chore(ci): bump checkout action version

[dhable]

Summary

Node 20 will lose support in a few months and all of our workflow actions were tied to versions that used node 20. This PR tries to get in front of that by bumping actions to newer versions.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ab532db

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ready	Preview, Comment	May 1, 2026 2:33am

[github-actions]

E2E Test Results

✅ All tests passed • 159 passed • 3 skipped • 1174s

Status	Count
✅ Passed	159
❌ Failed	0
⚠️ Flaky	4
⏭️ Skipped	3

Tests ran across 4 shards in parallel.

View full report →

[github-actions]

🔴 Tier 4 — Critical

Touches auth, data models, config, tasks, OTel pipeline, ClickHouse, or CI/CD.

Why this tier:

• Critical-path files (2):
  • .github/workflows/main.yml
  • .github/workflows/release.yml
• All files are docs / images / lock files

Review process: Deep review from a domain expert. Synchronous walkthrough may be required.
SLA: Schedule synchronous review within 2 business days.

Stats

• Production files changed: 0
• Production lines changed: 0
• Branch: dan/gha-node20-update
• Author: dhable

To override this classification, remove the review/tier-4 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

[github-actions]

PR Review

PR #2179 — chore(ci): bump checkout action version

Bumps GitHub Actions to Node 20+ compatible versions across all workflows to get ahead of Node 20 EOL.

• ⚠️ Security regression in knip.yml: The previous workflow pinned actions to specific commit hashes (actions/checkout@34e114876b... and actions/setup-node@49933ea5...) for supply chain security. This PR replaces them with floating semver tags (@v6), which removes that protection and is inconsistent with the rest of the project (no other workflow uses hash pinning). Either pin the new versions to their commit hashes, or document why the project is moving away from hash pinning.

• ⚠️ Unverified action versions: actions/checkout@v6, actions/setup-node@v6, actions/upload-artifact@v7, and actions/download-artifact@v8 — as of this writing, the latest stable releases for several of these are lower major versions. Confirm these tags actually exist and are published by the respective action maintainers before merging to avoid silent failures.

• ✅ Whitespace/alignment cleanup in pr-triage.js is fine (no logic changes).

• ✅ Removing the hardcoded version from the pr-triage.js comment is correct.