🚨 Update github actions (main) (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/configure-pages	action	major	v5.0.0 → v6.0.0
actions/create-github-app-token	action	major	v2.2.2 → v3.2.0
actions/deploy-pages	action	major	v4.0.5 → v5.0.0
actions/download-artifact	action	major	v7.0.0 → v8.0.1
actions/upload-artifact	action	major	v6.0.0 → v7.0.1
actions/upload-pages-artifact	action	major	v4.0.0 → v5.0.0
codecov/codecov-action	action	major	v5.5.4 → v7.0.0
docker/setup-qemu-action	action	major	v3.7.0 → v4.1.0
softprops/action-gh-release	action	major	v2 → v3

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

actions/configure-pages (actions/configure-pages)

v6.0.0

Compare Source

Changelog

• upgrade to node 24 @​salmanmkc (#​186)
• Upgrade IA Publish @​Jcambass (#​165)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​163)
• pin draft release version @​YiMysty (#​162)
• Bump espree from 9.6.1 to 10.1.0 @​dependabot (#​160)
• Bump eslint-config-prettier from 8.8.0 to 9.1.0 @​dependabot (#​143)
• Be more friendly to Dependabot @​yoannchaudet (#​158)
• Bump eslint-plugin-github from 4.10.2 to 5.0.1 @​dependabot (#​154)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @​dependabot (#​156)
• Bump undici from 5.28.3 to 5.28.4 @​dependabot (#​145)

See details of all code changes since previous release.

v6

Compare Source

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

v3.1.0

Compare Source

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#​357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#​353) (e6bd4e6)
• update permission inputs (#​358) (076e948)

v3.0.0

Compare Source

• feat!: node 24 support (#​275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#​342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#​143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3

Compare Source

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

• Update Node.js version to 24.x @​salmanmkc (#​404)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​374)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @​dependabot (#​360)
• Make the rebuild dist workflow work nicer with Dependabot @​yoannchaudet (#​361)
• Bump the non-breaking-changes group across 1 directory with 3 updates @​dependabot (#​358)
• Delete repeated sentence @​garethsb (#​359)
• Update README.md @​tsusdere (#​348)
• Bump the non-breaking-changes group with 4 updates @​dependabot (#​341)
• Remove error message for file permissions @​TooManyBees (#​340)

---

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

actions/upload-pages-artifact (actions/upload-pages-artifact)

v5.0.0

Compare Source

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#​139)
• feat: add include-hidden-files input @​jonchurch (#​137)

See details of all code changes since previous release.

v5

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

v7

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.5

Compare Source

docker/setup-qemu-action (docker/setup-qemu-action)

v4.1.0

Compare Source

• Add reset input to uninstall current emulators by @​crazy-max in #​21
• Bump @​docker/actions-toolkit from 0.77.0 to 0.91.0 in #​250 #​247
• Bump brace-expansion from 1.1.12 to 1.1.15 in #​265
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​286
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​255
• Bump flatted from 3.3.3 to 3.4.2 in #​257
• Bump glob from 10.3.15 to 10.5.0 in #​254
• Bump handlebars from 4.7.8 to 4.7.9 in #​262
• Bump lodash from 4.17.23 to 4.18.1 in #​273
• Bump postcss from 8.5.6 to 8.5.10 in #​285
• Bump tar from 6.2.1 to 7.5.15 in #​287
• Bump tmp from 0.2.5 to 0.2.6 in #​291
• Bump undici from 6.23.0 to 6.26.0 in #​251
• Bump vite from 7.3.1 to 7.3.2 in #​271

Full Changelog: docker/setup-qemu-action@v4.0.0...v4.1.0

v4.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​245
• Switch to ESM and update config/test wiring by @​crazy-max in #​241
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​244
• Bump @​docker/actions-toolkit from 0.67.0 to 0.77.0 in #​243
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in #​240
• Bump js-yaml from 3.14.1 to 3.14.2 in #​231
• Bump lodash from 4.17.21 to 4.17.23 in #​238

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

v4

Compare Source

softprops/action-gh-release (softprops/action-gh-release)

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	53.56% <ø> (+<0.01%)	⬆️
generative	16.87% <ø> (ø)
integration	27.80% <ø> (ø)
unit	69.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

Review

Findings

High

• [privilege-escalation] .github/workflows/update-go-containerregistry.yaml:54 — The bump from actions/create-github-app-token v2 to v3 introduces a breaking change in default token scoping. In v2, omitting the repositories input scoped the token to the current repository. In v3, omitting repositories (when owner is also omitted) may grant the token access to ALL repositories where the GitHub App is installed. The workflow does not specify repositories or owner, so the token generated for the peter-evans/create-pull-request step could have broader repository access than intended, violating least-privilege.
  Remediation: Explicitly add repositories: ${{ github.event.repository.name }} to the actions/create-github-app-token step to preserve the v2 behavior of scoping the token to only the current repository.

