Bump GitHub Actions off the deprecated Node 20 runtime

[uribrecher]

Problem

GitHub is deprecating the Node 20 runtime on Actions runners (changelog). Our workflow runs now log a warning that several actions target Node 20 and are being force-run on Node 24:

• actions/checkout@v4
• actions/setup-go@v5
• peter-evans/create-pull-request@v6

They still run today (forced onto Node 24), so this is non-blocking — but once GitHub removes the forcing, these steps will fail.

Scope

Audit every workflow and bump each action to a major that natively targets Node 24:

• .github/workflows/ci.yaml — actions/checkout, actions/setup-go
• .github/workflows/cachebust-check.yaml — actions/checkout
• .github/workflows/release.yaml — actions/checkout, actions/setup-go, goreleaser/goreleaser-action
• .github/workflows/release-pr.yaml — actions/checkout, actions/setup-go, peter-evans/create-pull-request
• .github/workflows/release-publish.yaml — actions/checkout, actions/setup-go, goreleaser/goreleaser-action

Confirm each action's latest major is Node-24-based before bumping (e.g. actions/checkout@v5, actions/setup-go@v6 if available), and re-pin accordingly. Include goreleaser-action in the audit even though the current warning didn't name it.

Done when

• No Node-20 deprecation annotations appear on workflow runs.
• CI plus the release-pr / release-publish workflows still pass.