Add GitHub Actions upgrade guide with breaking changes reference #35

@CybotTM

Summary

When upgrading GitHub Actions to SHA-pinned versions, it's important to understand breaking changes across major versions. The skill currently mentions SHA pinning in security-config.md but lacks a reference for common breaking changes when upgrading actions.

Proposed Addition

A new references/actions-upgrade-guide.md covering:

Node.js Runtime Deprecation Timeline

  • Node 16: fully removed
  • Node 20: deprecated Sep 2025, runners default to Node 24 from Mar 4 2026, removal summer 2026
  • Node 24: current target

Common Breaking Changes by Action

| Action | Version | Breaking Change |
| --- | --- | --- |
| actions/checkout | v6 | Credentials stored in $RUNNER_TEMP instead of .git/config |
| actions/download-artifact | v5 | Path behavior change for downloads by ID |
| actions/cache | v5 | New cache backend (old retired Apr 2025) |
| ramsey/composer-install | v3 | Requires Node.js 20+ (internal cache v4) |
| docker/setup-buildx-action | v3.12 | install input deprecated |

Security Fixes Worth Tracking

| Action | Fix |
| --- | --- |
| actions/checkout v6 | Credential isolation prevents token leaks |
| actions/cache v5.0.3 | Security fix in @actions/cache |
| docker/login-action v3.7 | lodash prototype pollution, cross-spawn CVE-2024-21538 |

Also

  • Example references in actionlint-guide.md still use actions/checkout@v4 — should be updated to v6 with SHA
  • tag-validation.md uses actions/checkout@v6 (tag only, no SHA)

Context

Learned from upgrading all GitHub Actions in TYPO3-Documentation/render-guides#1184.
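
An added example, not part of the issue or of the project's code: a small audit that lists every `uses:` reference not pinned to a full commit SHA and attaches the matching row from the breaking-changes table above. The function name `audit`, the sample workflow and the placeholder SHA are constructed for illustration.

```python
import re

# Breaking changes copied from the table in this issue: action -> (version, note).
BREAKING = {
    "actions/checkout": ((6, 0), "credentials stored in $RUNNER_TEMP instead of .git/config"),
    "actions/download-artifact": ((5, 0), "path behavior change for downloads by ID"),
    "actions/cache": ((5, 0), "new cache backend"),
    "ramsey/composer-install": ((3, 0), "requires Node.js 20+"),
    "docker/setup-buildx-action": ((3, 12), "install input deprecated"),
}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v(\d+)(?:\.(\d+))?")


def audit(workflow_text):
    """Return one finding per `uses:` reference that is not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # not an action reference (container images are not git refs)
        action, ref = m.groups()
        if SHA_RE.match(ref):
            continue  # pinned to a 40-hex commit SHA
        finding = {"line": line_no, "action": action, "ref": ref, "upgrade_note": None}
        repo = "/".join(action.split("/")[:2])  # drop sub-paths such as /restore
        tag = TAG_RE.match(ref)
        if tag and repo in BREAKING:
            # A bare major tag (v3) is treated as v3.0, so notes err on the side of reporting.
            current = (int(tag.group(1)), int(tag.group(2) or 0))
            version, note = BREAKING[repo]
            if current < version:
                finding["upgrade_note"] = "v%d.%d: %s" % (version + (note,))
        findings.append(finding)
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v5.0.3
      - uses: docker/setup-buildx-action@v3
      - name: Install
        uses: ramsey/composer-install@v3
"""
```

Running `audit(SAMPLE)` reports the three tag-only references and leaves the SHA-pinned `actions/cache` line alone.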
