions/changeset/check-coverage/test/README.md
@@ -0,0 +1,74 @@
+# `check-coverage` tests
+
+Bats suite for `../check-coverage.sh`.
+
+## Run locally
+
+From the action directory:
+
+```bash
+cd actions/changeset/check-coverage
+bats test/coverage.bats
+```
+
+Or from anywhere in the worktree:
+
+```bash
+bats actions/changeset/check-coverage/test/coverage.bats
+```
+
+The first run takes ~30s (one `pnpm install` into the shared fixture).
+Subsequent assertions reuse that install — each test only does a tar copy
+and a couple of git ops.
+
+## Dependencies
+
+| Tool   | macOS                 | ubuntu-latest |
+| ------ | --------------------- | ------------- |
+| `bats` | `brew install bats-core` | `apt-get install -y bats` |
+| `yq`   | `brew install yq`     | preinstalled  |
+| `jq`   | preinstalled          | preinstalled  |
+| `pnpm` | `brew install pnpm`   | `pnpm/action-setup@v4` |
+| `node` | any modern version    | `actions/setup-node@v4` |
+
+## How it works
+
+- `helpers.bash` builds a single base workspace under `$BATS_FILE_TMPDIR/base`
+  in `setup_file`: copies the fixture, runs `pnpm install`, inits a git repo
+  with `gc.auto=0` (suppresses the async repack that would otherwise race
+  the tar copy), commits, and synthesizes an `origin/main` ref.
+- Each test (`setup`) tars the base into `$BATS_TEST_TMPDIR/ws`, switches
+  to a `feature` branch, applies mutations via the helpers
+  (`touch_file`, `add_changeset`, `bump_catalog`), and runs the script
+  with `BASE_BRANCH=main`. The test asserts on the script's exit code and
+  the captured `$output`.
+
+## Fixture
+
+`fixtures/minimal-workspace/` — small pnpm workspace:
+
+- `packages/pkg-a`, `packages/pkg-b` — both consume `is-number` via `catalog:`
+- `packages/pkg-c` — consumes `is-string` via `catalog:`
+- `packages/pkg-private` — `"private": true`, never requires a bump
+
+## CI
+
+`.github/workflows/0-test-changeset-coverage.yaml` runs the suite on
+`pull_request` and `push` (`v4`, `v4-beta`) whenever files under
+`actions/changeset/check-coverage/**` or the workflow itself change.
+
+## Adding a test
+
+```bats
+@test "describe the contract" {
+  touch_file 'packages/pkg-a/index.js'        # mutate
+  add_changeset '"@check-coverage-test/pkg-a": patch' 'edit pkg-a'
+  run_check                                   # sets $status, $output
+  [ "${status}" -eq 0 ]
+  [[ "${output}" == *'expected substring'* ]]
+}
+```
+
+The helpers in `helpers.bash` cover the common mutations. Drop down to
+raw `git -C "${WORKSPACE}"` calls or `yq -i` edits when you need
+something they don't.
diff --git a/actions/changeset/check-coverage/test/coverage.bats b/actions/changeset/check-coverage/test/coverage.bats
new file mode 100644
index 00000000..0b0c098a
--- /dev/null
+++ b/actions/changeset/check-coverage/test/coverage.bats
@@ -0,0 +1,134 @@
+#!/usr/bin/env bats
+
+load helpers.bash
+
+setup_file() {
+  _build_base_workspace "${BATS_FILE_TMPDIR}/base"
+}
+
+setup() {
+  new_workspace
+}
+
+# ---------------------------------------------------------------------------
+# Direct edits.
+# ---------------------------------------------------------------------------
+
+@test "passes when nothing under any package changes" {
+  touch_file 'README.md' 'workspace-root readme edit'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "passes when only docs/ at workspace root changes" {
+  touch_file 'docs/overview.md' 'doc update'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "fails when a package is edited without a changeset" {
+  touch_file 'packages/pkg-a/index.js'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-a'* ]]
+}
+
+@test "passes when a package is edited and a matching changeset is added" {
+  touch_file 'packages/pkg-a/index.js'
+  add_changeset '"@check-coverage-test/pkg-a": patch' 'edit pkg-a'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "edit to a private package never requires a bump" {
+  touch_file 'packages/pkg-private/index.js'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "reports every missing package, not just the first" {
+  touch_file 'packages/pkg-a/index.js'
+  touch_file 'packages/pkg-b/index.js'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-a'* ]]
+  [[ "${output}" == *'@check-coverage-test/pkg-b'* ]]
+}
+
+@test "reports only the still-missing package when one of many is covered" {
+  touch_file 'packages/pkg-a/index.js'
+  touch_file 'packages/pkg-b/index.js'
+  add_changeset '"@check-coverage-test/pkg-a": patch' 'edit pkg-a'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-b'* ]]
+  # The covered package should not appear in the missing list.
+  [[ "${output}" != *'- @check-coverage-test/pkg-a'* ]]
+}
+
+# ---------------------------------------------------------------------------
+# Catalog bumps.
+# ---------------------------------------------------------------------------
+
+@test "catalog bump without consumer bumps fails and names every consumer" {
+  bump_catalog 'is-number' '^7.0.1'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-a'* ]]
+  [[ "${output}" == *'@check-coverage-test/pkg-b'* ]]
+  # pkg-c consumes is-string, not is-number — should not be flagged.
+  [[ "${output}" != *'@check-coverage-test/pkg-c'* ]]
+}
+
+@test "catalog bump with both consumers bumped passes" {
+  bump_catalog 'is-number' '^7.0.1'
+  add_changeset '"@check-coverage-test/pkg-a": patch
+"@check-coverage-test/pkg-b": patch' 'bump is-number'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "catalog bump where only one consumer is bumped still fails for the other" {
+  bump_catalog 'is-number' '^7.0.1'
+  add_changeset '"@check-coverage-test/pkg-a": patch' 'bump is-number partial'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-b'* ]]
+  [[ "${output}" != *'- @check-coverage-test/pkg-a'* ]]
+}
+
+@test "non-catalog YAML edits in pnpm-workspace.yaml don't trigger requirements" {
+  # An `overrides` entry that happens to share a name with a catalog key.
+  # Bumping it must NOT be treated as a catalog change — yq's structural
+  # parse ignores anything outside .catalog / .catalogs.
+  yq -i '.overrides."is-number" = "^7.0.5"' "${WORKSPACE}/pnpm-workspace.yaml"
+  git -C "${WORKSPACE}" commit --quiet -am 'bump override (not catalog)'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "catalog bump for an unused key does not require any package" {
+  # Add then bump a catalog entry no one consumes.
+  yq -i '.catalog."unused-pkg" = "^1.0.0"' "${WORKSPACE}/pnpm-workspace.yaml"
+  git -C "${WORKSPACE}" commit --quiet -am 'add unused catalog key'
+  bump_catalog 'unused-pkg' '^1.0.1'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+# ---------------------------------------------------------------------------
+# Empty-changeset corner case.
+# ---------------------------------------------------------------------------
+
+@test "no changesets at all + irrelevant edit passes" {
+  touch_file 'README.md' 'no-package change'
+  run_check
+  [ "${status}" -eq 0 ]
+}
+
+@test "no changesets at all + package edit fails" {
+  touch_file 'packages/pkg-c/index.js'
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-c'* ]]
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/.changeset/config.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/.changeset/config.json
new file mode 100644
index 00000000..d71982fe
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/.changeset/config.json
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.3/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "restricted",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "privatePackages": false,
+  "ignore": []
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/README.md b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/README.md
new file mode 100644
index 00000000..2f5885ba
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/README.md
@@ -0,0 +1,9 @@
+# Test fixture workspace
+
+Minimal pnpm workspace used by `check-coverage` bats tests.
+
+- `packages/pkg-a` and `packages/pkg-b` both consume `is-number` via the catalog.
+- `packages/pkg-c` consumes `is-string` via the catalog.
+- `packages/pkg-private` is marked `private: true` and should never require a bump.
+
+Tests mutate this fixture inside a temp clone — the originals stay untouched.
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/docs/overview.md b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/docs/overview.md
new file mode 100644
index 00000000..224c0ef7
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/docs/overview.md
@@ -0,0 +1,3 @@
+# Overview
+
+Placeholder doc inside the workspace-root `docs/` directory.
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/package.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/package.json
new file mode 100644
index 00000000..ec7e4356
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "@check-coverage-test/root",
+  "private": true,
+  "version": "0.0.0",
+  "devDependencies": {
+    "@changesets/cli": "^2.27.0"
+  }
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/index.js b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/index.js
new file mode 100644
index 00000000..02d53827
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/index.js
@@ -0,0 +1 @@
+module.exports = require('is-number');
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/package.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/package.json
new file mode 100644
index 00000000..1a24dfaa
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-a/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "@check-coverage-test/pkg-a",
+  "version": "1.0.0",
+  "main": "index.js",
+  "dependencies": {
+    "is-number": "catalog:"
+  }
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/index.js b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/index.js
new file mode 100644
index 00000000..02d53827
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/index.js
@@ -0,0 +1 @@
+module.exports = require('is-number');
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/package.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/package.json
new file mode 100644
index 00000000..7652bbeb
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-b/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "@check-coverage-test/pkg-b",
+  "version": "1.0.0",
+  "main": "index.js",
+  "dependencies": {
+    "is-number": "catalog:"
+  }
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/index.js b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/index.js
new file mode 100644
index 00000000..8d900016
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/index.js
@@ -0,0 +1 @@
+module.exports = require('is-string');
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/package.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/package.json
new file mode 100644
index 00000000..52c31ddf
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-c/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "@check-coverage-test/pkg-c",
+  "version": "1.0.0",
+  "main": "index.js",
+  "dependencies": {
+    "is-string": "catalog:"
+  }
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/index.js b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/index.js
new file mode 100644
index 00000000..02d53827
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/index.js
@@ -0,0 +1 @@
+module.exports = require('is-number');
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/package.json b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/package.json
new file mode 100644
index 00000000..fdd11a1f
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/packages/pkg-private/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "@check-coverage-test/pkg-private",
+  "version": "1.0.0",
+  "private": true,
+  "main": "index.js",
+  "dependencies": {
+    "is-number": "catalog:"
+  }
+}
diff --git a/actions/changeset/check-coverage/test/fixtures/minimal-workspace/pnpm-workspace.yaml b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/pnpm-workspace.yaml
new file mode 100644
index 00000000..31318b20
--- /dev/null
+++ b/actions/changeset/check-coverage/test/fixtures/minimal-workspace/pnpm-workspace.yaml
@@ -0,0 +1,6 @@
+packages:
+  - packages/*
+
+catalog:
+  is-number: ^7.0.0
+  is-string: ^1.0.7
diff --git a/actions/changeset/check-coverage/test/helpers.bash b/actions/changeset/check-coverage/test/helpers.bash
new file mode 100644
index 00000000..25f22f6c
--- /dev/null
+++ b/actions/changeset/check-coverage/test/helpers.bash
@@ -0,0 +1,86 @@
+# Shared helpers for check-coverage bats tests.
+#
+# The expensive step is `pnpm install`. setup_file builds one shared install
+# under $BATS_FILE_TMPDIR/base and each test rsyncs from it — keeps the suite
+# under a few seconds even with many cases.
+
+TEST_DIR="${BATS_TEST_DIRNAME:-$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)}"
+SCRIPT_UNDER_TEST="${TEST_DIR}/../check-coverage.sh"
+FIXTURE_SRC="${TEST_DIR}/fixtures/minimal-workspace"
+
+# Build the shared, pnpm-installed base workspace with an initial git commit
+# on `main` and a synthesized `origin/main` ref. Setting gc.auto=0 BEFORE the
+# first commit suppresses git's async auto-gc, which would otherwise repack
+# `.git/objects` mid-test and break the per-test tar copy.
+_build_base_workspace() {
+  local base="$1"
+  rm -rf "${base}"
+  cp -R "${FIXTURE_SRC}" "${base}"
+
+  (
+    cd "${base}"
+    pnpm install --silent --ignore-scripts >/dev/null
+    git init --quiet --initial-branch=main
+    git config gc.auto 0
+    git config gc.autoDetach false
+    git config user.email 'test@example.com'
+    git config user.name  'Test'
+    git add -A
+    git commit --quiet -m 'initial'
+    git update-ref refs/remotes/origin/main main
+  ) >/dev/null 2>&1
+}
+
+# Per-test: copy the base into a fresh workspace and switch to a feature
+# branch. The tar pipe avoids macOS xattr warnings that `cp -R` and
+# openrsync emit when cloning `.git/objects`.
+new_workspace() {
+  WORKSPACE="${BATS_TEST_TMPDIR}/ws"
+  rm -rf "${WORKSPACE}"
+  mkdir -p "${WORKSPACE}"
+  ( cd "${BATS_FILE_TMPDIR}/base" && tar -cf - . ) | ( cd "${WORKSPACE}" && tar -xf - )
+  git -C "${WORKSPACE}" checkout --quiet -b feature
+}
+
+# Run the script in $WORKSPACE with BASE_BRANCH=main. Sets $status and $output.
+run_check() {
+  cd "${WORKSPACE}"
+  BASE_BRANCH=main run "${SCRIPT_UNDER_TEST}"
+}
+
+# Drop a changeset markdown file. Args: bump-spec, then "title".
+# bump-spec is the YAML front-matter body, e.g. '@check-coverage-test/pkg-a: patch'.
+add_changeset() {
+  local body="$1"
+  local title="${2:-test changeset}"
+  local slug
+  slug="$(printf '%s' "${title}" | tr -cs 'a-z0-9' '-' | sed 's/^-\|-$//g')"
+  cat >"${WORKSPACE}/.changeset/${slug}.md" <<EOF
+---
+${body}
+---
+
+${title}
+EOF
+  git -C "${WORKSPACE}" add ".changeset/${slug}.md"
+  git -C "${WORKSPACE}" commit --quiet -m "add changeset: ${title}"
+}
+
+# Edit a file under $WORKSPACE, stage and commit. Args: relpath, content (or
+# defaults to appending a comment).
+touch_file() {
+  local rel="$1" content="${2:-// edit}"
+  mkdir -p "$(dirname "${WORKSPACE}/${rel}")"
+  printf '%s\n' "${content}" >>"${WORKSPACE}/${rel}"
+  git -C "${WORKSPACE}" add "${rel}"
+  git -C "${WORKSPACE}" commit --quiet -m "edit ${rel}"
+}
+
+# Bump a default-catalog entry in pnpm-workspace.yaml. Args: key, new-version.
+bump_catalog() {
+  local key="$1" version="$2"
+  # yq edits in place.
+  yq -i ".catalog.\"${key}\" = \"${version}\"" "${WORKSPACE}/pnpm-workspace.yaml"
+  git -C "${WORKSPACE}" add pnpm-workspace.yaml
+  git -C "${WORKSPACE}" commit --quiet -m "bump catalog ${key} to ${version}"
+}

From 978fede5331f0d452f7f8d8f9054ceaecc9df431 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 17:57:45 -0700
Subject: [PATCH 10/19] =?UTF-8?q?ci(changeset/check-coverage):=20drop=20pn?=
 =?UTF-8?q?pm=20version=20pin=20=E2=80=94=20repo's=20packageManager=20wins?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/0-test-changeset-coverage.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/0-test-changeset-coverage.yaml b/.github/workflows/0-test-changeset-coverage.yaml
index 3facee5d..dc811d03 100644
--- a/.github/workflows/0-test-changeset-coverage.yaml
+++ b/.github/workflows/0-test-changeset-coverage.yaml
@@ -18,9 +18,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      # No `version:` — the repo's root package.json sets `packageManager`,
+      # and pnpm/action-setup errors if both are specified.
       - uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - uses: actions/setup-node@v4
         with:

From 36cf08ba05b5e8699e89ee56f6cb2dc328fa4ce4 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 19:15:30 -0700
Subject: [PATCH 11/19] ci(changeset/check-coverage): scope test workflow to
 action changes only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Drop the workflow-self path from the trigger filter — the suite should
only run when the action it tests actually changes. Add workflow_dispatch
as a manual escape hatch for re-running after a workflow edit.
---
 .github/workflows/0-test-changeset-coverage.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/0-test-changeset-coverage.yaml b/.github/workflows/0-test-changeset-coverage.yaml
index dc811d03..6d8a2d23 100644
--- a/.github/workflows/0-test-changeset-coverage.yaml
+++ b/.github/workflows/0-test-changeset-coverage.yaml
@@ -2,14 +2,13 @@ name: 'Test: changeset/check-coverage'
 
 on:
   workflow_call:
+  workflow_dispatch:   # manual escape hatch — also lets us re-run after a workflow edit
   pull_request:
     paths:
       - 'actions/changeset/check-coverage/**'
-      - '.github/workflows/0-test-changeset-coverage.yaml'
   push:
     paths:
       - 'actions/changeset/check-coverage/**'
-      - '.github/workflows/0-test-changeset-coverage.yaml'
     branches: ['v4', 'v4-beta']
 
 jobs:

From c26ec3277a45a27fd3f18e69815c2747f16c9a08 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 19:26:27 -0700
Subject: [PATCH 12/19] ci(changeset/check-coverage): fail fast on bash < 4

declare -A is bash 4+. macOS ships 3.2 at /bin/bash; without homebrew's
bash earlier on PATH the script aborts at the first declare with a
cryptic 'invalid option'. Detect at start and emit a useful error
instead.
---
 actions/changeset/check-coverage/check-coverage.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/actions/changeset/check-coverage/check-coverage.sh b/actions/changeset/check-coverage/check-coverage.sh
index f15e52ac..3af31bad 100755
--- a/actions/changeset/check-coverage/check-coverage.sh
+++ b/actions/changeset/check-coverage/check-coverage.sh
@@ -27,6 +27,15 @@ set -o pipefail
 log()  { printf '%s\n' "$*" >&2; }
 err()  { printf '::error::%s\n' "$*" >&2; }
 
+# Associative arrays (`declare -A`) require bash 4+. macOS ships bash 3.2 at
+# /bin/bash; without homebrew's bash earlier on PATH, the script would abort
+# at the first `declare -A` with a cryptic `invalid option`. Fail fast with
+# a useful message instead.
+if [ "${BASH_VERSINFO[0]:-0}" -lt 4 ]; then
+  err "check-coverage requires bash 4+ (found ${BASH_VERSION:-unknown})."
+  exit 2
+fi
+
 # Use cwd-relative paths for tmp files — changeset's --output mis-handles
 # absolute paths on macOS (prepends cwd, causing ENOENT). Cwd-relative is
 # safe on every platform.

