
chore(deps): bump actions/checkout from 6 to 7 #550

Merged
igerber merged 1 commit into main from chore/bump-actions-checkout-v7 on Jun 25, 2026

Conversation

igerber commented Jun 25, 2026

Owner

Summary

Bumps actions/checkout v6 → v7 across all 5 workflow files. This is a
recreation of Dependabot PR #541 as a same-repo PR, because Dependabot's
restricted security context blocks our pipeline:

  • the runner gets a read-only GITHUB_TOKEN + the separate "Dependabot" secret
    store (so secret-needing jobs can't authenticate), and
  • the Codex reviewer action hard-refuses to run for the dependabot[bot] actor
    (must have write access ... Detected permission: 'none').

Recreating under a normal actor lets full CI and the AI review run. Once this
merges, Dependabot will auto-close #541 (it detects checkout is already at v7).

Safety note

actions/checkout v7's headline change blocks fork-PR checkout under
pull_request_target / workflow_run. No workflow in this repo uses those
triggers; ai_pr_review.yml runs on pull_request + issue_comment and
already guards is_fork == 'false' — so the bump is a no-op behavior change here.

Changes

13 identical uses: actions/checkout@v6 → @v7 swaps across:
ai_pr_review.yml, docs-tests.yml, notebooks.yml, publish.yml, rust-test.yml.

Replaces #541.

🤖 Generated with Claude Code

Recreate of Dependabot PR #541 as a same-repo PR so full CI and the
Codex AI review can run (Dependabot's restricted context blocks both:
read-only token + separate secret store, and the reviewer action
refuses to run for the dependabot[bot] actor).

actions/checkout v7's headline change blocks fork-PR checkout under
pull_request_target / workflow_run; no workflow here uses those
triggers, so the bump is a no-op behavior change for this repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
igerber added the ready-for-ci (Triggers CI test workflows) label Jun 25, 2026
@github-actions


Overall Assessment

Looks good — No unmitigated P0 or P1 findings.

Executive Summary

  • The PR only updates actions/checkout@v6 to @v7 across workflow files; no estimator, variance, weighting, inference, or methodology code is changed.
  • Methodology Registry review found no affected causal inference method to cross-check.
  • The checkout bump is consistently propagated across the five changed active workflows.
  • Security-sensitive ai_pr_review.yml still gates checkout to same-repo PRs, and the changed workflows do not use pull_request_target or workflow_run.
  • Upstream actions/checkout@v7 adds the allow-unsafe-pr-checkout gate for fork checkout under pull_request_target / workflow_run; this repo’s changed workflows do not hit that path. (raw.githubusercontent.com)

Methodology

  • Severity: N/A
    Impact: No methodology-affecting files changed. No estimators, math, weighting, SE/variance logic, identification assumptions, or defaults are modified.
    Concrete fix: None.

Code Quality

  • Severity: N/A
    Impact: The dependency bump is mechanically consistent: all modified checkout references in .github/workflows/ai_pr_review.yml, docs-tests.yml, notebooks.yml, publish.yml, and rust-test.yml are updated to actions/checkout@v7.
    Concrete fix: None.

Performance

  • Severity: N/A
    Impact: No runtime library code or computational path changed. CI action startup behavior is outside estimator performance.
    Concrete fix: None.

Maintainability

  • Severity: N/A
    Impact: No new workflow branching or duplicated logic introduced. Existing workflow structure is preserved.
    Concrete fix: None.

Tech Debt

  • Severity: N/A
    Impact: No new TODO, deferred limitation, or methodological debt introduced. Existing TODO.md items are unrelated to this workflow-only bump.
    Concrete fix: None.

Security

  • Severity: N/A
    Impact: No new secret exposure or unsafe checkout path found. ai_pr_review.yml remains on pull_request, issue_comment, and pull_request_review_comment, with same-repo checkout gates at .github/workflows/ai_pr_review.yml:L183-L198; the changed workflows do not contain pull_request_target or workflow_run.
    Concrete fix: None.

Documentation/Tests

  • Severity: N/A
    Impact: No docs or tests are required for a workflow action version bump. I performed static review and did not run CI locally.
    Concrete fix: None.
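As an added example that is not part of this PR or the repository's own tooling: a small Python audit, written here, for the pattern the description and the bot review checked by hand, namely a checkout step that fetches the PR head under pull_request_target or workflow_run in a workflow with no same-repo guard (the case the description says actions/checkout v7 now refuses by default). The trigger and guard matching is line-based and heuristic, and the `is_fork` job output is an assumption taken from the PR text.

```python
import re
# Triggers that run with a write token and secrets even for fork PRs.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")
# Expressions that pin the checked-out ref to the untrusted PR head.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)\b")
# Guards limiting a job or step to same-repo PRs (the is_fork form assumes
# a job output named is_fork, as in the PR description).
SAME_REPO_GUARD = re.compile(r"head\.repo\.full_name\s*==\s*github\.repository"
                             r"|head\.repo\.fork\s*==\s*false|is_fork\s*==\s*'false'")

def privileged_triggers(text):
    """Privileged triggers declared under on:, block or flow style (heuristic)."""
    return [t for t in PRIVILEGED_TRIGGERS
            if re.search(rf"^[ \t]+{t}\s*:", text, re.M)
            or re.search(rf"^on:\s*\[[^\]]*\b{t}\b", text, re.M)]

def audit_workflow(name, text):
    """Findings: checkout steps fetching the PR head under a privileged
    trigger, in a file that has no same-repo guard anywhere."""
    triggers, lines = privileged_triggers(text), text.splitlines()
    if not triggers or any(SAME_REPO_GUARD.search(l) for l in lines):
        return []
    indent = lambda s: len(s) - len(s.lstrip())
    findings = []
    for i, line in enumerate(lines):
        if "actions/checkout@" not in line:
            continue
        # The step body is every following line indented deeper than '- uses'.
        step, j = [line], i + 1
        while j < len(lines) and (not lines[j].strip() or indent(lines[j]) > indent(line)):
            step.append(lines[j])
            j += 1
        if any(PR_HEAD_REF.search(s) for s in step):
            findings.append(f"{name}:{i + 1}: PR head checked out under "
                            f"{'/'.join(triggers)} with no same-repo guard")
    return findings

# Constructed sample workflows (not this repository's files).
RISKY = """\
on:
  pull_request_target:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
GUARDED = RISKY.replace("    runs-on:", "    if: github.event.pull_request"
                        ".head.repo.full_name == github.repository\n    runs-on:")
BASE_ONLY = RISKY.replace("pull_request_target:", "pull_request:")
```

Running `audit_workflow` over each file in .github/workflows reproduces the bot's "no unsafe checkout path" check as a repeatable CI step rather than a manual read.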

igerber merged commit cfd8db3 into main Jun 25, 2026
33 of 34 checks passed
igerber deleted the chore/bump-actions-checkout-v7 branch June 25, 2026 21:59