[ci] Update various actions to address Node 20 deprecation warnings

[fhanau]

Context: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

We should be updating packages anyway, but this resolves unsightly warnings about actions using Node 20, which will no longer be supported in Q2.

[ask-bonk]

remote: Permission to cloudflare/workerd.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/cloudflare/workerd.git/': The requested URL returned error: 403

github run

[ask-bonk]

@fhanau Bonk workflow failed. Check the logs for details.

View workflow run · To retry, trigger Bonk again.

[fhanau]

Not sure why CodeQL starts complaining now – https://github.com/actions/checkout does include some changes in v5/v6 but they should not negatively affect security.
Edit: I think it wants us to replace pull_request_target with pull_request which sounds reasonable (even though this issue already existed before this change). Will see if that helps here

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.69%. Comparing base (7eb16de) to head (b7159df).
⚠️ Report is 51 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6328      +/-   ##
==========================================
- Coverage   70.79%   70.69%   -0.11%     
==========================================
  Files         420      420              
  Lines      112279   113026     +747     
  Branches    18411    18533     +122     
==========================================
+ Hits        79488    79903     +415     
- Misses      21801    22082     +281     
- Partials    10990    11041      +51     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codspeed-hq]

Merging this PR will degrade performance by 11.21%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

❌ 1 regressed benchmark
✅ 69 untouched benchmarks
⏩ 129 skipped benchmarks¹

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
❌	Encode_ASCII_256[TextEncoder][0/0/256]	3.1 ms	3.5 ms	-11.21%

---

_{Comparing felix/031526-ci-update (b7159df) with main (71cce94)}

Footnotes

1. 129 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[fhanau]

I think our current use of pull_request_target for internal build is safe since we only run it for org members... Since CodeQL appears to complain about this if there's any change to the given file, I just kept that file as-is for now. In case actions/checkout@4 is broken when made to use Node 24 we'll have to fix this later but at least the other actions can be updated now.