From 7f82c4849f298ea35fd7920f0e8ca2fd85abad86 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 19:28:34 -0700
Subject: [PATCH 13/19] ci(changeset/check-coverage): clarify bash-guard
 comment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Note that ubuntu-latest runners ship bash 5+ — so the guard is a no-op
in CI; it exists to help local runs on macOS, whose /bin/bash is still
3.2 and would otherwise produce a cryptic 'invalid option' error.
---
 actions/changeset/check-coverage/check-coverage.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/actions/changeset/check-coverage/check-coverage.sh b/actions/changeset/check-coverage/check-coverage.sh
index 3af31bad..78111283 100755
--- a/actions/changeset/check-coverage/check-coverage.sh
+++ b/actions/changeset/check-coverage/check-coverage.sh
@@ -27,8 +27,10 @@ set -o pipefail
 log()  { printf '%s\n' "$*" >&2; }
 err()  { printf '::error::%s\n' "$*" >&2; }
 
-# Associative arrays (`declare -A`) require bash 4+. macOS ships bash 3.2 at
-# /bin/bash; without homebrew's bash earlier on PATH, the script would abort
+# Associative arrays (`declare -A`) require bash 4+. The GitHub-hosted
+# ubuntu-latest runners ship bash 5+, so this guard is a no-op in CI today.
+# It matters when running locally on macOS: /bin/bash is still 3.2, and
+# without homebrew's bash earlier on PATH the script would otherwise abort
 # at the first `declare -A` with a cryptic `invalid option`. Fail fast with
 # a useful message instead.
 if [ "${BASH_VERSINFO[0]:-0}" -lt 4 ]; then

From 5baba6258b8792590576717c4179632ff17a0807 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 19:36:04 -0700
Subject: [PATCH 14/19] Revert "Fix incomplete revert: flip remaining two @v4
 checkout refs back to @v4-beta"

This reverts commit bff4168fbca6c85a4a155878894892edae7803d7.
---
 .github/workflows/node-simple-pnpm.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 31d0dfa8..32dd875f 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -488,7 +488,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -518,7 +518,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}

From 06ff85c8254b34af9cbdfe816032da52edfb2248 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Tue, 26 May 2026 21:19:32 -0700
Subject: [PATCH 15/19] ci(changeset/check-coverage): address review feedback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- check-coverage.sh: tighten catalog detection to `startswith("catalog:")`
  (was `startswith("catalog")`) — pnpm's protocol prefix is the literal
  `catalog:`.

- node-simple-pnpm.yaml: add `!cancelled()` to the coverage-check
  conditional so the step skips on cancelled jobs (manual cancel,
  concurrency-group eviction) instead of burning runner minutes.

- test/helpers.bash: harden `_build_base_workspace` — `set -e` inside
  the subshell, capture output to a log file, dump only on failure.
  Without this, a silently failing `pnpm install` corrupts the base
  workspace and every test then fails with a confusing error pointing
  at the script under test, not the install.

- test/coverage.bats: three new tests.
  - BASE_BRANCH input: production callers pass `v4` (or `master`),
    not `main`. Five `origin/${BASE_BRANCH}` references in the script
    could regress to hardcoded `main`; this guards against it.
  - exit 2 on missing changeset binary: locks down the tooling-failure
    contract distinct from exit 1 (coverage gap).
  - named-catalog over-flagging: skip-marked, documents the deferred
    bug from the PR body with a runnable fixture for the follow-up.
---
 .github/workflows/node-simple-pnpm.yaml       |  2 +-
 .../check-coverage/check-coverage.sh          |  2 +-
 .../check-coverage/test/coverage.bats         | 72 +++++++++++++++++++
 .../check-coverage/test/helpers.bash          | 16 ++++-
 4 files changed, 87 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 32dd875f..3a707d38 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -584,7 +584,7 @@ jobs:
 
       - name: Check changeset coverage
         if: |
-          always() &&
+          always() && !cancelled() &&
           (github.event_name == 'pull_request' || github.event_name == 'merge_group')
         continue-on-error: true
         uses: milaboratory/github-ci/actions/changeset/check-coverage@v4-beta
diff --git a/actions/changeset/check-coverage/check-coverage.sh b/actions/changeset/check-coverage/check-coverage.sh
index 78111283..a7ad8311 100755
--- a/actions/changeset/check-coverage/check-coverage.sh
+++ b/actions/changeset/check-coverage/check-coverage.sh
@@ -189,7 +189,7 @@ if git diff --name-only "origin/${BASE_BRANCH}...HEAD" | grep -qx 'pnpm-workspac
         if jq -e --arg k "${key}" '
             [.dependencies?, .devDependencies?, .peerDependencies?, .optionalDependencies?]
             | map(select(. != null) | to_entries) | add // []
-            | map(select(.key == $k and ((.value // "") | startswith("catalog"))))
+            | map(select(.key == $k and ((.value // "") | startswith("catalog:"))))
             | length > 0
           ' "${pj}" >/dev/null 2>&1; then
           require_pkg "${name}" "catalog dep '${key}' bumped"
diff --git a/actions/changeset/check-coverage/test/coverage.bats b/actions/changeset/check-coverage/test/coverage.bats
index 0b0c098a..369a6d98 100644
--- a/actions/changeset/check-coverage/test/coverage.bats
+++ b/actions/changeset/check-coverage/test/coverage.bats
@@ -132,3 +132,75 @@ setup() {
   [ "${status}" -eq 1 ]
   [[ "${output}" == *'@check-coverage-test/pkg-c'* ]]
 }
+
+# ---------------------------------------------------------------------------
+# Base-branch input.
+# ---------------------------------------------------------------------------
+
+# Production callers pass `inputs.changeset-default-branch` (typically `v4`
+# in this repo, `master` in others). The script touches `origin/${BASE_BRANCH}`
+# in five places — this guards against any of them regressing to a hardcoded
+# `main`.
+@test "respects BASE_BRANCH input (works against origin/v4, not just main)" {
+  git -C "${WORKSPACE}" update-ref refs/remotes/origin/v4 refs/remotes/origin/main
+  git -C "${WORKSPACE}" update-ref -d refs/remotes/origin/main
+  touch_file 'packages/pkg-a/index.js'
+  cd "${WORKSPACE}"
+  BASE_BRANCH=v4 run "${SCRIPT_UNDER_TEST}"
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-a'* ]]
+}
+
+# ---------------------------------------------------------------------------
+# Tooling failures.
+# ---------------------------------------------------------------------------
+
+# Exit 2 is the contract for "tooling broken, can't determine coverage" —
+# distinct from exit 1 ("gap found"). Without this, a regression that turns
+# a missing binary into a silent pass-through wouldn't be caught.
+@test "exit 2 when changeset binary is missing" {
+  rm -f "${WORKSPACE}/node_modules/.bin/changeset"
+  touch_file 'packages/pkg-a/index.js'
+  run_check
+  [ "${status}" -eq 2 ]
+  [[ "${output}" == *'changeset binary not found'* ]]
+}
+
+# ---------------------------------------------------------------------------
+# Known limitations (skipped — document deferred follow-ups).
+# ---------------------------------------------------------------------------
+
+# Documents the deferred bug from PR #168: the catalog-key flatten in
+# check-coverage.sh collapses `.catalogs.alpha.<key>` and `.catalogs.beta.<key>`
+# into a single key=value stream, losing which named catalog owns each entry.
+# When two named catalogs both pin the same package and only one bumps, the
+# symmetric diff still emits the bare key — so consumers of the *unchanged*
+# catalog get spuriously flagged. Un-skip once the script tracks the
+# catalog-name discriminator.
+@test "named-catalog change should not flag consumers of unchanged catalog" {
+  skip "Known limitation: catalog flatten loses named-catalog discriminator (PR #168 follow-up)"
+
+  yq -i '
+    .catalogs.alpha."is-number" = "^7.0.0" |
+    .catalogs.beta."is-number"  = "^7.0.0"
+  ' "${WORKSPACE}/pnpm-workspace.yaml"
+
+  # pkg-a → catalog:alpha; pkg-b → catalog:beta.
+  for pair in 'pkg-a:alpha' 'pkg-b:beta'; do
+    name="${pair%:*}"; cat="${pair#*:}"
+    pj="${WORKSPACE}/packages/${name}/package.json"
+    jq --arg c "catalog:${cat}" '.dependencies."is-number" = $c' "${pj}" >"${pj}.tmp"
+    mv "${pj}.tmp" "${pj}"
+  done
+  git -C "${WORKSPACE}" commit --quiet -am 'add named catalogs (alpha, beta)'
+
+  # Bump alpha only — beta is untouched.
+  yq -i '.catalogs.alpha."is-number" = "^7.0.1"' "${WORKSPACE}/pnpm-workspace.yaml"
+  git -C "${WORKSPACE}" commit --quiet -am 'bump alpha catalog only'
+
+  run_check
+  [ "${status}" -eq 1 ]
+  [[ "${output}" == *'@check-coverage-test/pkg-a'* ]]
+  # Currently fails: pkg-b is also flagged because of the catalog flatten.
+  [[ "${output}" != *'@check-coverage-test/pkg-b'* ]]
+}
diff --git a/actions/changeset/check-coverage/test/helpers.bash b/actions/changeset/check-coverage/test/helpers.bash
index 25f22f6c..3df0476e 100644
--- a/actions/changeset/check-coverage/test/helpers.bash
+++ b/actions/changeset/check-coverage/test/helpers.bash
@@ -17,9 +17,15 @@ _build_base_workspace() {
   rm -rf "${base}"
   cp -R "${FIXTURE_SRC}" "${base}"
 
