Update GitHub Actions for Node 24

[lucarlig]

Summary

• Update pinned actions/checkout references to the Node 24-based v6.0.2 commit.
• Update pinned actions/setup-python references to the Node 24-based v6.2.0 commit.
• Update remaining pinned workflow actions that still used Node 20: Codecov, upload-artifact, and download-artifact.
• Keep workflow action references SHA-pinned while removing Node.js 20 deprecation warnings.

Major-Version Review Notes

• actions/checkout release notes reviewed for v5.0.0, v6.0.0, and v6.0.2. The workflows do not configure sparse checkout, and the existing fetch-depth: 0 usage is preserved unchanged in ci-rust-python-package.yaml. The PR CI validate-and-detect job has passed with this setting.
• actions/setup-python release notes reviewed for v5.0.0, v6.0.0, and v6.2.0. The workflows use setup-python only to install Python 3.12 before invoking pip, uv, and maturin; they do not rely on setup-python cache behavior or virtualenv activation. The plugin catalog and install-built-wheel checks have passed after the upgrade.
• codecov/codecov-action now resolves to a composite action. This is a no-op for this repo's usage because the workflow only uploads one generated Cobertura XML file with explicit files, flags, and name inputs.

SHA Provenance

• actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd -> v6.0.2
• actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 -> v6.2.0
• codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe -> v5.5.4 peeled commit from annotated tag aa56896cf108bd10b5eb883cd1d24196da57f695
• actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f -> v6.0.0
• actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 -> v7.0.0

Validation

• git diff --check HEAD~1..HEAD
• ruby -ryaml -e 'ARGV.each { |p| YAML.load_file(p) }; puts "parsed workflow YAML files"' .github/workflows/*.yaml
• actionlint .github/workflows/*.yaml
• python3 -m unittest tests/test_plugin_catalog.py -> 91 tests passed, 2 skipped
• Metadata scan of all external workflow actions confirms no runs.using: node20 remains:
  • actions/checkout -> node24
  • actions/setup-python -> node24
  • actions/upload-artifact -> node24
  • actions/download-artifact -> node24
  • codecov/codecov-action -> composite
  • pypa/gh-action-pypi-publish -> composite

Note: Standard detailed code review has not been run yet.

[msureshkumar88]

Code Review Findings

Thanks for the clean, well-scoped PR. Two items need addressing before merge.

---

Required: Confirm major-version upgrade paths

actions/checkout jumped v4 → v6 and actions/setup-python jumped v5 → v6 — two skipped major versions each. The PR summary doesn't address breaking changes across those skipped versions.

Specifically, please confirm:

• actions/checkout v6 changes the default behavior of persist-credentials and sparse checkout handling. The fetch-depth: 0 usage in ci-rust-python-package.yaml should be verified still works as expected.
• actions/setup-python v6 introduced changes around virtual environment activation and cache behavior. Workflows relying on uv + maturin in a venv should be spot-checked.

A one-liner in the PR description confirming these were reviewed (or a link to the upstream changelogs) is sufficient.

---

Required: SHA provenance

The PR lists the validation commands used (actionlint, ruby YAML.load_file) but not the actual output. Reviewers cannot independently verify the new SHAs map to the stated versions without leaving GitHub.

Please add one of the following:

• Links to the GitHub release tags for each updated action (e.g. actions/checkout@v6.0.2, actions/setup-python@v6.2.0, etc.), or
• A brief paste of gh release view or equivalent confirming SHA → tag mapping.

---

Minor (non-blocking): codecov/codecov-action callout

The description notes it changed to a "composite" runtime. Worth one sentence clarifying this is a no-op for this repo's usage (uploads a single coverage XML) so future readers don't have to investigate.

---

Overall the change is clean and the test updates are correct. Happy to approve once the two required items above are addressed.

[lucarlig]

Thanks for the careful review. I updated the PR description to address the two required items:

• Added notes confirming the checkout and setup-python major-version changes were reviewed, including the fetch-depth: 0, sparse checkout, virtualenv, and cache considerations.
• Added SHA provenance with release-tag links for each updated action, including the peeled commit detail for the annotated Codecov tag.

I also added the Codecov clarification you called out: the switch to a composite action should be a no-op for this workflow because it only uploads the single generated Cobertura XML with explicit inputs.

The earlier CI failure was also fixed in ca411f1 by updating the workflow pin expectations in tests/test_plugin_catalog.py; that suite now passes locally.

[msureshkumar88]

All requested changes are addressed — approving.

• Major-version upgrade paths: The PR description now documents a per-major-version review of actions/checkout (v5, v6, v6.0.2) and actions/setup-python (v5, v6, v6.2.0), with explicit confirmation that fetch-depth: 0, sparse checkout, virtualenv activation, and cache behavior are unaffected by this repo's workflow configurations. CI passing on the validate-and-detect job corroborates this.
• SHA provenance: Release-tag links are provided for all five updated actions, including the peeled-commit detail for the annotated Codecov tag. Each SHA is now independently verifiable.
• Codecov callout: The composite-action switch is correctly documented as a no-op for this repo's single-file XML upload usage.

The test suite (91 passed, 2 skipped) and actionlint validation give additional confidence. Good to merge.