
chore(ci): bump checkout action version #2179

Merged
dhable merged 7 commits into main from dan/gha-node20-update on May 5, 2026
Conversation

@dhable
Contributor

@dhable dhable commented May 1, 2026

Summary

Node 20 will lose support in a few months and all of our workflow actions were tied to versions that used node 20. This PR tries to get in front of that by bumping actions to newer versions.

@changeset-bot

changeset-bot Bot commented May 1, 2026

⚠️ No Changeset found

Latest commit: d0ea5f3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel

vercel Bot commented May 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hyperdx-oss Ready Ready Preview, Comment May 5, 2026 10:25pm

@github-actions
Contributor

github-actions Bot commented May 1, 2026

E2E Test Results

All tests passed • 158 passed • 3 skipped • 1195s

Status Count
✅ Passed 158
❌ Failed 0
⚠️ Flaky 5
⏭️ Skipped 3

Tests ran across 4 shards in parallel.

@dhable dhable marked this pull request as ready for review May 1, 2026 04:00
@dhable dhable requested a review from wrn14897 May 1, 2026 04:00
@github-actions
Contributor

github-actions Bot commented May 1, 2026

🔴 Tier 4 — Critical

Touches auth, data models, config, tasks, OTel pipeline, ClickHouse, or CI/CD.

Why this tier:

  • Critical-path files (2):
    • .github/workflows/main.yml
    • .github/workflows/release.yml
  • All files are docs / images / lock files

Review process: Deep review from a domain expert. Synchronous walkthrough may be required.
SLA: Schedule synchronous review within 2 business days.

Stats
  • Production files changed: 0
  • Production lines changed: 0
  • Branch: dan/gha-node20-update
  • Author: dhable

To override this classification, remove the review/tier-4 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

@github-actions github-actions Bot added the review/tier-4 Critical — deep review + domain expert sign-off label May 1, 2026
@github-actions
Contributor

github-actions Bot commented May 1, 2026

PR Review

This PR bumps GitHub Actions versions across all CI workflows to move away from Node 20-based action runners.

  • ⚠️ Security regression in knip.yml: Previous workflow pinned actions to full commit SHAs (actions/checkout@34e114876..., actions/setup-node@49933ea5..., actions/github-script@f28e40c7...) to prevent supply chain attacks. This PR replaces all SHA pins with floating major version tags (@v6, @v9). For a public repo, this is a meaningful security downgrade — a malicious actor could move a tag to point to compromised code. Restore SHA pins (or use a tool like pinact to add them) rather than floating tags.

  • ⚠️ Unverified version jumps: actions/checkout jumps v4→v6, actions/setup-node v4→v6, actions/upload-artifact v4→v7, actions/download-artifact v4→v8. These skip entire major versions — confirm each target version is actually published and stable before merge, as a non-existent tag will silently fail or use an unexpected version.

  • ℹ️ Inconsistency: tj-actions/changed-files@v47.0.6 uses a full semver pin while all other actions use bare major-version aliases (@v6, @v9). Pick one strategy and apply it consistently — ideally SHA pinning for all third-party actions.

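The SHA-pinning point raised in the review comment above can be checked mechanically. The script below is an added example, not part of this PR or the project's CI; it scans a constructed workflow excerpt (modelled on the actions named in the comment, with a made-up placeholder SHA) and lists every external `uses:` reference that is not pinned to a full 40-character commit SHA.

```python
import re

# Constructed excerpt of a workflow file, modelled on the actions named in the
# review comment. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v6
      - uses: tj-actions/changed-files@v47.0.6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches `uses: owner/repo@ref` on a step line, ignoring quotes and trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'tag', 'local' or 'docker' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"          # action in the same repo; no external supply chain
    if ref.startswith("docker://"):
        return "docker"         # image refs need digest pinning, handled separately
    _, _, version = ref.partition("@")
    return "sha" if SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text: str) -> list[str]:
    """List every external action reference that floats on a tag or branch name."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "tag":
            unpinned.append(m.group(1))
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"floating ref (not SHA-pinned): {ref}")
```

Note that a full semver tag such as @v47.0.6 is still flagged: tags are mutable references, so only the commit SHA is a stable pin.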
@dhable dhable merged commit edcf7c9 into main May 5, 2026
18 checks passed
Labels

review/tier-4 Critical — deep review + domain expert sign-off