-  (
+  # Capture output to a log file; only emit on failure. Without `set -e`
+  # inside the subshell, a failing `pnpm install` would corrupt the base
+  # silently and every test would then fail with a confusing error pointing
+  # at the script under test, not the install.
+  local log="${BATS_FILE_TMPDIR}/base-setup.log"
+  if ! (
+    set -e
     cd "${base}"
-    pnpm install --silent --ignore-scripts >/dev/null
+    pnpm install --silent --ignore-scripts
     git init --quiet --initial-branch=main
     git config gc.auto 0
     git config gc.autoDetach false
@@ -28,7 +34,11 @@ _build_base_workspace() {
     git add -A
     git commit --quiet -m 'initial'
     git update-ref refs/remotes/origin/main main
-  ) >/dev/null 2>&1
+  ) >"${log}" 2>&1; then
+    echo "base workspace setup failed; full log:" >&2
+    cat "${log}" >&2
+    return 1
+  fi
 }
 
 # Per-test: copy the base into a fresh workspace and switch to a feature

From 5789c1ede782d697a49c6ab89b42aec13f34058d Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Wed, 27 May 2026 08:06:36 -0700
Subject: [PATCH 16/19] =?UTF-8?q?ci(changeset/check-coverage):=20clarify?=
 =?UTF-8?q?=20description=20=E2=80=94=20direct=20edit=20is=20the=20primary?=
 =?UTF-8?q?=20case?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The prior description led with the catalog-version gap, but the more
common case the action catches is the simple one: edit files inside a
workspace package, forget to add that package to the changeset. List
both, with the direct-edit case first.
---
 actions/changeset/check-coverage/action.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/actions/changeset/check-coverage/action.yaml b/actions/changeset/check-coverage/action.yaml
index 462ec85d..07f97209 100644
--- a/actions/changeset/check-coverage/action.yaml
+++ b/actions/changeset/check-coverage/action.yaml
@@ -3,9 +3,11 @@ author: 'MiLaboratories'
 description: |
   Fail if a PR's changesets don't cover every workspace package it modifies.
 
-  Catches the common gap: bumping a catalog version in pnpm-workspace.yaml
-  (e.g. a software package) without a matching changeset bump for the
-  workflow package that consumes it.
+  Catches two common gaps:
+    - editing files inside a workspace package (e.g. block code under
+      packages/<pkg>/) without adding that package to the changeset;
+    - bumping a catalog version in pnpm-workspace.yaml without a matching
+      bump for the workflow packages that consume it via `catalog:`.
 
   Runs after `pnpm install`. Requires the runner to have `pnpm`, `jq`, and
   `yq` (mikefarah, v4+) on PATH — all pre-installed on GitHub-hosted

From 59b1aabb579d19ab370bcbe5fd6c80f886b009bc Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Thu, 28 May 2026 09:04:28 -0700
Subject: [PATCH 17/19] fix: restore third-party action refs mangled by
 sed-scope bug
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

merge-beta.sh and fix-beta.sh perform a blanket sed flip of @v4 ↔
@v4-beta across action.yaml and .github/workflows/*.yaml. The intent
is to keep self-references (milaboratory/github-ci/...) on the right
ref for each branch. The sed pattern is too greedy: it also rewrites
third-party action refs that happen to be pinned to @v4 — for example
actions/checkout@v4 becomes actions/checkout@v4-beta, a tag that
doesn't exist in the upstream repo.

Symptom on v4-beta runs:

  Unable to resolve action `actions/checkout@v4-beta`,
  unable to find version `v4-beta`

This blocks the `get run metadata` and `preflight (require-latest)`
jobs in node-simple-pnpm.yaml and similar workflows, cascading skips
into downstream jobs (`check for changesets`, `pre-build`, etc.).
Caught while canary-testing PR #168 (changeset coverage check).

This commit flips back, on v4-beta only, the 107 third-party refs that
were incorrectly rewritten across 36 files. Affected action repos:

  actions/checkout              (41 lines)
  aws-actions/configure-aws-credentials (24)
  actions/cache                 (13)
  actions/download-artifact     (12)
  actions/upload-artifact       (8, incl. one /merge subpath)
  actions/setup-java            (3)
  actions/setup-node            (2)
  pnpm/action-setup             (1)
  azure/setup-kubectl           (1)
  azure/setup-helm              (1)

milaboratory/github-ci/...@v4-beta self-refs are unchanged.

Follow-up: the underlying sed scope in merge-beta.sh / fix-beta.sh
should be tightened so this doesn't recur on the next promotion.
Tracked separately.
---
 .github/workflows/0-automerge.yaml            |  2 +-
 .github/workflows/0-build-docker.yaml         |  6 +--
 .github/workflows/0-merge-beta.yaml           |  2 +-
 .github/workflows/0-scan-containers.yaml      | 10 ++--
 .github/workflows/0-test.yaml                 |  2 +-
 .github/workflows/block-mark-stable.yaml      |  6 +--
 .github/workflows/deploy-docs.yaml            |  6 +--
 .github/workflows/docker-github.yaml          |  2 +-
 .github/workflows/java-gradle.yaml            | 46 +++++++++----------
 .../node-docker-simple-fast-pnpm.yaml         |  6 +--
 .github/workflows/node-go-simple.yaml         |  8 ++--
 .github/workflows/node-matrix-pnpm.yaml       | 14 +++---
 .github/workflows/node-matrix.yaml            | 12 ++---
 .github/workflows/node-simple-pnpm-k8s.yaml   |  8 ++--
 .github/workflows/node-simple-pnpm.yaml       | 12 ++---
 .github/workflows/node-simple.yaml            |  6 +--
 actions/artifact/create-empty/action.yaml     |  4 +-
 actions/artifact/restore/action.yaml          |  2 +-
 actions/artifact/save/action.yaml             |  2 +-
 actions/aws/cloudfront/action.yaml            |  2 +-
 actions/golang/cache/action.yaml              |  6 +--
 actions/matrix/read/action.yaml               |  2 +-
 actions/node/cache-pnpm/action.yaml           |  2 +-
 actions/node/cache/action.yaml                |  6 +--
 actions/node/prepare-pnpm/action.yaml         |  4 +-
 actions/node/prepare/action.yaml              |  2 +-
 actions/python/cache/action.yaml              |  2 +-
 actions/rust/cache/action.yaml                |  2 +-
 blocks/java/build/action.yaml                 |  6 +--
 blocks/java/test/action.yaml                  |  4 +-
 blocks/node/build-and-publish/action.yaml     |  4 +-
 blocks/release/registry-bin/action.yaml       |  4 +-
 blocks/release/s3/action.yaml                 |  4 +-
 blocks/signing-tools/windows-sign/action.yaml |  2 +-
 blocks/update-cdn-link/action.yaml            |  2 +-
 blocks/update-s3-latest/action.yaml           |  4 +-
 36 files changed, 107 insertions(+), 107 deletions(-)

diff --git a/.github/workflows/0-automerge.yaml b/.github/workflows/0-automerge.yaml
index 18ff8e48..a5d7256b 100644
--- a/.github/workflows/0-automerge.yaml
+++ b/.github/workflows/0-automerge.yaml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/0-build-docker.yaml b/.github/workflows/0-build-docker.yaml
index cff7d8a9..49710758 100644
--- a/.github/workflows/0-build-docker.yaml
+++ b/.github/workflows/0-build-docker.yaml
@@ -21,7 +21,7 @@ jobs:
       IMAGE_NAME: 'hook'
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
 
       - name: Log in to the Container registry
         uses: docker/login-action@v2
@@ -45,7 +45,7 @@ jobs:
       IMAGE_NAME: 'git-crypt'
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
 
       - name: Log in to the Container registry
         uses: docker/login-action@v2
@@ -69,7 +69,7 @@ jobs:
       IMAGE_NAME: 'nginx-spa'
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
 
