ci: update actions/download-artifact to v8 (dependabot #3)

[Copilot]

actions/download-artifact@v7 only warned on artifact hash mismatch; v8 defaults to failing the workflow run, closing the window for tampered artifacts to pass silently.

Changes

• cd.yml: actions/download-artifact v7.0.0 → v8.0.0 (both test-publish and publish jobs)
• ci.yml + cd.yml: actions/checkout v6.0.1 → v6.0.2 (patch, all steps)

All refs remain SHA-pinned per existing convention.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.osv.dev
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• https://api.github.com/repos/GalacticDynamics/zeroth/dependabot/alerts/3
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)
  • Triggering command: /usr/bin/curl curl -s -H Authorization: token ****** REDACTED (http block)
  • Triggering command: /usr/bin/curl curl -v -H Authorization: token ****** REDACTED (http block)
• osv.dev
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8c64388) to head (31923c9).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #35   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            6         6           
=========================================
  Hits             6         6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Updates GitHub Actions used by the CI/CD workflows to newer, SHA-pinned revisions, including a security-relevant bump of actions/download-artifact to a version that fails the run on artifact hash mismatch.

Changes:

• Bump actions/download-artifact from v7.0.0 to v8.0.0 (SHA-pinned) in the CD workflow’s publish jobs.
• Bump actions/checkout from v6.0.1 to v6.0.2 (SHA-pinned) across CI and CD workflows.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/ci.yml	Updates actions/checkout SHA pin to the v6.0.2 revision for CI jobs.
.github/workflows/cd.yml	Updates actions/checkout SHA pin and bumps actions/download-artifact to v8 (SHA-pinned) for publishing jobs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.