fix: update undici dependency path for CVE-2026 alerts

[dannyneira]

Summary

• Updates @actions/core from ^1.6.0 to ^2.0.3, which pulls @actions/http-client@3.0.2 and patched undici@6.25.0.
• Rebuilds the checked-in dist/ bundle with ncc.
• Updates CI Node setup from 16.x to 20.x to match action.yml and the patched dependency engine requirements.

Dependabot alerts resolved

• https://github.com/warpdotdev/generate-changelog/security/dependabot/53 — CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q
• https://github.com/warpdotdev/generate-changelog/security/dependabot/54 — CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8
• https://github.com/warpdotdev/generate-changelog/security/dependabot/41 — CVE-2026-22036 / GHSA-g9mf-h72j-4rw9
• https://github.com/warpdotdev/generate-changelog/security/dependabot/51 — CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm
• https://github.com/warpdotdev/generate-changelog/security/dependabot/52 — CVE-2026-1527 / GHSA-4992-7rv2-5pvq

Notes

• These were transitive runtime alerts for undici through @actions/core -> @actions/http-client.
• Dependabot reported alert 41 could not be fixed on the old @actions/http-client@2.2.3 path because it required undici@^5.25.4; this PR moves to the upstream @actions/core@2.0.3 path instead of forcing an override.

Verification

• npm audit --json: undici, @actions/core, and @actions/http-client are no longer reported as vulnerable.
• npm --prefix /workspace/generate-changelog run all
• npx --yes npm@8 ci --prefix /workspace/generate-changelog

Conversation: https://staging.warp.dev/conversation/8004f084-5693-4f77-9267-be632984a3c4
Run: https://oz.staging.warp.dev/runs/019e3184-22d2-71d7-a0cd-719bd9ee2224
This PR was generated with Oz.