       - name: Log in to the Container registry
         uses: docker/login-action@v2
diff --git a/.github/workflows/0-merge-beta.yaml b/.github/workflows/0-merge-beta.yaml
index 14ff7204..8904b284 100644
--- a/.github/workflows/0-merge-beta.yaml
+++ b/.github/workflows/0-merge-beta.yaml
@@ -30,7 +30,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.target_branch || 'v4' }}
           token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/0-scan-containers.yaml b/.github/workflows/0-scan-containers.yaml
index 616f85dc..b3045936 100644
--- a/.github/workflows/0-scan-containers.yaml
+++ b/.github/workflows/0-scan-containers.yaml
@@ -43,7 +43,7 @@ jobs:
           repository: ${{ github.event.inputs.repository || 'milaboratories/pl-containers' }}
           concurrency: ${{ github.event.inputs.concurrency || 3 }}
 
-      - uses: actions/upload-artifact@v4-beta
+      - uses: actions/upload-artifact@v4
         with:
           name: 00-scanning-plan
           path: ${{ steps.plan.outputs.plan-dir }}
@@ -63,7 +63,7 @@ jobs:
 
     steps:
       - name: Download plan
-        uses: actions/download-artifact@v4-beta
+        uses: actions/download-artifact@v4
         with:
           name: 00-scanning-plan
           path: "scan-chunks"
@@ -87,13 +87,13 @@ jobs:
     if: always()
     steps:
       - name: Download skipped list
-        uses: actions/download-artifact@v4-beta
+        uses: actions/download-artifact@v4
         with:
           name: skipped-images
           path: ./consolidated
 
       - name: Download all reports
-        uses: actions/download-artifact@v4-beta
+        uses: actions/download-artifact@v4
         with:
           pattern: 'report-*'
           merge-multiple: true
@@ -106,7 +106,7 @@ jobs:
           summarize-dir: ./consolidated
 
       - name: Upload consolidated report
-        uses: actions/upload-artifact@v4-beta
+        uses: actions/upload-artifact@v4
         with:
           name: 00-consolidated-report
           path: ./consolidated
diff --git a/.github/workflows/0-test.yaml b/.github/workflows/0-test.yaml
index 21bd6046..1bc23225 100644
--- a/.github/workflows/0-test.yaml
+++ b/.github/workflows/0-test.yaml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/block-mark-stable.yaml b/.github/workflows/block-mark-stable.yaml
index 643051f4..b4d14481 100644
--- a/.github/workflows/block-mark-stable.yaml
+++ b/.github/workflows/block-mark-stable.yaml
@@ -171,7 +171,7 @@ jobs:
     needs:
       init
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -204,11 +204,11 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
-      - uses: aws-actions/configure-aws-credentials@v4-beta
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           aws-region: ${{ inputs.aws-region }}
diff --git a/.github/workflows/deploy-docs.yaml b/.github/workflows/deploy-docs.yaml
index d9546500..7184f4cb 100644
--- a/.github/workflows/deploy-docs.yaml
+++ b/.github/workflows/deploy-docs.yaml
@@ -189,7 +189,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -237,7 +237,7 @@ jobs:
             mkdocs build
 
       - id: artifact
-        uses: actions/upload-artifact@v4-beta
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.app-name-slug }}
           path: ${{ inputs.dist-archive-path }}
@@ -282,7 +282,7 @@ jobs:
       - id: context
         uses: milaboratory/github-ci/actions/context@v4-beta
 
-      - uses: actions/download-artifact@v4-beta
+      - uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.app-name-slug }}
           path: ${{ inputs.app-name-slug }}
diff --git a/.github/workflows/docker-github.yaml b/.github/workflows/docker-github.yaml
index c646e05e..90076f2e 100644
--- a/.github/workflows/docker-github.yaml
+++ b/.github/workflows/docker-github.yaml
@@ -191,7 +191,7 @@ jobs:
       - init
 
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
diff --git a/.github/workflows/java-gradle.yaml b/.github/workflows/java-gradle.yaml
index e68378c8..5058a90d 100644
--- a/.github/workflows/java-gradle.yaml
+++ b/.github/workflows/java-gradle.yaml
@@ -1058,7 +1058,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1069,7 +1069,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.dist-archive-s3-iam-role-to-assume }}
           aws-region: ${{ inputs.dist-archive-s3-region }}
@@ -1132,7 +1132,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1184,7 +1184,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1195,7 +1195,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.test-s3-iam-role-to-assume  }}
           aws-region: ${{ inputs.test-s3-region }}
@@ -1295,7 +1295,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1306,7 +1306,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.test-s3-iam-role-to-assume  }}
           aws-region: ${{ inputs.test-s3-region }}
@@ -1409,7 +1409,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
           fetch-depth: 0
@@ -1421,7 +1421,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.test-s3-iam-role-to-assume  }}
           aws-region: ${{ inputs.test-s3-region }}
@@ -1491,7 +1491,7 @@ jobs:
             echo "Wait random number of second before saving the artifact."
             sleep "${RAN_SEC}"
 
-      - uses: actions/upload-artifact@v4-beta
+      - uses: actions/upload-artifact@v4
         if: steps.verify-changed-files.outputs.files_changed == 'true'
         with:
           name: test-regression-${{ matrix.test }}
@@ -1524,7 +1524,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -1547,14 +1547,14 @@ jobs:
       - uses: milaboratory/github-ci/actions/artifact/create-empty@v4-beta
 
       - id: merged-artifact
-        uses: actions/upload-artifact/merge@v4-beta
+        uses: actions/upload-artifact/merge@v4
         with:
           name: test-regression
           pattern: test-regression-*
           separate-directories: false
           delete-merged: true
 
-      - uses: actions/download-artifact@v4-beta
+      - uses: actions/download-artifact@v4
         if: steps.merged-artifact.outputs.artifact-id != ''
         with:
           name: test-regression
@@ -1694,7 +1694,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1705,7 +1705,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.dist-archive-s3-iam-role-to-assume }}
           aws-region: ${{ inputs.dist-archive-s3-region }}
@@ -1813,7 +1813,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1824,7 +1824,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.dist-archive-s3-iam-role-to-assume }}
           aws-region: ${{ inputs.dist-archive-s3-region }}
@@ -1914,7 +1914,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -1925,7 +1925,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.dist-library-s3-iam-role-to-assume }}
           aws-region: ${{ inputs.dist-library-s3-region }}
@@ -2023,7 +2023,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -2217,7 +2217,7 @@ jobs:
       - id: context
         uses: milaboratory/github-ci/actions/context@v4-beta
 
-      - uses: actions/download-artifact@v4-beta
+      - uses: actions/download-artifact@v4
         if: inputs.dist-archive
         with:
           name: ${{ inputs.product-name-slug }}
@@ -2294,7 +2294,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -2305,7 +2305,7 @@ jobs:
           gpg-key-password: ${{ secrets.GIT_CRYPT_KEY_PASSWORD }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ inputs.release-s3-iam-role-to-assume }}
           aws-region: ${{ inputs.release-s3-region }}
diff --git a/.github/workflows/node-docker-simple-fast-pnpm.yaml b/.github/workflows/node-docker-simple-fast-pnpm.yaml
index f3fdc578..e6e9ee50 100644
--- a/.github/workflows/node-docker-simple-fast-pnpm.yaml
+++ b/.github/workflows/node-docker-simple-fast-pnpm.yaml
@@ -406,7 +406,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -415,7 +415,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -431,7 +431,7 @@ jobs:
             ghwa_set_output npm-pkg-version "${NPM_PKG_VERSION}"
             ghwa_set_output pnpm-pkg-version "${PNPM_PKG_VERSION}"
 
-      - uses: aws-actions/configure-aws-credentials@v4-beta
+      - uses: aws-actions/configure-aws-credentials@v4
         if: inputs.aws-login-enable
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE || env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
diff --git a/.github/workflows/node-go-simple.yaml b/.github/workflows/node-go-simple.yaml
index 07b50176..3005dfda 100644
--- a/.github/workflows/node-go-simple.yaml
+++ b/.github/workflows/node-go-simple.yaml
@@ -353,7 +353,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -443,7 +443,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -589,7 +589,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -627,7 +627,7 @@ jobs:
           npmrc-config: ${{ inputs.npmrc-config }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         if: inputs.aws-login-enable
           && steps.npm-pkg-status.outputs.exist == '0'
           && steps.context.outputs.is-release == 'true'
diff --git a/.github/workflows/node-matrix-pnpm.yaml b/.github/workflows/node-matrix-pnpm.yaml
index ade8ee8c..f6b2b9da 100644
--- a/.github/workflows/node-matrix-pnpm.yaml
+++ b/.github/workflows/node-matrix-pnpm.yaml
@@ -479,7 +479,7 @@ jobs:
     needs:
       - init
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -513,7 +513,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
           fetch-depth: '0'
@@ -575,7 +575,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
           token: ${{ steps.app-token.outputs.token }}
@@ -590,7 +590,7 @@ jobs:
             sudo apt-get install -y build-essential gfortran libopenblas-dev liblapack-dev cmake pkg-config
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
@@ -655,7 +655,7 @@ jobs:
           options: ${{ inputs.ccache-options }}
 
