Skip to content

chore(deps): update github artifact actions (major) #238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update github artifact actions (major) #238

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 3, 2025

This PR contains the following updates:

Package Type Update Change
actions/download-artifact action major v5.0.0 -> v6.0.0
actions/upload-artifact action major v4.6.1 -> v5.0.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

actions/download-artifact (actions/download-artifact)

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/download-artifact@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v5.0.0

Compare Source

v4.6.2

Compare Source

What's Changed

  • Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2

Configuration

📅 Schedule: Branch creation - "before 2am every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:test:long_running Skip long-running tests (≥5min) labels Nov 3, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2025
edited
Loading

Claude finished @renovate[bot]'s task —— View job

PR Review: GitHub Artifact Actions Update

Reviewing Renovate PR #238 for major version updates to GitHub artifact actions.

Todo List

  • Read .github/CLAUDE.md for CI/CD standards
  • Review all 8 changed workflow files
  • Analyze release notes for breaking changes
  • Verify artifact usage patterns are compatible
  • Check workflow syntax and structure
  • Provide comprehensive review feedback

✅ Review Summary

This Renovate PR updates GitHub artifact actions to their latest major versions. The changes are SAFE TO MERGE with no breaking API changes.

Changes Overview

8 workflow files updated:

  • _audit.yml
  • _build-native-only.yml
  • _ketryx_report_and_check.yml (2 download-artifact calls)
  • _package-publish.yml (4 artifact calls)
  • _scheduled-audit.yml
  • _scheduled-test-daily.yml
  • _scheduled-test-hourly.yml
  • _test.yml

Version Updates:

  • actions/upload-artifact: v4.6.1 → v5.0.0 (+5 files)
  • actions/download-artifact: v5.0.0 → v6.0.0 (+3 files)

Breaking Changes Analysis

upload-artifact v5.0.0

  • Primary change: Node v24.x support
  • API compatibility: ✅ No API changes required
  • Current usage: All usage patterns remain valid

download-artifact v6.0.0

  • Primary change: Node v24.x support
  • API compatibility: ✅ No API changes required
  • Current usage: All usage patterns remain valid
  • Dependency: Bumps @actions/artifact to v4.0.0

Workflow Compatibility Check

All artifact usage patterns verified compatible:

Upload patterns (5 occurrences):

- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  with:
    name: <artifact-name>
    path: <file-paths>
    retention-days: <1|7|30>

Download patterns (4 occurrences):

- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
  with:
    name: <artifact-name>
    path: <destination-path>

Download with pattern matching (1 occurrence):

- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
  with:
    pattern: dist_native-*
    path: dist_native_all/
    merge-multiple: false

All parameters used (name, path, pattern, merge-multiple, retention-days) remain supported in the new versions.

Security Review

SHA-pinned actions with version comments:

  • actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  • actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

No workflow permissions changes

No secret exposure risks

Medical Device Compliance

Ketryx workflow compatibility verified:

  • Artifact downloads in _ketryx_report_and_check.yml work with v6.0.0
  • SBOM and test result artifacts properly handled
  • Compliance reporting unaffected

BetterStack heartbeat monitoring:

  • No impact on scheduled workflow monitoring
  • Artifact uploads in scheduled jobs remain functional

CI/CD Impact Assessment

Affected workflows:

  1. Main CI/CD pipeline (ci-cd.yml) - Calls all affected reusable workflows
  2. Audit pipeline - Uses upload-artifact v5.0.0
  3. Test pipelines - Use upload-artifact v5.0.0
  4. Package publishing - Uses both upload v5.0.0 and download v6.0.0
  5. Native builds - Use upload-artifact v5.0.0
  6. Ketryx reporting - Uses download-artifact v6.0.0
  7. Scheduled jobs (3 workflows) - Use upload-artifact v5.0.0

Risk assessment:LOW RISK

  • No functional API changes
  • All usage patterns remain valid
  • Node v24.x support improves future compatibility
  • SHA-pinned versions ensure deterministic behavior

Testing Recommendations

Since this PR only updates dependency versions with no functional changes:

Add label: skip:test:long_running to save CI time (Renovate PRs should not need this, but recommended)

Verify in CI:

  • Lint and audit should pass ✓
  • Unit/integration tests should pass ✓
  • Artifact upload/download in test workflows should work ✓

Recommendations

  1. Merge this PR - Changes are safe and maintain compatibility
  2. Monitor first CI run - Verify artifacts upload/download successfully
  3. No code changes needed - All usage patterns remain valid
  4. ℹ️ Future benefit - Node v24.x support prepares for GitHub Actions runner updates

Adherence to Repository Standards

Follows .github/CLAUDE.md guidelines:

  • Reusable workflow pattern maintained
  • Artifact naming conventions preserved
  • Retention policies unchanged (1/7/30 days appropriate)
  • BetterStack heartbeat compatibility verified

No architectural violations:

  • No changes to workflow logic
  • Only dependency version updates
  • SHA pinning maintained for security

Final Verdict

✅ APPROVED - SAFE TO MERGE

This is a clean dependency update with no breaking API changes. The "major" version designation reflects Node v24.x support, not functional changes. All artifact upload/download patterns in the repository remain fully compatible.

