[PR #733] [CLOSED] chore(deps): update github artifact actions (major) - autoclosed #732

Closed
opened 2026-03-03 14:32:31 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/konstruktoid/hardening/pull/733
Author: @renovate[bot]
Created: 2/26/2026
Status: Closed

Base: master ← Head: renovate/major-github-artifact-actions


📝 Commits (1)

  • 91e115c chore(deps): update github artifact actions

📊 Changes

2 files changed (+3 additions, -3 deletions)

📝 .github/workflows/scorecards.yml (+1 -1)
📝 .github/workflows/slsa.yml (+2 -2)

📄 Description

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/download-artifact | action | major | `v7.0.0` → `v8.0.0` |
| actions/upload-artifact | action | major | `v6.0.0` → `v7.0.0` |

Release Notes

actions/download-artifact (actions/download-artifact)

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in `actions/upload-artifact`, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the `Content-Type` header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new `skip-decompress` parameter to `false`.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the `digest-mismatch` parameter. To be secure by default, we are now defaulting the behavior to `error` which will fail the workflow run.

ESM

To support new versions of the `@actions/*` packages, we've upgraded the package to ESM.

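What's Changed

  • Don't attempt to un-zip non-zipped downloads by @danwkennedy in #460 (https://redirect.github.com/actions/download-artifact/pull/460)
  • Add a setting to specify what to do on hash mismatch and default it to `error` by @danwkennedy in #461 (https://redirect.github.com/actions/download-artifact/pull/461)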

Full Changelog: https://github.com/actions/download-artifact/compare/v7...v8.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new `archive` parameter to `false` to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The `name` parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the `@actions/*` packages, we've upgraded the package to ESM.

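What's Changed

  • Add proxy integration test by @Link- in #754 (https://redirect.github.com/actions/upload-artifact/pull/754)
  • Upgrade the module to ESM and bump dependencies by @danwkennedy in #762 (https://redirect.github.com/actions/upload-artifact/pull/762)
  • Support direct file uploads by @danwkennedy in #764 (https://redirect.github.com/actions/upload-artifact/pull/764)

New Contributors

  • @Link- made their first contribution in #754 (https://redirect.github.com/actions/upload-artifact/pull/754)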

Full Changelog: https://github.com/actions/upload-artifact/compare/v6...v7.0.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
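The "Enforced checks" and "Direct downloads" notes above describe two decisions made per download: what to do when the digest does not match, and whether to unzip. The sketch below is an added example, not code from actions/download-artifact; `handleDownload`, its option names, and the `application/zip` media type are assumptions chosen for illustration.

```javascript
// Added illustration; names are hypothetical, only the behaviour follows the notes.
const { createHash } = require("node:crypto");

// SHA-256 of the downloaded bytes, hex-encoded.
function sha256Hex(bytes) {
  return createHash("sha256").update(bytes).digest("hex");
}

// Decide what to do with one downloaded artifact.
//   expectedDigest : hex digest the server reported for the artifact
//   contentType    : Content-Type header of the download response
//   onMismatch     : "warn" (earlier behaviour) or "error" (v8 default)
function handleDownload(bytes, expectedDigest, contentType, onMismatch = "error") {
  const actual = sha256Hex(bytes);
  const result = {
    digestOk: actual === expectedDigest.toLowerCase(),
    warnings: [],
    unzip: false,
  };

  if (!result.digestOk) {
    const msg = `digest mismatch: expected ${expectedDigest}, got ${actual}`;
    if (onMismatch === "error") throw new Error(msg); // fails the workflow run
    result.warnings.push(msg); // run continues with unverified bytes
  }

  // Unzip only when the response says it is a zip (assumed media type).
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  result.unzip = mediaType === "application/zip";
  return result;
}

// Constructed sample data: one intact download and one altered after upload.
const original = Buffer.from("constructed artifact bytes");
const tampered = Buffer.from("constructed artifact bytez");
const serverDigest = sha256Hex(original);

function demo() {
  const ok = handleDownload(original, serverDigest, "application/zip");
  const warned = handleDownload(tampered, serverDigest, "text/plain", "warn");
  let failed = false;
  try {
    handleDownload(tampered, serverDigest, "application/zip"); // default policy
  } catch (e) {
    failed = true;
  }
  return { ok, warned, failed };
}

console.log(demo());
```

With the warn policy the altered bytes still reach later workflow steps, which is the gap the new default closes.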
