ci: update GHA deps to non-deprecated versions

[supervacuus]

see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

In our case, this only affects the following:

• actions/checkout (v3 -> v4)
• actions/setup-python (v4 -> v5)
• codecov/codecov-action (some previously "approved" sha-pin -> v4)

The last time I updated, some tool blocked the change due to codecov getting an unbounded major version assigned, which seemingly is only allowed for actions/*- and getsentry/*-actions. I hope this time it works since codecov is now a sentry product 😅.

skip-changelog

[supervacuus]

After a short discussion with @kahest, I will maintain the practice of pinning after selecting a version that solves whatever issue a version change should have fixed in the first place (in our case, usually deprecation or bugs). I might even do this for the whitelisted action sources (github, actions, getsentry) in danger, since getsentry/sentry even pins those.