Skip to content

🚨 Update github actions (main) (major)#1679

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions
Open

🚨 Update github actions (main) (major)#1679
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6.0.2v7.0.0
actions/upload-artifact action major v6.0.0v7.0.1
codecov/codecov-action action major v5.5.2v7.0.0
softprops/action-gh-release action major v2.5.0v3.0.2

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v7

Compare Source

v6.0.2

Compare Source

This is a copy of the v7.0.0 release to make updates easier

What's Changed

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️
What's Changed

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

softprops/action-gh-release (softprops/action-gh-release)

v3.0.2

Compare Source

v3.0.1

Compare Source

3.0.1

  • maintenance release with updated dependencies

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄
  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉
Bug fixes 🐛
Other Changes 🔄

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛
Other Changes 🔄
  • docs: clarify token precedence by @​chenrui333 in #​752
  • docs: clarify GitHub release limits by @​chenrui333 in #​758
  • documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛
Other Changes 🔄
  • dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov

codecov Bot commented Feb 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unit-tests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from e4b43a1 to cf6e91d Compare March 5, 2026 10:13
@renovate renovate Bot changed the title 🚨 Update actions/upload-artifact action to v7 (main) 🚨 Update github actions (main) (major) Mar 26, 2026
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from cf6e91d to 88adc4b Compare March 26, 2026 18:47
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch 4 times, most recently from 0f4e8e1 to 8bbcd9b Compare April 15, 2026 12:51
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch 3 times, most recently from d434b3b to 7ff12a4 Compare April 23, 2026 14:15
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 7ff12a4 to d8efd66 Compare April 29, 2026 11:10
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch 3 times, most recently from 6aab9ac to d0a72c0 Compare May 19, 2026 00:10
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch 2 times, most recently from fc1e847 to bc16505 Compare May 28, 2026 16:20
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from bc16505 to 83d9f86 Compare June 7, 2026 06:12
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 7, 2026

Copy link
Copy Markdown

Review

Verdict: Approve

Summary

This Renovate PR updates four GitHub Actions to their next major versions across five workflow files. All changes are mechanical SHA-pin + version-comment swaps (9 additions, 9 deletions).

Action Update Files
actions/checkout v6.0.2 → v7.0.0 codeql, pre-merge-ci, push-bundles, release, scorecards
actions/upload-artifact v6.0.0 → v7.0.1 scorecards
codecov/codecov-action v5.5.2 → v7.0.0 pre-merge-ci
softprops/action-gh-release v2.5.0 → v3.0.2 release

Correctness ✅

  • All four SHA pins verified against upstream GitHub tags via API — each resolves to the correct version.
  • All actions/checkout references (6 occurrences) use the identical SHA. No inconsistencies.
  • No stale old-version SHA references remain in any files outside the diff (verified via grep across the entire repo, including 4 other workflow files).
  • Input compatibility verified for all actions:
    • actions/checkout v7: fetch-depth, persist-credentials inputs unchanged. The v7 breaking change (blocking fork PR checkout for pull_request_target) does not affect this repo — none of the modified workflows use pull_request_target.
    • codecov/codecov-action v7: use_oidc, flags, fail_ci_if_error inputs all present and unchanged in v7 action.yml. The v5→v7 jump (skipping v6) is safe — v6 was only a Node 24 runtime upgrade.
    • softprops/action-gh-release v3: name, tag_name, body, make_latest, generate_release_notes inputs all present. Only change is Node 20→24 runtime.
    • actions/upload-artifact v7: name, path, retention-days inputs all present. New archive parameter defaults to true, preserving existing behavior.

Security ✅

  • All actions remain SHA-pinned to full 40-character commit hashes (not floating tags).
  • No permissions: block changes in any workflow file.
  • No secrets exposure changes — push-bundles.yaml secret references are untouched.
  • No injection patterns introduced — no new run: steps or ${{ }} interpolations.
  • No prompt injection or Unicode steganography detected in PR body or workflow files.

Intent & Scope ✅

Mechanical Renovate bot dependency update — authorization is implicit from the automated, value-only nature of the change.

Style ✅

All changes follow the established action@sha # version pinning pattern consistently.

Documentation ✅

No documentation references specific CI action versions. No staleness concerns.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/codeql.yml
  • .github/workflows/pre-merge-ci.yaml
  • .github/workflows/push-bundles.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecards.yml

Labels: PR modifies GitHub Actions workflow files

Previous run

Review of #1679 — Update GitHub Actions (major)

Verdict: ✅ Approve

This PR is a routine Renovate dependency update that bumps four GitHub Actions to new major versions across five workflow files. All changes are pure commit SHA pin swaps with updated version comments — no workflow logic, permissions, inputs, or secrets are modified.