       - name: Cache additional paths
-        uses: actions/cache@v4-beta
+        uses: actions/cache@v4
         if: inputs.cache-paths != ''
         with:
           path: ${{ inputs.cache-paths }}
@@ -793,7 +793,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
           token: ${{ steps.app-token.outputs.token }}
@@ -809,7 +809,7 @@ jobs:
             sudo apt-get install -y build-essential gfortran libopenblas-dev liblapack-dev cmake pkg-config
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
diff --git a/.github/workflows/node-matrix.yaml b/.github/workflows/node-matrix.yaml
index 52b986de..a5b67f85 100644
--- a/.github/workflows/node-matrix.yaml
+++ b/.github/workflows/node-matrix.yaml
@@ -467,7 +467,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -494,7 +494,7 @@ jobs:
           options: ${{ inputs.ccache-options }}
 
       - name: Cache additional paths
-        uses: actions/cache@v4-beta
+        uses: actions/cache@v4
         if: inputs.cache-paths != ''
         with:
           path: ${{ inputs.cache-paths }}
@@ -552,7 +552,7 @@ jobs:
           access-token: ${{ steps.gcp-auth.outputs.access_token }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         if: inputs.aws-login-enable
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -656,7 +656,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -748,7 +748,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
 
@@ -784,7 +784,7 @@ jobs:
           pattern: build-artifacts-*
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         if: inputs.aws-login-enable
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
diff --git a/.github/workflows/node-simple-pnpm-k8s.yaml b/.github/workflows/node-simple-pnpm-k8s.yaml
index 72400087..fb68598a 100644
--- a/.github/workflows/node-simple-pnpm-k8s.yaml
+++ b/.github/workflows/node-simple-pnpm-k8s.yaml
@@ -301,17 +301,17 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: azure/setup-kubectl@v4-beta
+      - uses: azure/setup-kubectl@v4
         with:
           version: ${{ inputs.kubectl-version }}
 
-      - uses: azure/setup-helm@v4-beta
+      - uses: azure/setup-helm@v4
         with:
           version: ${{ inputs.helm-version }}
 
       - uses: google-github-actions/setup-gcloud@v2
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           submodules: ${{ inputs.checkout-submodules }}
           fetch-depth: "0"
@@ -346,7 +346,7 @@ jobs:
 
       - name: Configure AWS credentials
         if: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE != '' }}
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 3a707d38..9eaaed22 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -451,7 +451,7 @@ jobs:
     needs:
       - init
     steps:
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -551,7 +551,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -634,14 +634,14 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
@@ -761,7 +761,7 @@ jobs:
           app-id: ${{ secrets.GH_ZEN_APP_ID }}
           private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-git-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -769,7 +769,7 @@ jobs:
           fetch-depth: '0'
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4-beta
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
           role-duration-seconds: ${{ inputs.aws-login-duration }}
diff --git a/.github/workflows/node-simple.yaml b/.github/workflows/node-simple.yaml
index 39e19fac..56c903ba 100644
--- a/.github/workflows/node-simple.yaml
+++ b/.github/workflows/node-simple.yaml
@@ -363,7 +363,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -454,7 +454,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
@@ -616,7 +616,7 @@ jobs:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
 
-      - uses: actions/checkout@v4-beta
+      - uses: actions/checkout@v4
         with:
           lfs: ${{ inputs.checkout-lfs }}
           submodules: ${{ inputs.checkout-submodules }}
diff --git a/actions/artifact/create-empty/action.yaml b/actions/artifact/create-empty/action.yaml
index f22a40dc..543eb466 100644
--- a/actions/artifact/create-empty/action.yaml
+++ b/actions/artifact/create-empty/action.yaml
@@ -2,14 +2,14 @@ name: Create empty artifact for regression tests
 author: 'MiLaboratories'
 description: |
   Create empty artifact for regression tests because now
-  actions/upload-artifact/merge@v4-beta doesn't support option
+  actions/upload-artifact/merge@v4 doesn't support option
   if-no-files-found: ignore
 
 runs:
   using: "composite"
 
   steps:
-    - uses: actions/upload-artifact@v4-beta
+    - uses: actions/upload-artifact@v4
       with:
         name: test-regression-empty
         path: ${{ github.action_path }}/init.txt
diff --git a/actions/artifact/restore/action.yaml b/actions/artifact/restore/action.yaml
index 518235be..fc463e1e 100644
--- a/actions/artifact/restore/action.yaml
+++ b/actions/artifact/restore/action.yaml
@@ -60,7 +60,7 @@ runs:
         archive_name="artifact-5b3513f5"
         echo "name=${archive_name}" >> "${GITHUB_OUTPUT}"
 
-    - uses: actions/download-artifact@v4-beta
+    - uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.name }}
         pattern: ${{ inputs.pattern }}
diff --git a/actions/artifact/save/action.yaml b/actions/artifact/save/action.yaml
index 2bd974ba..ab6c4639 100644
--- a/actions/artifact/save/action.yaml
+++ b/actions/artifact/save/action.yaml
@@ -128,7 +128,7 @@ runs:
     # - uses: fawazahmed0/action-debug-vscode@main
     #   if: inputs.interactive-debug == 'true'
 
-    - uses: actions/upload-artifact@v4-beta
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ inputs.name }}
         if-no-files-found: ${{ inputs.if-no-files-found }}
diff --git a/actions/aws/cloudfront/action.yaml b/actions/aws/cloudfront/action.yaml
index a3343d6d..366698ec 100644
--- a/actions/aws/cloudfront/action.yaml
+++ b/actions/aws/cloudfront/action.yaml
@@ -45,7 +45,7 @@ runs:
   using: "composite"
 
   steps:
-    - uses: aws-actions/configure-aws-credentials@v4-beta
+    - uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.aws-iam-role-to-assume }}
         aws-region: ${{ inputs.aws-region }}
diff --git a/actions/golang/cache/action.yaml b/actions/golang/cache/action.yaml
index 306f20c7..bf27d655 100644
--- a/actions/golang/cache/action.yaml
+++ b/actions/golang/cache/action.yaml
@@ -35,7 +35,7 @@ runs:
   steps:
     - name: Cache Golang modules on Linux
       if: runner.os == 'Linux'
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         save-always: ${{ inputs.cache-save-always }}
         path: |
@@ -47,7 +47,7 @@ runs:
 
     - name: Cache Golang modules on macOS
       if: runner.os == 'macOS'
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         save-always: ${{ inputs.cache-save-always }}
         path: |
@@ -59,7 +59,7 @@ runs:
 
     - name: Cache Golang modules on Windows
       if: runner.os == 'Windows'
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         save-always: ${{ inputs.cache-save-always }}
         path: |
diff --git a/actions/matrix/read/action.yaml b/actions/matrix/read/action.yaml
index 5ba1ca27..a432a957 100644
--- a/actions/matrix/read/action.yaml
+++ b/actions/matrix/read/action.yaml
@@ -17,7 +17,7 @@ runs:
   using: "composite"
 
   steps:
-    - uses: actions/download-artifact@v4-beta
+    - uses: actions/download-artifact@v4
 
     - id: context
       shell: bash
diff --git a/actions/node/cache-pnpm/action.yaml b/actions/node/cache-pnpm/action.yaml
index e17fa5cf..915e31df 100644
--- a/actions/node/cache-pnpm/action.yaml
+++ b/actions/node/cache-pnpm/action.yaml
@@ -30,7 +30,7 @@ runs:
       run: echo "dir=$(pnpm store path)" >> ${GITHUB_OUTPUT}
 
     - name: Cache Node modules
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: |
           ${{ steps.pnpm-store-dir.outputs.dir }}
diff --git a/actions/node/cache/action.yaml b/actions/node/cache/action.yaml
index a7e8b5e6..ec447825 100644
--- a/actions/node/cache/action.yaml
+++ b/actions/node/cache/action.yaml
@@ -37,7 +37,7 @@ runs:
 
   steps:
     - name: Cache Electron libs
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       if: inputs.is-electron-application == 'true'
       with:
         path: |
@@ -50,7 +50,7 @@ runs:
 
     - name: Cache local 'node_modules'
       if: inputs.local-cache == 'on' && inputs.is-electron-application == 'true'
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: node_modules
         key: ${{ runner.os }}-${{ runner.arch }}-cache-${{ inputs.cache-version }}-node_modules-${{ hashFiles(inputs.hashfiles-search-path) }}
@@ -63,7 +63,7 @@ runs:
       run: echo "dir=$(npm config get cache)" >> ${GITHUB_OUTPUT}
 
     - name: Cache Node modules
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       if: inputs.is-electron-application == 'false'
       with:
         path: ${{ steps.npm-cache-dir.outputs.dir }}
diff --git a/actions/node/prepare-pnpm/action.yaml b/actions/node/prepare-pnpm/action.yaml
index b2f3f8f5..2fa3b238 100644
--- a/actions/node/prepare-pnpm/action.yaml
+++ b/actions/node/prepare-pnpm/action.yaml
@@ -43,7 +43,7 @@ runs:
 
   steps:
     - name: Install NodeJS - ${{ inputs.node-version }}
-      uses: actions/setup-node@v4-beta
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -55,7 +55,7 @@ runs:
 
