Bump actions versions + correctly handle labels #2700

Open: thewhaleking wants to merge 5 commits into devnet-ready from chore/thewhaleking/update-workflows

thewhaleking commented May 28, 2026

Description

This is a two-part PR.
Part One:
Workflows run correctly depending on labeling now. Previously any label change would trigger the rerunning of a number of tests:

  • check-bittensor-e2e-tests.yml (should only not run on skip-bittensor-e2e-tests label)
  • check-devnet.yml (no-spec-version-bump label)
  • check-finney.yml (no-spec-version-bump label)
  • check-testnet.yml (no-spec-version-bump label)
  • cargo-audit.yml (skip-cargo-audit)
  • check-node-compat.yml (check-node-compat, switched from 'contains')

Part Two:
Basically every GitHub Action used in this PR was outdated and using deprecated Node versions, causing 200+ warnings on every run. It is annoying to look through annotations to find one that actually matters out of hundreds.

Related Issue(s)

N/A

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Other (please describe): better workflows

Breaking Change

N/A

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Screenshots (if applicable)

Screenshot 2026-05-28 at 15 08 33 Screenshot 2026-05-28 at 15 08 01

Additional Notes

I didn't touch the actions in ai-review.yml or ai-review-index-gittensor.yml because those use hash-specified actions versions, and I don't know why.

github-actions Bot commented May 28, 2026

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

BASELINE scrutiny: established 2018 account, repo write permission, high contribution counts, no committer mismatch, no Gittensor allowlist hit; branch chore/thewhaleking/update-workflows -> devnet-ready.

Reviewed the workflow-only diff for protected AI-review prompt changes, permission expansion, token exposure, dangerous trigger changes, and required-check bypasses. The PR does not modify .github/ai-review/* or .github/copilot-instructions.md. The label-event gates now only mirror a previous completed result for the same head SHA, so unrelated label changes do not create a fresh required-check success without an earlier successful run for that commit.

Findings

No findings.

Prior-comment reconciliation

  • dfa248d1: addressed — The current cargo-audit gate only skips on unrelated label events when it finds a previous successful completed run for the same head SHA; otherwise it runs or mirrors failure.
  • 3c04f825: addressed — The current E2E gate records mirror state only from a previous completed run for the same head SHA, then fails on prior failure or skips on prior success.
  • c904a582: addressed — The current devnet spec-version gate no longer treats any unrelated label event as success by itself; it requires a previous successful completed run for the same head SHA.
  • 0e7ef028: addressed — The current finney spec-version gate no longer treats any unrelated label event as success by itself; it requires a previous successful completed run for the same head SHA.
  • d73dddd6: addressed — The current testnet spec-version gate no longer treats any unrelated label event as success by itself; it requires a previous successful completed run for the same head SHA.

Conclusion

No malicious behavior or PR-introduced security vulnerability found in the current diff. The earlier label-event required-check bypass concerns remain addressed by gating skips on a prior completed run for the same head SHA.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor UNKNOWN by trusted allowlists; author has repo write permission and substantial contribution history, so review focused on workflow correctness.

The PR body is substantive and matches the workflow-only diff. No runtime or pallet files are touched, so no spec_version bump is needed.

I did not run Rust builds/tests for this workflow-only change. I parsed the touched workflow YAML successfully; actionlint is not installed in this environment.

No overlapping open PRs were reported in the prefetched overlap data.

Findings

No findings.

Prior-comment reconciliation

  • 9a06aca2: addressed — The current gate logic mirrors a previous completed success/failure for unrelated label events and otherwise runs the check, so an unrelated label event no longer creates a skipped-success replacement for required work.

Conclusion

Approving: the prior label-gating concern remains addressed by mirroring previous completed results for the same head SHA, and the remaining changes are consistent with workflow maintenance.
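
The label-event gate described in the review above (mirror a previous completed result for the same head SHA, otherwise run the check), as an added example that is not code from this PR or repository. The function name `decideGate`, the sample SHAs and the run history are assumptions made for illustration; "run" here means the workflow executes its normal logic, including its own skip-label handling.

```javascript
// Added example, not the PR's workflow code. Run records are constructed
// sample data; the field names (head_sha, status, conclusion, created_at)
// follow the GitHub REST "workflow run" object.

// Decide what a label-gated required check should do for one event.
// Returns "run", "skip" (mirror prior success) or "fail" (mirror prior failure).
function decideGate(event, gateLabel, priorRuns) {
  const isLabelEvent = event.action === "labeled" || event.action === "unlabeled";
  if (!isLabelEvent) return "run";             // push/synchronize: always run
  if (event.label === gateLabel) return "run"; // the gate's own label changed

  // Unrelated label: only a finished run for the SAME head SHA may be mirrored.
  const mirrored = priorRuns
    .filter((r) => r.head_sha === event.head_sha && r.status === "completed")
    .filter((r) => r.conclusion === "success" || r.conclusion === "failure")
    .sort((a, b) => b.created_at.localeCompare(a.created_at))[0];

  if (!mirrored) return "run";                 // nothing to mirror: do the work
  return mirrored.conclusion === "success" ? "skip" : "fail";
}

// Constructed run history: one passing commit, one failing, one still running.
const RUNS = [
  { head_sha: "aaa111", status: "completed", conclusion: "success", created_at: "2026-05-28T15:00:00Z" },
  { head_sha: "bbb222", status: "completed", conclusion: "failure", created_at: "2026-05-28T15:10:00Z" },
  { head_sha: "ccc333", status: "in_progress", conclusion: null, created_at: "2026-05-28T15:20:00Z" },
];

function demo() {
  const GATE = "skip-cargo-audit";
  const labeled = (sha, name) => ({ action: "labeled", label: name, head_sha: sha });
  return {
    unrelatedAfterSuccess: decideGate(labeled("aaa111", "documentation"), GATE, RUNS),
    unrelatedAfterFailure: decideGate(labeled("bbb222", "documentation"), GATE, RUNS),
    // The bypass case: an unrelated label on a commit with no finished run
    // must not produce a skipped "success" for the required check.
    unrelatedNoFinishedRun: decideGate(labeled("ccc333", "documentation"), GATE, RUNS),
    gateLabelChanged: decideGate(labeled("aaa111", GATE), GATE, RUNS),
    newCommit: decideGate({ action: "synchronize", head_sha: "ddd444" }, GATE, RUNS),
  };
}

console.log(demo());
```
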

github-actions Bot left a comment

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread .github/workflows/cargo-audit.yml Outdated

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

github-actions Bot left a comment

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread .github/workflows/cargo-audit.yml Outdated
Comment thread .github/workflows/check-devnet.yml Outdated
Comment thread .github/workflows/check-finney.yml Outdated
Comment thread .github/workflows/check-testnet.yml Outdated
Comment thread .github/workflows/check-bittensor-e2e-tests.yml Outdated

🔄 AI review updated — Skeptic: VULNERABLE

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

thewhaleking marked this pull request as ready for review May 28, 2026 16:58
thewhaleking requested a review from a team May 28, 2026 16:58

🔄 AI review updated — Skeptic: SAFE Auditor: 👍
