[CI] Bump upload-artifact v4->v7 + codeql-action v3->v4 (manual, supersedes 539/541)

[atlas-apex]

Driver

Dependabot opened bumps for actions/upload-artifact (v4→v7, #539) and github/codeql-action (v3→v4, #541), but their branches were cut from main and conflict with dev's diverged workflow files; dependabot can't auto-target dev until the target-branch: dev config (merged in #588) reaches main via a release. Apply the two major bumps manually against dev and close the conflicting dependabot PRs.

Scope

• .github/workflows/: bump every actions/upload-artifact@v4 → @v7 (extract-subpacks-on-release.yml, security-scan.yml, scorecard.yml) and every github/codeql-action/*@v3 → @v4 (codeql.yml init+analyze, scorecard.yml upload-sarif).
• Close dependabot PRs chore: bump actions/upload-artifact from 4 to 7 #539 and chore: bump github/codeql-action from 3 to 4 #541 with a pointer to this PR.

Acceptance Criteria

• All upload-artifact usages on dev are @v7; all codeql-action usages are @v4.
• CI green on the PR.
• chore: bump actions/upload-artifact from 4 to 7 #539 and chore: bump github/codeql-action from 3 to 4 #541 closed referencing this PR.

Glossary

Term	Definition
Major action bump	Upgrading a pinned GitHub Action across a major version, possibly with breaking changes — validated by the PR's own CI.

[atlas-apex]

Fixed in 38dcf45 (PR #593), merged to dev — it'll auto-close on the next release to main, closing now since it's resolved. ✅