     - name: Install pnpm - ${{ inputs.pnpm-version }}
       if: inputs.pnpm-version != ''
-      uses: pnpm/action-setup@v4-beta
+      uses: pnpm/action-setup@v4
       with:
         version: ${{ inputs.pnpm-version }}
 
diff --git a/actions/node/prepare/action.yaml b/actions/node/prepare/action.yaml
index eaed2748..9993b809 100644
--- a/actions/node/prepare/action.yaml
+++ b/actions/node/prepare/action.yaml
@@ -82,7 +82,7 @@ runs:
 
   steps:
     - name: Install NodeJS - ${{ inputs.node-version }}
-      uses: actions/setup-node@v4-beta
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
         registry-url: ${{ inputs.registry-url }}
diff --git a/actions/python/cache/action.yaml b/actions/python/cache/action.yaml
index 88005baa..d99feca4 100644
--- a/actions/python/cache/action.yaml
+++ b/actions/python/cache/action.yaml
@@ -30,7 +30,7 @@ runs:
       run: echo "dir=$(pip cache dir)" >> ${GITHUB_OUTPUT}
 
     - name: Cache Python modules
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: ${{ steps.pip-cache.outputs.dir }}
         key: ${{ runner.os }}-${{ runner.arch }}-cache-pip-${{ inputs.version }}-${{ hashFiles(inputs.hashfiles-search-path) }}
diff --git a/actions/rust/cache/action.yaml b/actions/rust/cache/action.yaml
index a16e20ec..0933788c 100644
--- a/actions/rust/cache/action.yaml
+++ b/actions/rust/cache/action.yaml
@@ -25,7 +25,7 @@ runs:
 
   steps:
     - name: Cache Rust Cargo modules
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: |
           ~/.cargo/bin/
diff --git a/blocks/java/build/action.yaml b/blocks/java/build/action.yaml
index 54f4c9b3..eedfa1fd 100644
--- a/blocks/java/build/action.yaml
+++ b/blocks/java/build/action.yaml
@@ -207,7 +207,7 @@ runs:
 
     - name: Prepare env for Java application build
       if: inputs.java-version != ''
-      uses: actions/setup-java@v4-beta
+      uses: actions/setup-java@v4
       with:
         distribution: ${{ inputs.java-distribution }}
         java-version: ${{ inputs.java-version }}
@@ -216,7 +216,7 @@ runs:
       if:  inputs.data-cache-paths != ''
         && inputs.data-cache-key != ''
 
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         key: ${{ inputs.data-cache-key }}
         path: ${{ inputs.data-cache-paths }}
@@ -280,7 +280,7 @@ runs:
 
     - name: Save build artifacts
       if: steps.artifact-paths.outputs.result != ''
-      uses: actions/upload-artifact@v4-beta
+      uses: actions/upload-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ steps.artifact-paths.outputs.result }}
diff --git a/blocks/java/test/action.yaml b/blocks/java/test/action.yaml
index 8a7e7a87..eb467a0f 100644
--- a/blocks/java/test/action.yaml
+++ b/blocks/java/test/action.yaml
@@ -236,7 +236,7 @@ runs:
       uses: milaboratory/github-ci/actions/context@v4-beta
 
     - name: Prepare env for Java application build
-      uses: actions/setup-java@v4-beta
+      uses: actions/setup-java@v4
       with:
         distribution: ${{ inputs.java-distribution }}
         java-version: ${{ inputs.java-version }}
@@ -291,7 +291,7 @@ runs:
 
     - name: Download cached test data
       if: inputs.test-data-cache-enabled == 'true' && inputs.test-data-cache-paths != '' && inputs.test-data-cache-key != ''
-      uses: actions/cache@v4-beta
+      uses: actions/cache@v4
       with:
         path: ${{ inputs.test-data-cache-paths }}
         key: ${{ inputs.test-data-cache-key }}
diff --git a/blocks/node/build-and-publish/action.yaml b/blocks/node/build-and-publish/action.yaml
index 13774283..5fe69a1d 100644
--- a/blocks/node/build-and-publish/action.yaml
+++ b/blocks/node/build-and-publish/action.yaml
@@ -120,7 +120,7 @@ runs:
 
   steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4-beta
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.s3-iam-role-to-assume }}
         aws-region: ${{ inputs.s3-region }}
@@ -154,7 +154,7 @@ runs:
         run: echo "${GITHUB_WORKSPACE}/${WORKING_DIRECTORY}/release-artifact"
 
     - name: Download artifact
-      uses: actions/download-artifact@v4-beta
+      uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ steps.artifact-path.outputs.stdout }}
diff --git a/blocks/release/registry-bin/action.yaml b/blocks/release/registry-bin/action.yaml
index 13a5847b..f65b984a 100644
--- a/blocks/release/registry-bin/action.yaml
+++ b/blocks/release/registry-bin/action.yaml
@@ -115,7 +115,7 @@ runs:
       uses: milaboratory/github-ci/actions/context@v4-beta
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4-beta
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.s3-iam-role-to-assume }}
         aws-region: ${{ inputs.s3-region }}
@@ -126,7 +126,7 @@ runs:
         run: echo './release-artifact'
 
     - name: Download artifact
-      uses: actions/download-artifact@v4-beta
+      uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ steps.artifact-path.outputs.stdout }}
diff --git a/blocks/release/s3/action.yaml b/blocks/release/s3/action.yaml
index 0ea0bc3a..e7b504c7 100644
--- a/blocks/release/s3/action.yaml
+++ b/blocks/release/s3/action.yaml
@@ -194,7 +194,7 @@ runs:
       uses: milaboratory/github-ci/actions/context@v4-beta
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4-beta
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.s3-iam-role-to-assume }}
         aws-region: ${{ inputs.s3-region }}
@@ -212,7 +212,7 @@ runs:
           fi
 
     - name: Download artifact
-      uses: actions/download-artifact@v4-beta
+      uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ steps.artifact-path.outputs.stdout }}
diff --git a/blocks/signing-tools/windows-sign/action.yaml b/blocks/signing-tools/windows-sign/action.yaml
index ecb2f78a..9413100c 100644
--- a/blocks/signing-tools/windows-sign/action.yaml
+++ b/blocks/signing-tools/windows-sign/action.yaml
@@ -96,7 +96,7 @@ runs:
 
     - name: Install Java
       if: steps.binaries-list.outputs.has-matches == 'true'
-      uses: actions/setup-java@v4-beta
+      uses: actions/setup-java@v4
       with:
         distribution: ${{ inputs.java-distribution }}
         java-version: ${{ inputs.java-version }}
diff --git a/blocks/update-cdn-link/action.yaml b/blocks/update-cdn-link/action.yaml
index 90624c0a..3cddd2c8 100644
--- a/blocks/update-cdn-link/action.yaml
+++ b/blocks/update-cdn-link/action.yaml
@@ -59,7 +59,7 @@ runs:
 
   steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4-beta
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.s3-iam-role-to-assume }}
         aws-region: ${{ inputs.s3-region }}
diff --git a/blocks/update-s3-latest/action.yaml b/blocks/update-s3-latest/action.yaml
index 7de22a82..a8b66547 100644
--- a/blocks/update-s3-latest/action.yaml
+++ b/blocks/update-s3-latest/action.yaml
@@ -146,7 +146,7 @@ runs:
 
   steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4-beta
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: ${{ inputs.s3-iam-role-to-assume }}
         aws-region: ${{ inputs.s3-region }}
@@ -157,7 +157,7 @@ runs:
         run: echo './release-artifact'
 
     - name: Download artifact
-      uses: actions/download-artifact@v4-beta
+      uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ steps.artifact-path.outputs.stdout }}

From 9666dbad77605ff475649b5e927669bc7dd87633 Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Thu, 28 May 2026 09:10:10 -0700
Subject: [PATCH 18/19] fix: anchor merge-beta.sh / fix-beta.sh sed to self-ref
 path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous sed in merge-beta.sh and fix-beta.sh treated @v4 / @v4-beta
as bare version tags. In practice they are git refs on a specific repo
(milaboratory/github-ci), so the substitution must only fire when the
preceding path is `milaboratory/github-ci/...`. Without that anchor the
sed rewrites third-party action pins too (actions/checkout@v4,
aws-actions/configure-aws-credentials@v4, pnpm/action-setup@v4, etc.),
producing references like actions/checkout@v4-beta that do not exist
upstream. The previous commit cleaned up the resulting corruption on
v4-beta; this commit prevents recurrence.

Both scripts now wrap the version pattern with a captured prefix:

    \(milaboratory/github-ci[^[:space:]@]*\)@v4...

The character class excludes @ so the greedy match stops at the @
sign, leaving the version token to be matched and replaced.
fix-beta.sh keeps its two-pattern form (end-of-line + whitespace
boundary) to avoid the @v4 → @v4-beta-beta prefix collision; that
guarantee is preserved.

Verified with a fixture covering self-refs, third-party refs, mixed
content, and the prefix-collision case. Both directions are idempotent.

Also flips six lingering milaboratory/github-ci/.../@v4 self-refs in
.github/workflows/node-simple-pnpm.yaml back to @v4-beta. These were
left behind by a previous manual fixup attempt (5baba62 revert) and
are exactly what the new fix-beta.sh sed produces when run against
the current tree.

