ci: upgrade actions to Node 24 versions

[wardbox]

Summary

GitHub Actions warned that Node 20 actions are deprecated — they'll be forced to Node 24 by June 2, 2026 and Node 20 removed from runners September 16, 2026. Bumping to the latest majors that ship on Node 24:

Action	Before	After
actions/checkout	v4	v6
actions/setup-node	v4	v6
pnpm/action-setup	v4	v5
peter-evans/create-pull-request	v7	v8

Using major-only tags so patch/minor updates flow in automatically.

Behavioral check

None of these majors introduce breaks for this repo:

• setup-node@v5 added auto-cache detection via the packageManager package.json field — this repo has no such field, so it's a no-op. setup-node@v6 further limits auto-cache to npm anyway.
• All four bumps are otherwise pure runner version bumps per their release notes.
• cache: 'pnpm' config is unchanged.

Test plan

• CI passes on this branch (build + smoke matrix all 4 runtimes)
• No new deprecation warnings appear in the run summary
• After merge, manually dispatch Schema Drift Check and confirm clean run with no Node 20 warnings

🤖 Generated with Claude Code

Upgrade GitHub Actions to Node 24-compatible versions

Update workflow actions across five files (.github/workflows/ci.yml, docs.yml, release.yml, schema-drift.yml, token-check.yml) to majors that run on Node 24 and avoid Node 20 deprecation:

• actions/checkout: v4 → v6
• actions/setup-node: v4 → v6
• pnpm/action-setup: v4 → v5
• peter-evans/create-pull-request: v7 → v8 (schema-drift.yml only)
• actions/upload-artifact: v4 → v7 (ci.yml)
• actions/download-artifact: v4 → v8 (ci.yml)
• actions/upload-pages-artifact: v3 → v5 (docs.yml)
• actions/deploy-pages: v4 → v5 (docs.yml)

Notes:

• Major-only tags are used so patch/minor updates flow automatically.
• Configuration inputs (node-version, pnpm version, cache settings) remain unchanged.
• download-artifact v5 breaking change (downloads-by-ID) does not affect this repo (downloads by name).
• CI passes on this branch and no Node 20 deprecation warnings appear in runs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 38b8be0b-d1cb-4347-98bd-af44bd3d411a

📥 Commits

Reviewing files that changed from the base of the PR and between 93be377 and 42c6c77.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/docs.yml

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/docs.yml
• .github/workflows/ci.yml

---

Walkthrough

This PR upgrades GitHub Actions versions across workflow files: actions/checkout v4→v6, pnpm/action-setup v4→v5, and actions/setup-node v4→v6 in CI, docs, release, and schema-drift workflows. It also updates artifact and pages/deploy actions (actions/upload-artifact v4→v7, actions/download-artifact v4→v8, actions/upload-pages-artifact v3→v5, actions/deploy-pages v4→v5) and peter-evans/create-pull-request v7→v8. Configured inputs (Node and pnpm versions, cache, artifact paths, PR metadata) are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• ci: pin pnpm version in schema-drift workflow #17 — Modifies the schema-drift workflow pnpm setup step; related to workflow setup changes here.

Poem

🐰 Hop, hop, the workflows gleam anew,
v6 and v5 hopped into view,
Pins untouched, the runs stay true,
I nibble logs and twitch my shoe,
A rabbit cheers — CI, hooray! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title describes a general upgrade to Node 24 versions, but the actual changes are specifically GitHub Actions version bumps to versions compatible with Node 24. The title is partially accurate—while the underlying motivation involves Node 24 compatibility, the direct change is action version upgrades across multiple workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

22-33: Optional hardening: pin third-party actions to immutable commit SHAs.

Using major version tags (@v6, @v5, etc.) is convenient but mutable. Consider pinning actions to their commit SHAs for supply-chain integrity, then automate refreshes using Dependabot or similar tooling.

The actions in this workflow can be pinned to:

• actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288
• actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 22 - 33, Replace the mutable
action tags with the provided immutable commit SHAs to harden the workflow:
update the "uses" entries for actions/checkout, pnpm/action-setup, and
actions/setup-node (the steps named "Checkout", "Setup pnpm", and "Setup Node")
to use the specific SHAs de0fac2e4500dabe0009e67214ff5f5447ce83dd,
a8198c4bff370c8506180b035930dea56dbd5288, and
48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e respectively; after pinning, add or
document Dependabot (or similar) automation to periodically update those SHAs so
they can be refreshed safely.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 22-28: Update the GitHub Actions usages that still run on Node 20:
replace actions/deploy-pages@v4 with v5.0.0+ (deploy-pages@v5), replace
actions/download-artifact@v4 with v7+ (download-artifact@v7), and replace
actions/upload-artifact@v4 with v6+ (upload-artifact@v6); also update
actions/upload-pages-artifact to a newer major that no longer pulls
upload-artifact@v3 (e.g., upload-pages-artifact@v4+ or whichever release
references upload-artifact@v6+). Locate these action entries by their action
identifiers (actions/deploy-pages, actions/download-artifact,
actions/upload-artifact, actions/upload-pages-artifact) in the workflow and bump
the version tags accordingly to Node 24-compatible releases.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 22-33: Replace the mutable action tags with the provided immutable
commit SHAs to harden the workflow: update the "uses" entries for
actions/checkout, pnpm/action-setup, and actions/setup-node (the steps named
"Checkout", "Setup pnpm", and "Setup Node") to use the specific SHAs
de0fac2e4500dabe0009e67214ff5f5447ce83dd,
a8198c4bff370c8506180b035930dea56dbd5288, and
48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e respectively; after pinning, add or
document Dependabot (or similar) automation to periodically update those SHAs so
they can be refreshed safely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8861dd40-917e-430a-924f-d7f0adcdf233

📥 Commits

Reviewing files that changed from the base of the PR and between 2f179e1 and 93be377.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .github/workflows/docs.yml
• .github/workflows/release.yml
• .github/workflows/schema-drift.yml
• .github/workflows/token-check.yml

[wardbox]

Addressing CodeRabbit feedback before merge:

Inline comment (ci.yml line 28) — stale. CodeRabbit reviewed the first commit (93be377) before 42c6c77 bumped the artifact actions. Current state: upload-artifact@v7, download-artifact@v8, upload-pages-artifact@v5, deploy-pages@v5. The latest CI run shows zero Node 20 deprecation warnings — that's the ground truth.

Nitpick (release.yml SHA pinning) — declining for this PR. SHA pinning is a legitimate hardening practice but inverts this PR's stated intent of using major-only tags so patch/minor updates flow automatically, and would require Dependabot to keep SHAs fresh. Worth doing as a separate, repo-wide hardening pass with the Dependabot setup, not piecemeal in one workflow.