Action: Merge when CI passes.

@codecov
Copy link

codecov bot commented Nov 3, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

❗ There is a different number of reports uploaded between BASE (3eddfe4) and HEAD (dd4f972). Click for more details.

HEAD has 6 uploads less than BASE
Flag BASE (3eddfe4) HEAD (dd4f972)
7 1

see 22 files with indirect coverage changes

@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch from 321a731 to dd4f972 Compare November 10, 2025 23:51
@github-actions
Copy link
Contributor

github-actions bot commented Nov 10, 2025
edited
Loading

Claude finished @renovate[bot]'s task —— View job

PR Re-Review: GitHub Artifact Actions Update

Re-analyzing PR #238 after synchronization event.

Todo List

  • Check commit history since last review
  • Review current workflow file changes
  • Analyze CI status and Codecov failure
  • Verify CI/CD compliance per .github/CLAUDE.md
  • Provide updated recommendations

📊 Current Status

Single commit on PR branch:

  • dd4f972 - "chore(deps): update github artifact actions"

CI Status: 4 workflows queued/in-progress (Build Native, CI/CD, Claude Code review)

Previous Review: Claude approved this PR on 2025-11-03 as "SAFE TO MERGE"

✅ Re-Review Findings

1. No New Changes Since Last Review

The PR contains the same changes that were previously reviewed and approved:

  • actions/upload-artifact: v4.6.1 → v5.0.0 (5 files)
  • actions/download-artifact: v5.0.0 → v6.0.0 (4 files)

2. Workflow Changes Validated

All 8 workflow files updated correctly:

Upload Artifact (v5.0.0) Usage:

- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  with:
    name: <artifact-name>
    path: <paths>
    retention-days: <1|7|30>

✅ Files: _audit.yml, _build-native-only.yml, _package-publish.yml (1x), _scheduled-audit.yml, _scheduled-test-daily.yml, _scheduled-test-hourly.yml, _test.yml

Download Artifact (v6.0.0) Usage:

- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
  with:
    name: <artifact-name>  # OR pattern: dist_native-*
    path: <destination>
    merge-multiple: false  # Optional

✅ Files: _ketryx_report_and_check.yml (2x), _package-publish.yml (3x)

3. Breaking Changes Analysis

No functional breaking changes:

  • v5.0.0 upload-artifact: Primarily Node v24.x support, no API changes
  • v6.0.0 download-artifact: Primarily Node v24.x support, bumps @actions/artifact to v4.0.0

All existing parameters (name, path, pattern, merge-multiple, retention-days) remain fully supported.

4. CI/CD Compliance Check

Per .github/CLAUDE.md standards:

Reusable workflow pattern - All files are reusable workflows (_*.yml)
SHA pinning - Actions pinned to commit SHAs with version comments
Artifact naming - Consistent conventions maintained
Retention policies - Appropriate (1/7/30 days based on use case)
BetterStack integration - Scheduled workflows unaffected

5. Codecov Failure Analysis

Codecov Comment:

Your project check has failed because the head coverage (62.91%) is below the target coverage (70.00%).

Root Cause: This appears to be a repository-wide coverage issue, NOT related to this PR.

Evidence:

  1. This PR changes only workflow files (.yml)
  2. Workflow files are excluded from coverage (.coveragerc omits */.github/*)
  3. Coverage target per CLAUDE.md is 85% minimum for code, not 70%
  4. The 62.91% indicates a broader test coverage gap in the main codebase

Recommendation: This Codecov failure should not block this PR, as it:

  • Is unrelated to workflow changes
  • Reflects existing coverage debt in the repository
  • Would require separate PRs to address code coverage

6. Commit Convention Check

Conventional commit: chore(deps): update github artifact actions

  • Type: chore
  • Scope: deps
  • Description: Clear and concise ✓

🔍 No Issues Found

This re-review confirms the original assessment:

No blocking issues
No code quality concerns (no code changes)
No architecture violations (workflow-only changes)
No test marker issues (no test changes)
No security concerns (SHA-pinned actions)
No breaking changes (compatible API)

📝 Final Recommendation

Status: APPROVED - SAFE TO MERGE (confirming previous review)

This PR:

  1. Updates GitHub Actions dependencies to latest stable versions
  2. Maintains full backward compatibility with existing workflows
  3. Improves future compatibility with Node v24.x runtime
  4. Follows repository standards (SHA pinning, naming conventions)
  5. Does not affect codebase coverage (workflow files only)

Action: Merge when CI passes. The Codecov failure is a repository-wide issue requiring separate attention.

Note: This was an automated re-trigger due to PR synchronization. No new changes were introduced since the previous Claude review on 2025-11-03.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 11, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant