chore(deps): Bump actions/checkout from 4 to 7

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           # diff-cover needs origin/main; hatch-vcs needs full history + tags for the version
           fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: test
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           # hatch-vcs derives the version from git history + tags; a shallow/tagless
           # checkout would build a bogus low version (e.g. 0.1.dev1).

.github/workflows/commitlint.yml

@@ -8,6 +8,6 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with: { fetch-depth: 0 }
       - uses: wagoid/commitlint-github-action@v6

.github/workflows/promote-prod.yml

@@ -240,7 +240,7 @@ jobs:
     outputs:
       version: ${{ steps.ver.outputs.version }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           # Check out the resolved release TAG (qualified as refs/tags/ so a same-named
           # branch can never be selected). Full history + tags so hatch-vcs stamps the

.github/workflows/publish.yml

@@ -42,15 +42,15 @@ jobs:
         run: |
           echo "$INPUT_TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$' \
             || { echo "::error::tag '${INPUT_TAG}' does not match ^v[0-9]+\\.[0-9]+\\.[0-9]+\$ — must be a plain vX.Y.Z tag"; exit 1; }
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         if: github.event.inputs.tag == ''
         with:
           # hatch-vcs derives the version from git history + tags. A shallow/tagless
           # checkout would build a bogus low version (e.g. 0.1.dev1) — fetch everything
           # so .devN (main) / clean vX.Y.Z (tag) resolve correctly.
           fetch-depth: 0
           fetch-tags: true
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         if: github.event.inputs.tag != ''
         with:
           # Replay: check out the exact release tag so hatch-vcs stamps clean vX.Y.Z.

.github/workflows/regen.yml

@@ -73,7 +73,7 @@ jobs:
           repositories: ${{ github.event.repository.name }},${{ secrets.SPEC_REPO }}
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           token: ${{ steps.app-token.outputs.token }}
           # The guard tests build the wheel (tests/build) via hatch-vcs, which derives

.github/workflows/release-please-validate.yml

@@ -11,7 +11,7 @@ jobs:
   dry-run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: googleapis/release-please-action@v5
         # Pure read-only validation: skip BOTH the release and the PR so the
         # action never attempts a write (tree/branch creation) with the