Out of scope: actions/*/test-*.yaml files referenced by `act`-based
unit tests. Those deliberately pin @v4 and are outside the find
globs in both scripts.
---
 .github/workflows/node-simple-pnpm.yaml | 12 ++++++------
 fix-beta.sh                             | 18 +++++++++++++-----
 merge-beta.sh                           |  9 +++++++--
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 9eaaed22..4c99d6db 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -481,9 +481,9 @@ jobs:
     needs:
       - init
     steps:
-      - uses: milaboratory/github-ci/actions/context@v4
+      - uses: milaboratory/github-ci/actions/context@v4-beta
 
-      - uses: milaboratory/github-ci/actions/env@v4
+      - uses: milaboratory/github-ci/actions/env@v4-beta
         with:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
@@ -495,7 +495,7 @@ jobs:
           fetch-depth: '0'
 
       - name: Check infrastructure requirements for publication
-        uses: milaboratory/github-ci/actions/node/require-latest@v4
+        uses: milaboratory/github-ci/actions/node/require-latest@v4-beta
         with:
           packages: |
             @platforma-sdk/block-tools
@@ -511,9 +511,9 @@ jobs:
     needs:
       - init
     steps:
-      - uses: milaboratory/github-ci/actions/context@v4
+      - uses: milaboratory/github-ci/actions/context@v4-beta
 
-      - uses: milaboratory/github-ci/actions/env@v4
+      - uses: milaboratory/github-ci/actions/env@v4-beta
         with:
           inputs: ${{ inputs.env }}
           secrets: ${{ secrets.env }}
@@ -930,7 +930,7 @@ jobs:
           test-results-reports: ${{ inputs.test-results-reports }}
 
       - name: Perform security scan checks before publication
-        uses: milaboratory/github-ci/actions/docker/scan-pnpm-repo@v4
+        uses: milaboratory/github-ci/actions/docker/scan-pnpm-repo@v4-beta
 
       - name: Get GitHub App User ID
         if: steps.check-changes.outputs.has-changes == '1'
diff --git a/fix-beta.sh b/fix-beta.sh
index 5ea659bf..e5ee2323 100755
--- a/fix-beta.sh
+++ b/fix-beta.sh
@@ -19,9 +19,17 @@
 #
 # Inverse of merge-beta.sh.
 #
-# Sed safety: @v4 is a prefix of @v4-beta. Naive `s|@v4|@v4-beta|g` would
-# produce @v4-beta-beta. Two scoped patterns are used instead: match @v4 at
-# end-of-line, and @v4 followed by whitespace.
+# Sed safety, two concerns:
+#   1. Prefix collision. @v4 is a prefix of @v4-beta, so a naive
+#      `s|@v4|@v4-beta|g` would produce @v4-beta-beta. We match @v4 only at
+#      end-of-line or followed by whitespace.
+#   2. Path scope. We must rewrite only milaboratory/github-ci self-refs.
+#      Third-party action pins (actions/checkout@v4, aws-actions/...@v4,
+#      pnpm/action-setup@v4, etc.) must stay at their upstream tags — those
+#      repos do not publish a v4-beta tag, and flipping them produced the
+#      "Unable to resolve action ...@v4-beta" failures fixed in this branch.
+# Both patterns therefore anchor the substitution to a leading
+# `milaboratory/github-ci...` path.
 
 set -o nounset
 set -o errexit
@@ -63,13 +71,13 @@ git merge \
     "origin/${SOURCE_BRANCH}" \
     --strategy-option theirs
 
-echo "Flipping @${SOURCE_BRANCH} -> @${TARGET_BRANCH} in action.yaml and workflows..."
+echo "Flipping @${SOURCE_BRANCH} -> @${TARGET_BRANCH} in milaboratory/github-ci self-refs..."
 {
     find . -type f -name "action.yaml"
     find .github/workflows -type f -name "*.yaml"
 } |
     while read -r file; do
-        sed "s|@${SOURCE_BRANCH}\$|@${TARGET_BRANCH}|g; s|@${SOURCE_BRANCH}\([[:space:]]\)|@${TARGET_BRANCH}\1|g" "${file}" > "${file}.tmp"
+        sed "s|\(milaboratory/github-ci[^[:space:]@]*\)@${SOURCE_BRANCH}\$|\1@${TARGET_BRANCH}|g; s|\(milaboratory/github-ci[^[:space:]@]*\)@${SOURCE_BRANCH}\([[:space:]]\)|\1@${TARGET_BRANCH}\2|g" "${file}" > "${file}.tmp"
         mv "${file}.tmp" "${file}"
     done
 
diff --git a/merge-beta.sh b/merge-beta.sh
index 9890559b..8906807a 100755
--- a/merge-beta.sh
+++ b/merge-beta.sh
@@ -69,13 +69,18 @@ git merge \
     "${SOURCE_BRANCH}" \
     --strategy-option theirs
 
-# Replace all v4-beta with v4 in all action.yaml and all workflows
+# Replace @v4-beta -> @v4 in milaboratory/github-ci self-refs only.
+# The substitution is anchored to the self-ref repo path so that third-party
+# action pins (actions/checkout@v4-beta, aws-actions/...@v4-beta, etc.) are
+# left alone. Without the anchor the sed would happily rewrite any token
+# ending in @v4-beta, which corrupts third-party refs on v4-beta when the
+# inverse sed (fix-beta.sh) flipped them from @v4 in the first place.
 {
     find . -type f -name "action.yaml"
     find .github/workflows -type f -name "*.yaml"
 } |
     while read -r file; do
-        sed "s/@${SOURCE_BRANCH}/@${TARGET_BRANCH}/g" "${file}" > "${file}.tmp"
+        sed "s|\(milaboratory/github-ci[^[:space:]@]*\)@${SOURCE_BRANCH}|\1@${TARGET_BRANCH}|g" "${file}" > "${file}.tmp"
         mv "${file}.tmp" "${file}"
     done
 

From cbd15d6301781db954fb0cb67eea8eb68664451f Mon Sep 17 00:00:00 2001
From: Paul Newling <paulnewling@gmail.com>
Date: Thu, 28 May 2026 12:29:48 -0700
Subject: [PATCH 19/19] ci(changeset): make coverage gaps a visible
 non-blocking check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

check-coverage ran as a step with continue-on-error: true, so a gap
exited 1 but the step was reported success — the gap showed only as an
annotation on a green run, which reviewers miss.

Move it to its own 'changeset coverage (diagnostic)' job: the step drops
continue-on-error (a gap turns the job red), the job sets
continue-on-error: true (run stays green, merge not blocked). The native
'changeset status' gate in check-changesets is unchanged.

Only node-simple-pnpm.yaml uses check-coverage.
---
 .github/workflows/node-simple-pnpm.yaml | 48 ++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/node-simple-pnpm.yaml b/.github/workflows/node-simple-pnpm.yaml
index 4c99d6db..688510cd 100644
--- a/.github/workflows/node-simple-pnpm.yaml
+++ b/.github/workflows/node-simple-pnpm.yaml
@@ -582,11 +582,51 @@ jobs:
           run: |
             pnpm changeset status --since="origin/${BRANCH_NAME}"
 
+  changeset-coverage:
+    name: changeset coverage (diagnostic)
+    runs-on: ubuntu-latest
+    # Diagnostic only: surface per-package changeset gaps as a red check, never block.
+    # The check-coverage step omits continue-on-error, so a gap (exit 1) fails this
+    # job and its check turns red. Job-level continue-on-error keeps the run green and
+    # the merge available. Separate from check-changesets so the native
+    # `changeset status` gate keeps blocking. Keep this job out of required checks.
+    continue-on-error: true
+    if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+    needs:
+      - metadata
+    steps:
+      - id: context
+        uses: milaboratory/github-ci/actions/context@v4-beta
+
+      - uses: milaboratory/github-ci/actions/env@v4-beta
+        with:
+          inputs: ${{ inputs.env }}
+          secrets: ${{ secrets.env }}
+
+      - uses: actions/checkout@v4
+        with:
+          lfs: ${{ inputs.checkout-git-lfs }}
+          submodules: ${{ inputs.checkout-submodules }}
+          fetch-depth: '0'
+
+      - name: Prepare environment for building a NodeJS application
+        uses: milaboratory/github-ci/actions/node/prepare-pnpm@v4-beta
+        env:
+          PNPM_VERSION: ${{ needs.metadata.outputs.pnpm-version }}
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache-version: ${{ inputs.cache-version }}
+          pnpm-version: ${{ env.PNPM_VERSION || inputs.pnpm-version }}
+          cache-hashfiles-search-path: ${{ inputs.cache-hashfiles-search-path }}
+          npmrc-config: ${{ inputs.npmrc-config }}
+
+      - name: Install NodeJS packages with pnpm
+        uses: milaboratory/github-ci/actions/shell@v4-beta
+        with:
+          run: |
+            pnpm install --frozen-lockfile --prefer-offline
+
       - name: Check changeset coverage
-        if: |
-          always() && !cancelled() &&
-          (github.event_name == 'pull_request' || github.event_name == 'merge_group')
-        continue-on-error: true
         uses: milaboratory/github-ci/actions/changeset/check-coverage@v4-beta
         with:
           base-branch: ${{ inputs.changeset-default-branch }}