ci: bump artifact actions to Node 24 (upload-artifact v7, download-artifact v8)

[lucasmundim]

What

Bump the artifact actions in docker-publish.yml to Node 24 majors, clearing the "Node.js 20 actions are deprecated" warnings that show on every release run:

• actions/upload-artifact @v4 → @v7
• actions/download-artifact @v4 → @v8

Why these versions

GitHub deprecated Node 20 actions. For the artifact actions, v5 (upload) / v6 (download) only had preliminary Node 24 support and still defaulted to Node 20 — so the first versions that actually default to Node 24 are upload v6+ and download v7+. I went to the current latest majors.

Compatibility

The with: params we use are unchanged across these versions:

• upload: name, path, if-no-files-found, retention-days
• download: path, pattern, merge-multiple

download v8 adds a secure digest-mismatch=error default + an ESM migration (transparent to callers) — both safe for the empty digest-marker files this pipeline uploads/downloads. The latest runners (Blacksmith ubuntu-2404 + GitHub-hosted) meet the >= 2.327.1 runner requirement.

These were the only two actions flagged; checkout@v6, docker/*, and setup-helm@v5 already run on Node 24.

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.}

[shingonoide]

Clean CI maintenance. Bumps actions/upload-artifact@v4 -> @v7 (docker-publish.yml:86) and actions/download-artifact@v4 -> @v8 (line 115), the Node 24 majors. Verified:

• Both target versions are real published majors on Node 24 (using: node24 in each action.yml).
• No artifact-name collision across the controller + claimer x amd64/arm64 matrix: uploads use digests-${{ matrix.image.name }}-${{ matrix.arch.name }} (four distinct names); the merge job downloads pattern: digests-${{ matrix.image }}-* with merge-multiple: true, so the upload/download contract holds across the v7/v8 pairing.
• No other workflow (lint.yml, test.yml, test-e2e.yml, helm-crd-sync-check.yml) references these actions; pinning stays version-tag style.

Two non-blocking notes:

1. The green CI here does not exercise the bump: the upload/export steps and the whole merge job are gated on github.event_name != 'pull_request', so they were skipped. First real execution is the next push to main or a tag.
2. download-artifact@v8 flips the digest-mismatch default to error (was a warning). A safety improvement, but the merge job will now hard-fail on a mismatched artifact rather than warn. Heads-up for the first run of the new flow.

LGTM.

[leandrobmarinho]

Verified the artifact-action bump end-to-end against upstream release notes: upload-artifact v7 and download-artifact v8 stay on the same v4-era Artifacts backend (cross-version compatible), merge-multiple/pattern/path are unchanged through v8, and the flat extraction layout the manifest-merge step relies on (printf '...@sha256:%s ' * over /tmp/digests) is preserved -- every breaking change across the bumped majors is either a Node-24 runtime bump or scoped to behaviors this digest-merge flow doesn't use (by-ID downloads, archive:false, hidden files). Names are unique per matrix leg so the v4 immutability/overwrite rules are satisfied. Two non-blocking heads-ups: the node24 runtime requires Actions Runner >= 2.327.1 (matters since these run on Blacksmith runners, not GitHub-hosted), and the Upload/Download digest steps are gated 'if: github.event_name != pull_request' so the merge job is skipped on PRs -- this PR's green checks don't actually exercise the bumped actions, so the first real validation is the next push to main. Looks good.