Actions Updated

Action Change Files
actions/checkout v6.0.2 → v7.0.0 codeql, pre-merge-ci, push-bundles, release (×2), scorecards
actions/upload-artifact v6.0.0 → v7.0.1 scorecards
codecov/codecov-action v5.5.2 → v7.0.0 pre-merge-ci
softprops/action-gh-release v2.5.0 → v3.0.1 release

Breaking Change Analysis

  • actions/checkout v7 blocks fork checkout for pull_request_target and workflow_run triggers. None of the five updated workflows use these triggers — all use pull_request, push, schedule, workflow_dispatch, or branch_protection_rule. ✅
  • actions/upload-artifact v7 adds a new optional archive parameter for direct uploads. Existing usage (name, path, retention-days) is unaffected. ✅
  • codecov/codecov-action v7 skips v6 (Codecov released v6 as a Node 24 bridge and v6.0.2 is described as "a copy of v7.0.0"). The existing inputs (use_oidc: true, flags, fail_ci_if_error) remain valid. The job already has id-token: write permission for OIDC. ✅
  • softprops/action-gh-release v3 is a Node 20→24 runtime upgrade with no API surface changes. Existing inputs (name, tag_name, body, make_latest, generate_release_notes) are fully supported. ✅

Security

  • All action references use full 40-character commit SHA pins — supply chain best practice. ✅
  • No permissions, secrets, or trigger changes. ✅
  • All updated actions are from well-known, trusted sources. ✅
  • The Codecov keybase account migration note (codecovsecuritycodecovsecops) uses the original GPG key — this is a legitimate infrastructure change, not a compromise indicator. ✅

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/codeql.yml
  • .github/workflows/pre-merge-ci.yaml
  • .github/workflows/push-bundles.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecards.yml
Previous run (2)

Review

Findings

High

  • [protected-path] .github/workflows/ — All five modified files are under the .github/ protected path. This PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue or obtain explicit human maintainer approval before merging.

Medium

  • [supply-chain integrity] .github/workflows/pre-merge-ci.yaml:77codecov/codecov-action is being bumped from v5.5.2 to v7.0.0, a two-major-version jump. This action receives an OIDC token (use_oidc: true) which makes it security-sensitive. The SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f should be verified against the upstream repository.
    Remediation: Verify the SHA matches the v7.0.0 tag at https://github.com/codecov/codecov-action. Review the changelog for v6 and v7 breaking changes, especially around OIDC token handling.

Low

  • [supply-chain integrity] .github/workflows/release.yaml:162softprops/action-gh-release is bumped from v2.5.0 to v3.0.1. This action runs with contents: write permission. The major version bump should be verified for behavioral changes.

  • [supply-chain integrity] .github/workflows/codeql.yml:67actions/checkout is bumped from v6.0.2 to v7.0.0 across five workflow files (six occurrences). As a first-party GitHub action the risk is lower, but the major version bump may change default behaviors.

Info

  • [sub-agent-failure] — The style-conventions sub-agent did not return findings: model not available. No style findings were evaluated for this review.
Previous run (3)

Review

Findings

High

  • [protected-path] .github/workflows/ — All five modified files (codeql.yml, pre-merge-ci.yaml, push-bundles.yaml, release.yaml, scorecards.yml) are under the .github/ protected path. This PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is required for all protected-path changes.

Medium

  • [edge-case] .github/workflows/pre-merge-ci.yaml:77 — codecov/codecov-action is being bumped from v5.5.2 to v7.0.0, skipping the entire v6 major release line. The workflow uses use_oidc: true (line 80) for authentication and has the required id-token: write permission (line 39). The compatibility of this parameter with v7 should be verified. Note that fail_ci_if_error: false (line 82) means a broken upload would be silent.
    Remediation: Run the pre-merge CI workflow on this branch to confirm coverage upload succeeds before merging. Check codecov-action v7 documentation for any changes to the use_oidc parameter.

Info

  • [edge-case] .github/workflows/release.yaml:162 — softprops/action-gh-release bumped from v2.5.0 to v3.0.0 (Node 20 → Node 24 runtime). The workflow uses runs-on: ubuntu-latest, so Node 24 compatibility is not a concern.
  • [permission-reduction] .github/workflows/codeql.yml:67 — actions/checkout upgraded from v6.0.2 to v7.0.0. All checkout references across the five workflows are pinned to the same commit SHA, ensuring consistency.
  • [permission-reduction] .github/workflows/scorecards.yml:84 — actions/upload-artifact upgraded from v6.0.0 to v7.0.1 with pinned SHA. The existing usage pattern remains compatible.
Previous run (4)

Review

Findings

High

  • [protected-path] .github/workflows/pre-merge-ci.yaml, .github/workflows/release.yaml, .github/workflows/scorecards.yml — All three modified files are under .github/, a protected path. This PR has no linked issue authorizing the changes. Human approval is required for all protected-path changes regardless of context.
    Remediation: Link an issue authorizing these dependency updates, or obtain explicit human maintainer approval.

Medium

  • [api-contract] .github/workflows/pre-merge-ci.yaml:77codecov/codecov-action is updated from v5.5.2 to v7.0.0, skipping major version v6 entirely. The use_oidc: true parameter (line 80) may no longer be a recognized input in v7. Because fail_ci_if_error: false (line 82), a failure from an unrecognized input would be silent — coverage uploads could stop working without any CI signal.
    Remediation: Verify against codecov-action v7 docs that use_oidc is still supported. Consider temporarily setting fail_ci_if_error: true or reviewing the first run's logs.

  • [supply-chain] .github/workflows/pre-merge-ci.yaml:77codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6. The pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f should be verified against the upstream v7.0.0 tag. This action runs with id-token: write (line 39), so a compromised or mislabeled version could exfiltrate an OIDC token. See also: [api-contract] finding at this location.
    Remediation: Verify the commit hash: git ls-remote https://github.com/codecov/codecov-action refs/tags/v7.0.0.

Low

  • [api-contract] .github/workflows/release.yaml:162softprops/action-gh-release is updated from v2.5.0 to v3.0.0. The inputs used (name, tag_name, body, make_latest, generate_release_notes) are core but major bumps can change semantics. See also: [supply-chain] finding at this location.

  • [supply-chain] .github/workflows/release.yaml:162softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. This action runs with contents: write (line 135). The pinned hash should be verified against the upstream v3.0.0 tag. See also: [api-contract] finding at this location.

Info

  • [api-contract] .github/workflows/scorecards.yml:84actions/upload-artifact is updated from v6.0.0 to v7.0.1. Inputs used (name, path, retention-days) are basic and no download-artifact usage exists in this repo. Minimal risk.

  • [supply-chain] .github/workflows/scorecards.yml:84actions/upload-artifact is a first-party GitHub action. Supply-chain risk is minimal for hash-pinned first-party actions.

  • [sub-agent-failure] — The style-conventions sub-agent did not return findings due to model unavailability. Non-critical for a mechanical version bump PR.

Previous run (5)

Review

Findings

High

  • [protected-path] .github/workflows/pre-merge-ci.yaml, .github/workflows/release.yaml, .github/workflows/scorecards.yml — All three modified files are under the .github/ protected path. This PR has no linked issue justifying the changes to governance/infrastructure files. Human approval is required for all protected-path changes.

Medium

  • [api-contract] .github/workflows/pre-merge-ci.yaml:80 — The use_oidc: true input is used with codecov/codecov-action, but this PR jumps from v5.5.2 to v7.0.0, skipping v6 entirely. In codecov-action v7, OIDC became the default authentication method and the use_oidc input may have been removed. GitHub Actions silently ignores unknown inputs so this won't cause a build failure, but the dead configuration is misleading. Verify that: (1) OIDC authentication works correctly without explicit opt-in with the existing id-token: write permission (line 39), and (2) no other v6/v7 breaking changes affect the flags or fail_ci_if_error inputs. Accumulating two major versions of breaking changes warrants review of both migration guides.

Low

  • [api-contract] .github/workflows/release.yaml:162softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The release notes indicate this is primarily a Node 20 to Node 24 runtime migration with no API changes, but the workflow uses make_latest: false and generate_release_notes: false which should be verified against v3 documentation. The release workflow runs on a weekly schedule, so a silent misconfiguration could produce unexpected release settings.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable. This is a non-critical gap; this dimension covers naming and code organization patterns which are not applicable to version-pin-only changes.

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 83d9f86 to 3614c3a Compare June 11, 2026 18:06
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 11, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:08 PM UTC · Completed 6:15 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 3614c3a to d88fa78 Compare June 18, 2026 20:48
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 18, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:51 PM UTC · Completed 8:58 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from d88fa78 to 6797c11 Compare June 19, 2026 19:16
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 19, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:19 PM UTC · Completed 7:27 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 6797c11 to 5e7d0bd Compare July 12, 2026 17:14
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 12, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 5:15 PM UTC · Completed 5:20 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed stale reviews from themself July 12, 2026 17:20

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 12, 2026
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 5e7d0bd to 99ddf9a Compare July 13, 2026 20:45
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 13, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:46 PM UTC · Completed 8:53 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment github_actions Pull requests that update GitHub Actions code and removed requires-manual-review Review requires human judgment labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main major renovate requires-manual-review Review requires human judgment size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants