Skip to content

🚨 Update github actions (main) (major)#528

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions
Open

🚨 Update github actions (main) (major)#528
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6.0.2v7.0.0
actions/deploy-pages action major v4.0.5v5.0.0
actions/download-artifact action major v7.0.0v8.0.1
actions/github-script action major v8.0.0v9.0.0
actions/setup-node action major v6.1.0v7.0.0
actions/upload-artifact action major v6.0.0v7.0.1
actions/upload-pages-artifact action major v4.0.0v5.0.0

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.
What's Changed
New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v9

Compare Source

actions/setup-node (actions/setup-node)

v7.0.0

Compare Source

v7

Compare Source

v6.5.0

Compare Source

v6.4.0

Compare Source

What's Changed

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:
Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation
Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.2.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

actions/upload-pages-artifact (actions/upload-pages-artifact)

v5.0.0

Compare Source

Changelog

See details of all code changes since previous release.

v5

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://0dd3ad5e.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 156f344 to 0f2a36c Compare March 11, 2026 18:17
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://82e1c678.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 0f2a36c to 8b0c3ed Compare March 25, 2026 22:10
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://ca1d3651.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 8b0c3ed to c35a9fb Compare April 10, 2026 02:08
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://8cd54fa6.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from c35a9fb to e713a78 Compare April 10, 2026 21:42
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://a6c9d9b6.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from e713a78 to 5eb525c Compare April 15, 2026 08:50
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://5c2af602.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 5eb525c to b66bda7 Compare April 29, 2026 13:52
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://734adc21.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from b66bda7 to bba418f Compare May 12, 2026 10:49
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://a63e6978.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from bba418f to 4bb4e68 Compare June 18, 2026 21:10
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://bf4cad53.enterprise-contract.pages.dev

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 4bb4e68 to 90cf9b5 Compare July 12, 2026 17:05
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 12, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 5:06 PM UTC · Completed 5:12 PM UTC
Commit: 87c4a29 · View workflow run →

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://010e4b4f.enterprise-contract.pages.dev

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review — approve

PR: #528 — Update github actions (main) (major)
Author: renovate[bot]

Summary

Mechanical dependency update from Renovate bumping 7 GitHub Actions to their next major versions across 4 workflow files (build.yaml, preview.yaml, publish.yaml, scorecards.yml). All changes are SHA-pinned commit hash swaps with version comments — no workflow logic, permissions, or structural changes.

Key observations

  • SHA pinning preserved: All 10 updated action references use full 40-character SHA pins with version comments — the recommended supply-chain security posture.
  • Permissions unchanged: No permissions: blocks are added, removed, or modified. The new action versions do not require additional permissions beyond what the previous major versions needed.
  • checkout v7 safety: The main breaking change in checkout v7 ("block checking out fork PR for pull_request_target and workflow_run") does not affect this repo's workflows. In preview.yaml, the checkout step (line 70) does not specify a ref, so it checks out the default branch — not fork PR code. Fork-built content is obtained via the artifact download mechanism. In build.yaml, the trigger is pull_request (not pull_request_target), which is unaffected.
  • Artifact version compatibility: upload-artifact@v7 and download-artifact@v8 are the expected compatible pairing. The preview.yaml workflow downloads artifacts via the REST API (not download-artifact), making it version-agnostic.
  • No pre-existing issues worsened: The version bumps do not change the risk profile of any existing workflow patterns.

Follow-up opportunities

The following are pre-existing patterns in the modified workflow files. They are not introduced by this PR but are noted as defense-in-depth improvements for a future PR:

  1. preview.yamlrequire('fs') in github-script block (line 54): With the upgrade to github-script v9, consider replacing const fs = require('fs') with const fs = await import('node:fs') for ESM forward-compatibility.

  2. preview.yaml — expression interpolation in github-script blocks (lines 88, 91): ${{ steps.data.outputs.PR_NUMBER }} and ${{ steps.preview.outputs.PREVIEW_URL }} are interpolated directly into JavaScript. While PR_NUMBER is sanitized to digits-only upstream (line 66), the safer pattern is to pass values via env: and access them as process.env.*.

  3. build.yaml — unquoted expression (line 84): ${{ github.event.pull_request.number }} is a GitHub-controlled integer with no injection risk, but quoting it follows defense-in-depth best practices.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/build.yaml
  • .github/workflows/preview.yaml
  • .github/workflows/publish.yaml
  • .github/workflows/scorecards.yml
Previous run

Review — approve

Automated dependency update from Renovate — six GitHub Actions bumped to their next major versions across four workflow files.

Changes reviewed

Action Update Files
actions/checkout v6.0.2 → v7.0.0 build.yaml, preview.yaml, scorecards.yml
actions/upload-artifact v6.0.0 → v7.0.1 build.yaml, scorecards.yml
actions/github-script v8.0.0 → v9.0.0 preview.yaml
actions/download-artifact v7.0.0 → v8.0.1 publish.yaml
actions/upload-pages-artifact v4.0.0 → v5.0.0 publish.yaml
actions/deploy-pages v4.0.5 → v5.0.0 publish.yaml

Verification

  • SHA pin integrity — all six commit SHAs verified against upstream tag refs (including dereferencing annotated tags for actions/github-script)
  • Version comment accuracy — each # vX.Y.Z comment matches the pinned SHA

Breaking change analysis

  1. actions/checkout v7 — blocks checking out fork PR code in pull_request_target and workflow_run contexts. preview.yaml uses checkout under workflow_run, but does not specify a fork ref — it checks out the default branch (path: code, no ref). Safe for this repo's usage.

  2. actions/github-script v9require('@actions/github') no longer works (ESM migration). preview.yaml uses require('fs') (Node.js built-in), not @actions/github. Built-in module requires remain supported. The injected github client is used directly, which is the correct v9 pattern. Safe.

  3. actions/upload-artifact v7 + actions/download-artifact v8 — both sides of the artifact pipeline updated together. v7 upload defaults to archiving (no archive: false set), and v8 download auto-detects content type. Standard usage with path/name parameters is backward compatible. The preview workflow downloads artifacts via REST API and manual unzip, which is unaffected by the action version change. Safe.

  4. actions/upload-pages-artifact v5 / actions/deploy-pages v5 — Node.js 24.x runtime update. No API-level breaking changes affecting this repo's usage (standard path input). Safe.

Findings

Severity Category Finding
low style/conventions PR title 🚨 Update github actions (main) (major) does not follow Conventional Commits format (per AGENTS.md §4). Expected: ci: update github actions (major). This is Renovate's default format — consider configuring commitMessagePrefix in renovate.json to emit conventional commit titles.

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/build.yaml
  • .github/workflows/preview.yaml
  • .github/workflows/publish.yaml
  • .github/workflows/scorecards.yml

Labels: PR updates GitHub Actions workflow dependencies

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment github_actions Pull requests that update GitHub Actions code labels Jul 12, 2026
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 90cf9b5 to c9adc73 Compare July 14, 2026 06:43
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Review · ❌ Terminated · Started 6:44 AM UTC · Ended 7:00 AM UTC
Commit: 87c4a29 · View workflow run →

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Preview is available at https://c46993c8.enterprise-contract.pages.dev

@fullsend-ai-review

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 6:44 AM UTC · Completed 7:00 AM UTC
Commit: 87c4a29 · View workflow run →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main major renovate requires-manual-review Review requires human judgment size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants