diff --git a/.github/actions/publish-maven-to-codeartifact/action.yml b/.github/actions/publish-maven-to-codeartifact/action.yml
index 8b951ef..9a24fe6 100644
--- a/.github/actions/publish-maven-to-codeartifact/action.yml
+++ b/.github/actions/publish-maven-to-codeartifact/action.yml
@@ -57,7 +57,7 @@ runs:
 cache-dependency-path: "${{ inputs.working-directory }}/pom.xml"
 - name: Authenticate with CodeArtifact
- uses: OvertureMaps/workflows/.github/actions/setup-codeartifact@main # zizmor: ignore[unpinned-uses] -- self-referential; SHA updated in follow-up commit
+ uses: OvertureMaps/workflows/.github/actions/setup-codeartifact@main # zizmor: ignore[unpinned-uses] -- trusted same-repo self-reference; pinned to the branch-protected default branch by design
 with:
 aws-role-arn: ${{ inputs.aws-role-arn }}
 aws-region: ${{ inputs.aws-region }}
diff --git a/.github/actions/setup-codeartifact/README.md b/.github/actions/setup-codeartifact/README.md
index 4649f36..cf05f5b 100644
--- a/.github/actions/setup-codeartifact/README.md
+++ b/.github/actions/setup-codeartifact/README.md
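Review bot: The rewritten zizmor justification on the `uses:` line explains why `@main` is used but not what it costs callers: a consumer that SHA-pins `publish-maven-to-codeartifact` still runs whatever `setup-codeartifact` is on `main` at job time, because the nested reference is resolved when the job executes, so the outer pin is not transitive for this step. As far as I know a composite action cannot reach a sibling action with a `./` path (that resolves against the caller's workspace, not this repository), which makes the branch reference a defensible design, but the comment should name the trade-off rather than only the protection, e.g. `# zizmor: ignore[unpinned-uses] -- same-repo self-reference; composite actions cannot use ./ paths, so this resolves against branch-protected main at run time and is not covered by a caller's SHA pin of this action`. It would also be worth stating this once in the action's README so consumers can judge whether a floating internal step is acceptable for their release pipeline.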
@@ -104,7 +104,15 @@ step in the same job resolve or deploy artifacts without bespoke setup. The authorization token is masked in logs and passed from the token step to the settings step via a step output (not `$GITHUB_ENV`), then embedded into the -generated `~/.m2/settings.xml`. Keeping it out of `$GITHUB_ENV` means it is not +`~/.m2/settings.xml` written by an inline bash step (a `cat <> "$GITHUB_OUTPUT" + # settings.xml is written inline rather than via actions/setup-java's + # generator. CodeArtifact needs both a (credentials) and a + # (resolve URL) in settings.xml; setup-java emits only + # with ${env.*} credential placeholders, which would drop the + # resolve repository and force the token into the environment at mvn time. + # An inline writer also keeps this auth action JDK-agnostic. - name: Configure Maven Settings for CodeArtifact - uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22 # zizmor: ignore[archived-uses] -- upstream archived but SHA-pinned; canonical settings.xml writer with no maintained drop-in replacement - with: - repositories: > - [{ - "id": "${{ inputs.codeartifact-domain }}", - "url": "https://${{ inputs.codeartifact-domain }}-${{ inputs.codeartifact-domain-owner }}.d.codeartifact.${{ inputs.aws-region }}.amazonaws.com/maven/${{ inputs.codeartifact-repository }}/" - }] - servers: > - [{ - "id": "${{ inputs.codeartifact-domain }}", - "username": "aws", - "password": "${{ steps.token.outputs.token }}" - }] + shell: bash + env: + CODEARTIFACT_DOMAIN: ${{ inputs.codeartifact-domain }} + CODEARTIFACT_REPO_URL: "https://${{ inputs.codeartifact-domain }}-${{ inputs.codeartifact-domain-owner }}.d.codeartifact.${{ inputs.aws-region }}.amazonaws.com/maven/${{ inputs.codeartifact-repository }}/" + CODEARTIFACT_TOKEN: ${{ steps.token.outputs.token }} + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml < + + + ${CODEARTIFACT_DOMAIN} + aws + ${CODEARTIFACT_TOKEN} + + + + + codeartifact + + + 
${CODEARTIFACT_DOMAIN} + ${CODEARTIFACT_REPO_URL} + + + + + + codeartifact + + + EOF