chore(ci): bump GitHub Actions off Node 20 runtimes

[clo-ciq]

Summary

Node 20 reached EOL on 2026-04-30. This PR bumps GitHub Actions to current stable releases, pinned by full commit SHA with the target tag in a trailing comment.

⚠️ Heads up — review these specifically

Warning

Artifact actions changed semantics — review your upload/download steps before merging.

The breaking changes landed in upload-artifact v4 and download-artifact v4 and still apply through v7/v8. Bumps in this PR:

• actions/download-artifact: v4 -> v8.0.1
• actions/upload-artifact: v4 -> v7.0.1

Common gotchas to verify in this repo:

• Matrix uploads with a literal name: collide; v4+ no longer auto-merges. Interpolate (name: build-${{ matrix.os }}) or set overwrite: true.
• Multiple uploads in a job with no explicit name: all collide on the default artifact name.
• Hidden files (e.g. .coverage, .next/, .cache/) are excluded by default in v4+ — set include-hidden-files: true if you upload dotfiles.
• download-artifact no longer flattens by default — without a name:, it creates a subdir per artifact. Set merge-multiple: true if a downstream run: step expects a flat path.
• Cross-run downloads now require both github-token: and run-id:.

Changes

Action	Before	After
actions/checkout	v4	v6.0.2
actions/download-artifact	v4	v8.0.1
actions/setup-python	v5	v6.2.0
actions/upload-artifact	v4	v7.0.1

Files touched: 7 workflow file(s), 43 line change(s).

Test plan

• Existing CI runs on this PR and stays green.
• If this repo's workflows aren't PR-triggered, dispatch them manually after merge or via workflow_dispatch.

---

Part of an org-wide bulk update across ~135 ctrliq repos to escape Node 20 EOL.

[Copilot]

Pull request overview

Updates this repo’s CI workflows to use newer, SHA-pinned GitHub Actions releases (notably checkout, setup-python, and artifact upload/download) in response to Node 20 reaching EOL, aiming to keep CI executions compatible with GitHub’s evolving runtime requirements.

Changes:

• Pin actions/checkout to v6.0.2 commit SHA across workflows.
• Pin actions/setup-python to v6.2.0 commit SHA where used.
• Bump artifact actions to upload-artifact@v7.0.1 and download-artifact@v8.0.1 commit SHAs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/validate-kernel-commits.yml	Pins checkout/setup-python/upload-artifact to newer SHA-pinned releases for the validation workflow.
.github/workflows/validate-kernel-commits-comment.yml	Pins download-artifact/checkout/setup-python to newer SHA-pinned releases for the comment-posting workflow.
.github/workflows/sync.yml	Pins checkout to a newer SHA-pinned release for scheduled/manual sync automation.
.github/workflows/lt-rebase-merge.yml	Pins checkout to a newer SHA-pinned release for LT rebase/merge automation.
.github/workflows/kernel-build-and-test-multiarch.yml	Pins checkout/upload-artifact/download-artifact to newer SHA-pinned releases across the multi-arch pipeline.
.github/workflows/kernel-build-and-test-multiarch-trigger.yml	Pins upload-artifact to a newer SHA-pinned release for passing trigger metadata via artifacts.
.github/workflows/clk-rebase.yml	Pins checkout to a newer SHA-pinned release for CLK rebase automation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[PlaidCat]

We will approve this but we want to hold off until we're through DirtyFrag

[PlaidCat]

blocking until we're through current crisis.