[8.2] Bump GitHub Actions to Node 24 compatible versions [MOD-15112]

[dor-forer]

Describe the changes in the pull request

Manual backport of #947 to 8.2. The automated backport failed due to a single conflict on the notify-on-failure step in event-nightly.yml (the Slack action v1 → v3 migration).

Migrates JavaScript-based GitHub Actions to versions running on the Node 24 runtime, ahead of the June 2, 2026 Node 20 deprecation.

Version bumps:

Action	Old	New
actions/checkout	v4	v6
actions/setup-python	v5	v6
actions/upload-artifact	v4	v7
aws-actions/configure-aws-credentials	v4	v6
machulav/ec2-github-runner	v2.4.2	v2.6.1
codecov/codecov-action	v4	v6
github/codeql-action/*	v3	v4
korthout/backport-action	v3	v4
release-drafter/release-drafter	v6	v7
slackapi/slack-github-action	v1	v3 (input-based webhook config)

Conflict resolution: took the v3 incoming-webhook variant of the Slack notify step from #947 (replaces the SLACK_WEBHOOK_URL env var with webhook / webhook-type inputs and adds repository to the payload).

Which issues this PR fixes

1. MOD-15112

Main objects this PR modified

1. .github/workflows/arm.yml
2. .github/workflows/benchmark-runner.yml
3. .github/workflows/codeql-analysis.yml
4. .github/workflows/coverage.yml
5. .github/workflows/event-nightly.yml
6. .github/workflows/event-pull_request.yml
7. .github/workflows/release-drafter.yml
8. .github/workflows/task-backport_pr.yml
9. .github/workflows/task-unit-test.yml

Mark if applicable

• This PR introduces API changes
• This PR introduces serialization changes

---

Note

Medium Risk
Moderate risk: CI behavior depends on updated third-party action versions (AWS runner lifecycle, artifact upload, CodeQL, Codecov, backport automation) and could cause workflow failures or changed defaults.

Overview
Modernizes CI workflows for upcoming Node runtime changes by bumping multiple GitHub Actions across ARM, benchmarks, coverage, CodeQL, PR CI, release drafting, and backport automation (e.g., actions/checkout@v6, aws-actions/configure-aws-credentials@v6, actions/upload-artifact@v7, github/codeql-action@v4, codecov/codecov-action@v6).

Adjusts nightly failure notifications by migrating slackapi/slack-github-action from v1 to v3, switching to webhook/webhook-type inputs and expanding the payload with repository info.

^{Reviewed by Cursor Bugbot for commit e26d7aa. Bugbot is set up for automated code reviews on this repo. Configure here.}

[jit-ci]

🛡️ Jit Security Scan Results

✅ No security findings were detected in this PR

---

^{Security scan by Jit}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e26d7aa. Configure here.}

[cursor]

Deprecated file input not updated for codecov v6

Low Severity

The codecov/codecov-action was bumped from v4 to v6, but the file input was not renamed to files. The file input was deprecated in v5 in favor of files. While it still functions in v6 (generating a deprecation warning), this migration should address the rename since the PR is already making version-compatibility changes to this action.

 

^{Reviewed by Cursor Bugbot for commit e26d7aa. Configure here.}

[dor-forer]

Closing in favor of re-backporting once #953 merges. The bumped codecov-action with: key in this PR is broken (file: was renamed to files: in v5; see #953).