• [protected-path] .github/workflows/ — All four modified files (.github/workflows/checks-codecov.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml) are under the .github/ protected path. The PR has no linked issue and the description does not explain why these governance/infrastructure files are being changed. Human approval is required for all protected-path changes.

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:195 — codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The disable_search input parameter is used in all four codecov upload steps. If disable_search is no longer supported in v7, Codecov may silently search for and upload unintended coverage files instead of using only the explicitly specified files. Additionally, skipping a major version makes incremental change auditing harder, particularly relevant given codecov's prior supply-chain compromise history.
  Remediation: Verify that disable_search: true is still a supported input in codecov/codecov-action v7.0.0 by checking the action's v7 action.yml. Review the v6 and v7 changelogs for changes in secret handling or upload behavior.

Low

• [api-contract] .github/workflows/release.yaml:204 — softprops/action-gh-release is bumped from v2 to v3. The make_latest parameter is used in both the rolling release and versioned release steps. If v3 changed this input's type or semantics, release behavior could be affected.
  Remediation: Verify that softprops/action-gh-release v3 still supports the make_latest input with the same semantics.

Info

• [permissions-audit] .github/workflows/checks-codecov.yaml — No permissions: blocks were changed in any of the four modified workflow files. The existing permission scoping remains unchanged by this diff.

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable.

• [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model unavailable.

Previous run

Review

Findings

High

• [protected-path] .github/workflows/ — All four modified files are under .github/, a protected path. This PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for protected-path changes regardless of context.
  • Affected files: checks-codecov.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:200 — codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The workflow uses disable_search: true in four codecov upload steps (lines 200, 209, 218, 227). This input may have been removed or renamed across the two major version jumps. If unrecognized, the action may fall back to auto-discovery, potentially uploading wrong or duplicate coverage files. Verify the codecov-action v6 and v7 changelogs confirm disable_search, files, flags inputs and the CODECOV_TOKEN env var pattern are still supported.

Low

• [api-contract] .github/workflows/update-go-containerregistry.yaml:57 — actions/create-github-app-token v3.1.0 deprecated the app-id input in favor of client-id. The workflow still uses app-id. While deprecated inputs typically continue to work, this should be migrated to client-id to avoid future breakage.

• [api-contract] .github/workflows/checks-codecov.yaml:89 — actions/upload-artifact is bumped from v6 to v7 while actions/download-artifact is bumped from v7 to v8. These cross-job artifact actions must use compatible backend versions. Confirm in the release notes that upload v7 artifacts can be downloaded by download v8.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on this deployment.

• [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on this deployment.

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] api-contract

actions/create-github-app-token v3.1.0 deprecated the app-id input in favor of client-id. The workflow still uses app-id. While deprecated inputs typically continue to work, this should be migrated to avoid future breakage.

Suggested fix: Replace app-id with client-id in the create-github-app-token step.

[fullsend-ai-review]

[low] api-contract

upload-artifact v6 to v7 and download-artifact v7 to v8 are both major bumps used cross-job. Confirm in release notes that upload v7 artifacts can be downloaded by download v8.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:18 PM UTC · Completed 9:27 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] privilege-escalation

The bump from actions/create-github-app-token v2 to v3 introduces a breaking change in default token scoping. In v2, omitting the repositories input scoped the token to the current repository. In v3, omitting repositories (when owner is also omitted) may grant the token access to ALL repositories where the GitHub App is installed. The workflow does not specify repositories or owner, so the token generated for the peter-evans/create-pull-request step could have broader repository access than intended, violating least-privilege.

Suggested fix: Explicitly add repositories: ${{ github.event.repository.name }} to the actions/create-github-app-token step to preserve the v2 behavior of scoping the token to only the current repository.

[fullsend-ai-review]

[medium] api-contract

codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The disable_search input parameter is used in all four codecov upload steps. If disable_search is no longer supported in v7, Codecov may silently search for and upload unintended coverage files instead of using only the explicitly specified files. Additionally, skipping a major version makes incremental change auditing harder, particularly relevant given codecov's prior supply-chain compromise history.

Suggested fix: Verify that disable_search: true is still a supported input in codecov/codecov-action v7.0.0 by checking the action's v7 action.yml. Review the v6 and v7 changelogs for changes in secret handling or upload behavior.

[fullsend-ai-review]

[low] api-contract

softprops/action-gh-release is bumped from v2 to v3. The make_latest parameter is used in both the rolling release and versioned release steps. If v3 changed this input's type or semantics, release behavior could be affected.

Suggested fix: Verify that softprops/action-gh-release v3 still supports the make_latest input with the same semantics.