chore: update GitHub actions runtime

[lorenjphillips]

Summary

• Update GitHub-owned workflow actions to Node 24-backed majors.
• Update softprops/action-gh-release to the Node 24-backed major.
• Clean up release checksum shell snippets so actionlint passes without shellcheck warnings.

Testing

• actionlint .github/workflows/ci.yml .github/workflows/release.yml
• cargo fmt
• cargo clippy --all-targets -- -D warnings
• cargo test

Release workflow verification

The full release workflow cannot be safely dry-run from a PR because it is intentionally triggered by v* tags and publishes a GitHub release plus updates coval-ai/homebrew-tap. After merge, the next tagged release should verify that the Node 20 deprecation annotations are gone.

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflows to use latest stable action versions for improved reliability and consistency.
  • Enhanced release artifact checksum generation and validation process.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates GitHub Actions workflows with newer action versions (checkout v6, upload-artifact v7, download-artifact v8, action-gh-release v3) and refactors release workflow checksum generation to compute per-archive SHA256 sums and consolidate Homebrew checksum output handling.

Changes

GitHub Actions Workflow Updates

Layer / File(s)	Summary
CI workflow action versions .github/workflows/ci.yml	actions/checkout upgraded from v4 to v6 in both check and build jobs; actions/upload-artifact upgraded from v4 to v7 in build job artifact upload step.
Release workflow action versions .github/workflows/release.yml	actions/checkout and actions/upload-artifact upgraded to v6 and v7 in build job; actions/download-artifact and softprops/action-gh-release updated to v8 and v3 in release job.
Release checksum generation and Homebrew parsing .github/workflows/release.yml	Checksum generation in release job refactored to run sha256sum with -- flag and aggregate per-directory SHA256SUMS files; Homebrew tap job checksum parsing consolidated into grouped shell block for writing architecture-specific checksums (macos_arm64, macos_x64, linux_arm64, linux_x64) to GITHUB_OUTPUT.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Actions march forward to versions bright and new,
Checksums dancing in grouped shell blocks, refined and true,
From v4 to v6, workflows leap with grace,
Homebrew parsing wears its grouped embrace!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: updating GitHub Actions workflows to use newer action versions compatible with Node 24 runtime.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/update-github-actions-node24

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 123-128: The current block constructs variables macos_arm64,
macos_x64, linux_arm64, linux_x64 by grepping SHA256SUMS and appends them to
GITHUB_OUTPUT without validation; change the logic to first assign these four
variables (using the same grep/awk expressions), then explicitly check each
variable is non-empty (or unset) and if any is missing write an error to stderr
and exit non‑zero to fail fast, only appending to GITHUB_OUTPUT after all four
checks pass; reference the variable names macos_arm64, macos_x64, linux_arm64,
linux_x64, the SHA256SUMS file lookup, and the GITHUB_OUTPUT write to locate and
update the code.
- Line 40: Replace mutable action tags with pinned commit SHAs for every
external action used (e.g., actions/checkout, actions/upload-artifact,
actions/download-artifact, softprops/action-gh-release) and add
persist-credentials: false to the checkout steps (the two uses of
actions/checkout) so credentials are not left in the runner; update the action
refs in the workflow to their corresponding commit SHAs and add the
persist-credentials: false key under the checkout steps to harden supply-chain
and disable credential persistence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e37eb3d7-554a-4fe0-8f47-220438ff6b8a

📥 Commits

Reviewing files that changed from the base of the PR and between 62fdcfa and 79f0ace.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[kdmelon]

🪨