fix(ci): bump Node 20-era actions to Node 24 majors

[topcoder1]

Summary

GitHub will force Node.js 20 actions onto Node 24 starting 2026-06-16, and remove Node 20 from runners on 2026-09-16. Several reusable workflows in this repo still pin actions to Node 20-era majors, producing the deprecation warning:

Node.js 20 actions are deprecated… actions/setup-python@v5… Actions will be forced to run with Node.js 24 by default starting June 16th, 2026.

This bumps every action still on a Node 20-era major to its Node 24 major. Each target's runtime was verified by reading runs.using in the pinned tag's action.yml.

Changes

Action	Before	After	Runtime	Files
actions/setup-python	@v5	@v6	node20 → node24	tty-tests, coverage-floor, tests-runner
actions/setup-go	@v5	@v6	node20 → node24	coverage-floor, tests-runner
actions/download-artifact	@v4	@v7	node20 → node24	coverage-floor, audit-required-checks
marocchino/sticky-pull-request-comment	@v2	@v3	node20 → node24	coverage-floor

Already on Node 24 — left unchanged: actions/checkout@v6, actions/setup-node@v6, actions/upload-artifact@v7, dependabot/fetch-metadata@v3. anthropics/claude-code-action is SHA-pinned (composite action, separately managed) — out of scope.

Version-choice notes

• download-artifact → v7, not the latest v8. v7 is the first major to default to node24 (runs.using: node24), which is exactly what resolves the deprecation. v8 adds unrelated breaking changes — ESM migration, hash-mismatch-errors-by-default, and content-type-gated decompression. Both download sites here fetch by name: (coverage-floor) and pattern:/merge-multiple: (audit-required-checks), so none of the v5→v8 single-artifact-by-ID path or decompress changes apply. Staying at v7 keeps the change scoped to the runtime. (Reviewer: bump to v8 instead if you prefer latest — usage is compatible either way.)
• sticky-pull-request-comment v3.0.0 is a pure "update node to 24 + update deps" release — no input/API changes. The header/message inputs used here are unchanged.

Scope note

audit-required-checks.yml is a standalone scheduled workflow (not workflow_call), but it carried the same node20 download-artifact@v4 and emits the identical warning, so it's included for a complete sweep.

Verification

• grep confirms zero setup-python@v5 / setup-go@v5 / download-artifact@v[0-6] / sticky-pull-request-comment@v2 pins remain.
• All four changed workflow files pass yaml.safe_load.
• Each target tag's node24 runtime verified against its upstream action.yml.

Auto-merge rationale: Manual click-merge required — touches .github/workflows/** (high-risk surface per fleet policy), and this repo has no auto-merge caller anyway (filename collision with the reusable definition).

Codex pre-review: Skipped — trivial mechanical version bumps (8 single-token edits), no src/** code changed; below the Codex threshold.

🤖 Generated with Claude Code

[github-actions]

Coverage Floor — mode: enforce

metric	value
measured	100.0%
floor (current)	99.0%
target	100.0%
last bumped	2026-05-12

[claude]

No issues found. Mechanical version bumps are consistent across all four files, upload/download artifact versions are properly paired, and no breaking inputs are in use.