ci: bump remaining node20 action pins to node24-ready releases (rebase of #28333)

[AIalliAI]

What

Bumps every remaining GitHub Actions pin that still declares the node20 runtime to its current node24-ready release, SHA-pinned. GitHub forces node20 actions onto node24 by default starting 2026-06-16 (and removes node20 from runners 2026-09-16) — every Tests/Lint run currently emits deprecation annotations for these pins.

This is a rebase of #28333 (credit: @daelnom-dev) onto current main. That PR is now conflicting: roughly half of its bumps have since landed on main piecemeal (checkout v6.0.2, setup-python v6.2.0, docker login v4.1.0, build-push v7.1.0, upload/download-artifact v7/v8 in tests.yml, sigstore v3.3.0, osv-scanner v2.3.8). This PR picks up the remainder, keeping that PR's exact SHAs:

action	from	to
astral-sh/setup-uv	v5 + v6	v8.1.0
actions/upload-artifact (lint/docker-publish/skills-index/pypi sites)	v4	v7.0.1
actions/download-artifact (docker-publish)	v4	v8.0.1
actions/github-script	v7	v9.0.0
actions/setup-node	v4	v6.4.0
actions/create-github-app-token	v1.9.3	v3.2.0
docker/setup-buildx-action	v3	v4.0.0
marocchino/sticky-pull-request-comment	v2.9.1	v3.0.4
actions/upload-pages-artifact + deploy-pages	v3 / v4	v5.0.0 / v5.0.0 (documented compatible pair)
cachix/cachix-action	v17	v17 re-tag (tree-identical commit)

Plus one comment fix: the setup-python pin in lint.yml was already bumped to the v6.2.0 SHA on main but still labeled # v5.

Verification

• Pin authenticity: every new SHA was resolved against the action's upstream repo tags (annotated tags dereferenced) — all 17 pins in ci: update GitHub Actions pins #28333 match their claimed release commits exactly.
• Breaking-change review vs this repo's actual usage, per major bump:
  • actions/checkout v6 (already on main) keeps persist-credentials: true as default; v6 moves credentials to $RUNNER_TEMP with no workflow changes required — the git push flows in nix-lockfile-fix.yml are unaffected.
  • create-github-app-token v2 removed the snake_case inputs — nix-lockfile-fix.yml already uses app-id/private-key, and the token output is unchanged.
  • github-script v9: both scripts in this repo use only require('fs') + github.rest.* / core.* — no getOctokit shadowing, no result-encoding.
  • upload-pages-artifact v4+ excludes dotfiles from the artifact — deploy-site.yml stages with cp -r website/build/* _site/docs/, which already drops top-level dotfiles; no load-bearing dotfiles in the Docusaurus build.
  • download-artifact v5's single-download path change applies only to artifact-ids downloads — this repo downloads by name or pattern + merge-multiple exclusively ("no action needed" cases).
  • setup-uv v6–v8 removals (python-version auto-venv, server-url, pyproject-file, tag conventions) — none used here; enable-cache + cache-dependency-glob in tests.yml keep identical semantics in v8.
  • setup-node v5 auto-caching trigger (packageManager field) — absent from all package.json files; every caching usage passes explicit cache: npm.
  • setup-buildx v4 / build-push v7 / login v4: removed inputs/envs unused; the consumed steps.push.outputs.digest is unchanged.
• All workflow files YAML-validated after the edit.

Closes #28333 if maintainers prefer this rebase; happy to close this one instead if @daelnom-dev rebases the original.

[AIalliAI]

Live verification: these exact pin bumps were cherry-picked onto the head of rollup PR #44061 (commit 1f0dc0d) and the full check suite ran green — Tests (all 6 shards + e2e), Lint, Docker Build and Publish, Nix (including the sticky-comment v3.0.4 path), uv.lock check, Docs Site Checks, Typecheck, Supply Chain Audit, History Check, Contributor Attribution.

The Node.js 20 deprecation annotations that previously appeared on every Tests/Lint run are gone on that head.