ci: Updated all the GitHub Actions #3277

Open
agsaru wants to merge 1 commit into Netflix:master from agsaru:action

agsaru commented Jun 18, 2026
Contributor

PR Type

  • Bug fix
  • New feature
  • Core Runtime change (higher bar -- see CONTRIBUTING.md)
  • Docs / tooling
  • Refactoring

Summary

This PR updates all the GitHub Actions to use the latest release versions.
Pinned commit SHAs rather than version tags.

Copilot AI review requested due to automatic review settings June 18, 2026 16:50

Copilot AI left a comment

Contributor

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

greptile-apps Bot commented Jun 18, 2026
Contributor

Greptile Summary

This PR upgrades all GitHub Actions across 8 workflow files to use immutable commit SHA pins instead of mutable version tags, improving supply-chain security. It also bumps several actions to newer major versions (e.g., actions/checkout v6→v7, github/codeql-action v2→v4, dorny/test-reporter v1→v3, codecov/codecov-action v5→v7).

  • All mutable @vN tags are replaced with full 40-character commit SHAs annotated with a version comment, which is the recommended practice for pinning third-party actions.
  • actions/upload-artifact is bumped to v7.0.1 while actions/download-artifact is bumped to v8.0.1 — a major-version mismatch in ux-tests.yml that may break artifact exchange between jobs in the coverage-report workflow.

Confidence Score: 4/5

Safe to merge for all workflows except ux-tests.yml, where the upload/download artifact version mismatch could silently break the coverage-report job.

The upload-artifact (v7) and download-artifact (v8) actions are at different major versions in ux-tests.yml. GitHub has previously required these two actions to share the same major version (the v3→v4 migration broke cross-version artifact reads), so this mismatch could cause the coverage-report job to fail to retrieve any artifacts uploaded by earlier jobs.

.github/workflows/ux-tests.yml — the upload-artifact/download-artifact major-version mismatch should be resolved before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ux-tests.yml | SHA-pins all actions correctly, but uses upload-artifact@v7.0.1 while download-artifact@v8.0.1 is used in the coverage-report job — a major-version mismatch that may break artifact transfer between jobs. |
| .github/workflows/codeql.yml | Upgrades checkout from mutable @v6 tag (which didn't correspond to a real release) to SHA-pinned v7.0.0, and bumps codeql-action from v2 to v4.36.2 — all three action steps use the same SHA for consistency. |
| .github/workflows/full-stack-test.yml | Replaces mutable @v6 tag with SHA-pinned checkout@v7.0.0; straightforward and consistent with the rest of the PR. |
| .github/workflows/metaflow.s3_tests.minio.yml | Upgrades checkout SHA to v7.0.0; setup-python SHA unchanged (same commit hash as before), only comment formatting adjusted. |
| .github/workflows/publish.yml | Upgrades checkout to v7.0.0 and pypa/gh-action-pypi-publish from v1.13.0 to v1.14.0; setup-python SHA unchanged. |
| .github/workflows/test-card-build.yml | Replaces mutable @v6 tags with SHA-pinned checkout@v7.0.0 and setup-node@v6.4.0. |
| .github/workflows/test-stubs.yml | Upgrades checkout to SHA-pinned v7.0.0 and nick-fields/retry from mutable @v2 to SHA-pinned v4.0.0. |
| .github/workflows/test.yml | Upgrades checkout to SHA-pinned v7.0.0; setup-python and pre-commit/action SHAs are unchanged, only formatting adjusted. |

Reviews (1): Last reviewed commit: "Updated github actions"

Comment on lines +411 to +417
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
with:
pattern: coverage-*
path: coverage-artifacts/

- name: Download test results from all backends
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
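
Review bot: The version annotations on both `download-artifact` lines are written `#v8.0.1` with no space after the `#`; write them in the usual `# v8.0.1` form so the pinned version is easy to read and search for. The second step also visibly moves from `@v4` directly to v8.0.1, so check that `pattern: coverage-*` and `path: coverage-artifacts/` still select and lay out the artifacts the same way across those major versions. Nothing in the workflow ties the 40-character SHA to the comment beside it, so confirm the SHA is the commit the v8.0.1 tag points at before merging.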

P1 upload-artifact and download-artifact major version mismatch

Artifacts are uploaded with upload-artifact@v7.0.1 but downloaded with download-artifact@v8.0.1. GitHub has historically required these two actions to use the same major version (the v3→v4 migration, for example, required upgrading both simultaneously because the storage format changed). If the artifact schema changed between v7 and v8, the download-artifact step in the coverage-report job will fail to find or decode the artifacts produced by the earlier jobs, silently breaking coverage reporting.
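
An added example, not part of this PR or of any bot's review: a small Python check for the two points raised in the review above, namely `uses:` references that are not full 40-character SHAs and differing major versions between `upload-artifact` and `download-artifact`. The workflow snippet is constructed, the all-zero SHA is a placeholder, the function names are hypothetical, and the check trusts the trailing version comment rather than resolving the SHA.

```python
import re

# A step's `uses:` line: owner/repo[/path]@ref, with an optional "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.\-]+/[\w.\-/]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample; the upload-artifact SHA is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v7.0.1
  - name: Download coverage
    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
"""

def audit(workflow_text):
    """Return (unpinned, majors): refs that are not full commit SHAs, and the
    major version each action claims (from its tag, or from the comment if pinned)."""
    unpinned, majors = [], {}
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        pinned = SHA_RE.fullmatch(ref) is not None
        if not pinned:
            unpinned.append((lineno, action, ref))  # mutable tag or branch
        label = comment if pinned else ref
        v = re.match(r"v?(\d+)", label or "")
        if v:
            majors.setdefault(action, set()).add(int(v.group(1)))
    return unpinned, majors

def artifact_mismatch(majors):
    """True when upload-artifact and download-artifact claim different majors."""
    up = majors.get("actions/upload-artifact", set())
    down = majors.get("actions/download-artifact", set())
    return bool(up and down and up != down)

if __name__ == "__main__":
    unpinned, majors = audit(SAMPLE)
    for lineno, action, ref in unpinned:
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    if artifact_mismatch(majors):
        print("upload-artifact and download-artifact majors differ")
```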

codecov Bot commented Jun 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (master@5cdcc70). Learn more about missing BASE report.

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #3277   +/-   ##
=========================================
  Coverage          ?   30.34%           
=========================================
  Files             ?      381           
  Lines             ?    52551           
  Branches          ?     9273           
=========================================
  Hits              ?    15946           
  Misses            ?    35427           
  Partials          ?     1178           
