[0.8] Bump GitHub Actions to Node 24 compatible versions [MOD-15112]

[dor-forer]

Describe the changes in the pull request

Manual backport of #947 to 0.8. The automated backport failed due to conflicts.

Migrates JavaScript-based GitHub Actions to versions running on the Node 24 runtime, ahead of the June 2, 2026 Node 20 deprecation.

Version bumps applied to the workflow files that exist on 0.8:

Action	Old	New
actions/checkout	v4	v6
actions/setup-python	v5	v6
actions/upload-artifact	v4	v7
aws-actions/configure-aws-credentials	v4	v6
machulav/ec2-github-runner	v2.4.2	v2.6.1
codecov/codecov-action	v4	v6
github/codeql-action/*	v3	v4
korthout/backport-action	v2	v4
release-drafter/release-drafter	v6	v7

Conflict-resolution notes:

• Only the version bumps from Bump GitHub Actions to Node 24 compatible versions [MOD-15112]  #947 were taken; main-only additions (CPU info logging, Upload Logs artifact step in PR workflow, sanitizer step in coverage, notify-on-failure Slack job in nightly, and submodules: recursive adds) were intentionally dropped because they don’t exist on 0.8.
• slackapi/slack-github-action v1→v3 from Bump GitHub Actions to Node 24 compatible versions [MOD-15112]  #947 was dropped because the notify-on-failure job doesn’t exist on 0.8.
• benchmark-runner.yml doesn’t exist on 0.8, so its changes were skipped.

Which issues this PR fixes

1. MOD-15112

Main objects this PR modified

1. .github/workflows/arm.yml
2. .github/workflows/codeql-analysis.yml
3. .github/workflows/coverage.yml
4. .github/workflows/event-pull_request.yml
5. .github/workflows/release-drafter.yml
6. .github/workflows/task-backport_pr.yml
7. .github/workflows/task-unit-test.yml

Mark if applicable

• This PR introduces API changes
• This PR introduces serialization changes

---

Pull Request opened by Augment Code with guidance from the PR author

---

Note

Low Risk
Low risk: this only bumps GitHub Action versions in CI workflows, but could affect CI behavior if any new action defaults/inputs change.

Overview
Upgrades GitHub Actions versions across the repo’s CI workflows to Node 24–compatible releases.

This bumps actions/checkout, actions/setup-python, actions/upload-artifact, aws-actions/configure-aws-credentials, machulav/ec2-github-runner, codecov/codecov-action, github/codeql-action/*, korthout/backport-action, and release-drafter/release-drafter without changing the workflows’ logic beyond the action version pins.

^{Reviewed by Cursor Bugbot for commit cf77569. Bugbot is set up for automated code reviews on this repo. Configure here.}

[jit-ci]

🛡️ Jit Security Scan Results

✅ No security findings were detected in this PR

---

^{Security scan by Jit}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit cf77569. Configure here.}

[cursor]

Deprecated file input may silently fail with disable_search

Medium Severity

The codecov/codecov-action deprecated the file input in v5 in favor of files. Bumping to v6 (a new major version where deprecated features are typically removed) means the file input may be silently ignored. Combined with disable_search: true, this could result in no coverage files being uploaded at all, since there's no auto-discovery fallback. The input likely needs to be changed from file to files.

 

^{Reviewed by Cursor Bugbot for commit cf77569. Configure here.}

[dor-forer]

Closing in favor of re-backporting once #953 merges. The bumped codecov-action with: key in this PR is broken (file: was renamed to files: in v5; see #953).