ci: bump checkout and setup-bun in test workflows to Node 24 releases

[ant-kurt]

GitHub flags Node 20 actions as deprecated on every run ahead of the June 16 forced Node 24 cutover. The action's own files are already Node 24-ready (#1378, #1377 pending for setup-node); the remaining warnings come from the test workflows' pins:

• actions/checkout v4 (11bd7190, node20) → v6.0.2 (de0fac2e, node24) — 13 uses
• oven-sh/setup-bun v2.0.2 (735343b6, node20) → v2.2.0 (0c5077e5, node24) — 2 uses in test-mcp-servers.yml

SHA-pin swaps only; no input or behavior changes.

[claude]

LGTM — verified the new SHA pins resolve to actions/checkout v6.0.2 and oven-sh/setup-bun v2.2.0; mechanical CI pin bump consistent with the rest of the repo.

Extended reasoning...

Overview

This PR is a pure SHA-pin swap across six workflow files in .github/workflows/ (the five test workflows plus sync-base-action.yml): 13 occurrences of actions/checkout move from the v4 (node20) pin to de0fac2e, and 2 occurrences of oven-sh/setup-bun in test-mcp-servers.yml move to 0c5077e5. No inputs, steps, or job logic change.

Verification

I independently verified both new pins via git ls-remote: de0fac2e4500dabe0009e67214ff5f5447ce83dd is exactly the v6.0.2 tag of actions/checkout, and 0c5077e51419868618aeaa5fe8019c62421857d6 is exactly the v2.2.0 tag of oven-sh/setup-bun — matching the comments added next to each pin. The setup-bun pin is already used in action.yml and base-action/action.yml, and other workflows in this repo (ci.yml, claude.yml, release.yml, issue-triage.yml) already use checkout v6, so this brings the test workflows in line with established patterns rather than introducing anything new.

Security risks

Bumping pinned third-party actions is the main risk surface, but both targets are official, widely-used releases pinned by full commit SHA and verified against the upstream tags, so there is no opportunity for tag-moving or typosquatting. sync-base-action.yml does handle a deploy key, but only its checkout step changes and the new pin is a verified official release.

Level of scrutiny

This is CI-only configuration with no production code paths touched; the appropriate scrutiny is confirming the SHAs match the claimed releases, which I did. The single inline finding is a nit about two pre-existing node20 stragglers (ci.yml's setup-bun@v1 and the base-action/examples/issue-triage.yml example) that this PR does not touch — worth a quick follow-up but not a reason to hold this change.

[claude]

🟡 Two occurrences of the node20 pattern this PR sweeps out were missed: the prettier job in .github/workflows/ci.yml (line 28) still uses oven-sh/setup-bun@v1 (node20), so the deprecation warning will keep appearing on every pull_request run, and base-action/examples/issue-triage.yml (line 17) still pins the exact node20 checkout SHA 11bd7190 # v4 being replaced everywhere else — and that example is published to the standalone claude-code-base-action repo via sync-base-action.yml. Both are pre-existing (this PR doesn't touch those lines) and trivially fixable here or in a follow-up: bump ci.yml to the same pinned setup-bun v2.2.0 SHA 0c5077e5 and the example to the checkout v6.0.2 SHA de0fac2e.

Extended reasoning...

What was missed. The PR's stated goal is to remove the remaining Node 20 deprecation warnings ahead of the June 16 forced Node 24 cutover, and the description says the remaining warnings come from the test workflows' pins. The 13 actions/checkout bumps (11bd7190 v4/node20 → de0fac2e v6.0.2/node24) and the 2 oven-sh/setup-bun bumps in test-mcp-servers.yml (735343b6 v2.0.2/node20 → 0c5077e5 v2.2.0/node24) are all correct — the new SHAs resolve to releases whose action.yml declares using: node24. However, two occurrences of the same node20 pattern remain in the repo after this PR.

1. .github/workflows/ci.yml:28 — prettier job still on setup-bun@v1. The test and typecheck jobs in the same file already use oven-sh/setup-bun@v2, but the prettier job still uses @v1, whose action.yml declares using: node20 (verified against the v1 tag, currently resolving to f4d14e03). ci.yml runs on every pull_request and is also invoked via workflow_call from ci-all.yml.

Step-by-step: (1) a contributor opens any PR; (2) ci.yml triggers and the prettier job runs oven-sh/setup-bun@v1; (3) the runner resolves the v1 tag, sees runs.using: node20 in its action.yml, and emits the "Node.js 20 actions are deprecated" annotation; (4) the warning the PR set out to eliminate keeps appearing on every run after merge, slightly contradicting the description's claim that the test workflows' pins were the last node20 sources. Nothing in this PR prevents it because ci.yml isn't touched.

2. base-action/examples/issue-triage.yml:17 — last remaining occurrence of the old checkout SHA. A repo-wide search shows this is the only file still containing actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4, the exact node20 SHA replaced in the 13 other locations. The sync-base-action.yml workflow (which this PR does modify) publishes the entire base-action/ directory — including this example — verbatim to the public anthropics/claude-code-base-action repo, so users copying the published example inherit a deprecated checkout pin that becomes unsupported after the cutover. Notably base-action/action.yml already uses the new setup-bun v2.2.0 SHA and the README uses checkout@v6, so the example is the lone straggler. It never executes as a workflow in this repo, so it produces no warnings here — this part is purely a missed occurrence in published documentation.

Why this doesn't block the PR. Neither file is modified by this PR, the changed lines themselves are all correct, and the impact is limited to a persistent deprecation warning (ci.yml) and a stale published example (issue-triage.yml) — no functional breakage until GitHub fully removes node20 runner support. All verifiers agreed these are completeness gaps in the same sweep, not regressions.

How to fix. In this PR or a one-line follow-up: bump ci.yml's prettier job to oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 (the same pin used in test-mcp-servers.yml here, and consistent with the other two jobs in ci.yml), and bump base-action/examples/issue-triage.yml:17 to actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2.