Update GitHub actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	major	v3.2.0 → v4.1.0
actions/cache	action	major	v4.3.0 → v5.0.4
actions/checkout	action	major	v5.0.1 → v6.0.2
actions/upload-artifact	action	major	v4.6.2 → v7.0.0
gradle/actions	action	major	v4.4.4 → v6.0.1
jdx/mise-action	action	major	v3.6.3 → v4.0.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in #​836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in #​838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in #​835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

actions/cache (actions/cache)

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

Compare Source

v5.0.0

Compare Source

gradle/actions (gradle/actions)

v6.0.1

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @​Goooler in #​792
• Add typing information for use by typesafegithub by @​bigdaz in #​910
• Mute license warning when terms are accepted by @​bigdaz in #​911
• Mention explicit license acceptance in notice by @​bigdaz in #​912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​907

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

• Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.
• Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.
• Dependencies updated to address security vulnerabilities

[!IMPORTANT]

Licensing notice

The caching functionality in `gradle-actions` has been extracted into `gradle-actions-caching`, a proprietary commercial component that is not covered by the MIT License.
The bundled `gradle-actions-caching` component is licensed and governed by a separate license, available at https://gradle.com/legal/terms-of-use/.

The `gradle-actions-caching` component is used only when caching is enabled and is not loaded or used when caching is disabled.

Use of the `gradle-actions-caching` component is subject to a separate license, available at https://gradle.com/legal/terms-of-use/.
If you do not agree to these license terms, do not use the `gradle-actions-caching` component.

What's Changed

• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​866
• Update known wrapper checksums by @​github-actions[bot] in #​868
• Dependency updates by @​bigdaz in #​876
• Update known wrapper checksums by @​github-actions[bot] in #​878
• Bump @​types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @​dependabot[bot] in #​877
• Bump the github-actions group across 3 directories with 3 updates by @​dependabot[bot] in #​867
• Update known wrapper checksums by @​github-actions[bot] in #​881
• Bump the npm-dependencies group in /sources with 6 updates by @​dependabot[bot] in #​879
• Bump the github-actions group across 3 directories with 5 updates by @​dependabot[bot] in #​880
• Remove configuration-cache support by @​bigdaz in #​884
• Extract caching logic into a separate gradle-actions-caching component by @​bigdaz in #​885
• Update gradle-actions-caching library to v0.3.0 by @​bot-githubaction in #​899
• Avoid windows shutdown bug by @​bigdaz in #​900
• Dependency updates by @​bigdaz in #​905
• Fix critical and high npm vulnerabilities by @​bigdaz in #​904
• Fix rendering of job-disabled message by @​bigdaz in #​909

Full Changelog: gradle/actions@v5.0.2...v6.0.0

v5.0.2

Compare Source

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

• Update dependencies by @​bigdaz in #​851
• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​850
• Update DV config by @​bigdaz in #​848
• Convert project to ESM and update dependencies by @​bigdaz in #​854
• Workflow fixes by @​bigdaz in #​856
• Remove superfluous text from log message by @​bigdaz in #​861
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​860
• Bump the npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​859
• Update known wrapper checksums by @​github-actions[bot] in #​857
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.0 to 2.21.1 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​862
• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​863
• Bump github/codeql-action from 4.32.3 to 4.32.4 in the github-actions group across 1 directory by @​dependabot[bot] in #​864

Full Changelog: gradle/actions@v5.0.1...v5.0.2

v5.0.1

Compare Source

What's Changed

• Bump npm code dependency versions
• Bump Gradle versions used in sample builds
• Bump dependencies versions in Gradle sample builds
• Bump GitHub actions used for build and test
• Update known wrapper checksums to include Gradle 9.2+

Full Changelog: gradle/actions@v5.0.0...v5.0.1

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​amyu in #​721

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency upgrades

• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​748

Full Changelog: gradle/actions@v4...v5.0.0

jdx/mise-action (jdx/mise-action)

v4.0.1: : Documentation and Internal Cleanup

Compare Source

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed

• Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @​deining in #​407 and #​408
• Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @​altendky in #​403

New Contributors

• @​deining made their first contribution in #​407

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0

Compare Source

What's Changed

• chore(deps): lock file maintenance by @​renovate[bot] in #​392
• chore(deps): update actions/setup-node digest to 53b8394 by @​renovate[bot] in #​396
• feat!: Update Node.js version from 20 to 24 by @​tumerorkun in #​395
• chore(deps): update github/codeql-action digest to 820e316 by @​renovate[bot] in #​397
• chore: release v4.0.0 by @​mise-en-dev in #​398

New Contributors

• @​tumerorkun made their first contribution in #​395

Full Changelog: jdx/mise-action@v3...v4.0.0

---

Configuration

📅 Schedule: Branch creation - "after 7am every weekday,before 8pm every weekday" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: BUILD-9291

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

SonarQube reviewer guide

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

Routine Renovate major-version bump PR. All actions remain SHA-pinned (good), versions are consistent across every file that uses each action, and there are no logic changes. The largest jumps — actions/upload-artifact v4→v7 and gradle/actions/setup-gradle v4→v6 — skip multiple major versions, so it's worth a quick scan of their changelogs for breaking input/output changes before merging, but the inputs used here (name, path, subject-path, cache-disabled, etc.) are stable across those versions.

🗣️ Give feedback