Skip to content

🚨 Update github actions to v7 (main)#233

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions
Open

🚨 Update github actions to v7 (main)#233
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6.0.2v7.0.0
actions/upload-artifact action major v6.0.0v7.0.1

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from f856c89 to 8a140ee Compare April 10, 2026 18:06
@renovate renovate Bot changed the title 🚨 Update actions/upload-artifact action to v7 (main) 🚨 Update github actions to v7 (main) Jun 2, 2026
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 8a140ee to 22bd5ef Compare June 18, 2026 21:43
@renovate renovate Bot force-pushed the renovate/main-major-github-actions branch from 22bd5ef to 4590e0b Compare July 12, 2026 10:14
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 12, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:15 AM UTC · Completed 10:20 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review — approve

PR: #233 — 🚨 Update github actions to v7 (main)
Author: renovate[bot]
Scope: 1 file changed (.github/workflows/scorecards.yml), 2 additions, 2 deletions

Summary

This PR updates two SHA-pinned GitHub Actions in the OpenSSF Scorecard workflow from v6 to v7:

Action Old New
actions/checkout v6.0.2 (de0fac2e...) v7.0.0 (9c091bb2...)
actions/upload-artifact v6.0.0 (b7c566a7...) v7.0.1 (043fb46d...)

Dimension results

Dimension Result
Correctness ✅ No issues — SHA pins verified against GitHub API; both resolve to claimed tags. No breaking changes affect this workflow's triggers (push/schedule/branch_protection_rule) or inputs (persist-credentials: false, name/path/retention-days).
Security ✅ No issues — Permissions block unchanged (read-all top-level, scoped job permissions). No injection surfaces (no expression interpolation of user-controlled inputs). persist-credentials: false retained. actions/checkout v7's fork-blocking change is not relevant (workflow does not use pull_request_target or workflow_run).
Intent & coherence ✅ Mechanical dependency bump by Renovate bot — authorization implicit.
Style & conventions ✅ New lines follow the existing owner/action@full-sha # version-comment pinning pattern.
Docs currency ✅ CI workflow change — no documentation impact.
Cross-repo contracts ⏭ Skipped — no exported interfaces modified.

Verdict

Approve. Clean, mechanical dependency version bump. Both SHA pins are verified authentic, no breaking changes affect this workflow, and permissions are unchanged.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/scorecards.yml

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants