🚨 Update github actions (release-v0.7) (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6.0.2 → v7.0.0
actions/download-artifact	action	major	v7 → v8
actions/upload-artifact	action	major	v6.0.0 → v7.0.1
actions/upload-artifact	action	major	v6 → v7
codecov/codecov-action	action	major	v5.5.2 → v7.0.0
softprops/action-gh-release	action	major	v2.5.0 → v3.0.1

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v7

Compare Source

v6.0.2

Compare Source

This is a copy of the v7.0.0 release to make updates easier

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

softprops/action-gh-release (softprops/action-gh-release)

v3.0.1

Compare Source

3.0.1

• maintenance release with updated dependencies

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in #​781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[fullsend-ai-review]

Review

Findings

High

• [protected-path] .github/workflows/ — All five modified files (codeql.yml, pre-merge-ci.yaml, push-bundles.yaml, release.yaml, scorecards.yml) are under the .github/ protected path. This PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is required for all protected-path changes.

Low

• [supply-chain integrity] .github/workflows/release.yaml:117 — upload-artifact is referenced by mutable tag (@v7) instead of a pinned commit SHA. This is inconsistent with the scorecards workflow, which pins upload-artifact to SHA 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1. Note: this is a pre-existing condition carried forward from @v6, not newly introduced by this PR.
  Remediation: Pin to actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 (matching scorecards.yml).

• [supply-chain integrity] .github/workflows/release.yaml:155 — download-artifact is referenced by mutable tag (@v8) instead of a pinned commit SHA, inconsistent with the SHA-pinning convention used for other actions in this repository. Pre-existing condition carried forward from @v7.
  Remediation: Pin to actions/download-artifact@<full-sha> # v8.0.x.

Info

• [commit SHA verification] .github/workflows/release.yaml:162 — softprops/action-gh-release updated to SHA 718ea10b132b3b2eba29c1007bb80653f286566b (v3.0.1). Verify this SHA against the official repository.

• [commit SHA verification] .github/workflows/codeql.yml:67 — actions/checkout updated to SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 (v7.0.0). Verify against the official repository. Same change applies across all five workflow files.

Previous run

Review

Findings

High

• [protected-path] .github/workflows/ — All 5 modified files are under .github/, a protected path. This PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.

Medium

• [pinning-inconsistency] .github/workflows/release.yaml:117 — actions/upload-artifact@v7 uses a mutable tag reference instead of a SHA-pinned commit hash. The same PR already pins this action to a SHA in scorecards.yml (actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1), making the inconsistency clear.
  Remediation: Pin to actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1.

• [pinning-inconsistency] .github/workflows/release.yaml:155 — actions/download-artifact@v8 uses a mutable tag reference instead of a SHA-pinned commit hash. All other action references in this repository use SHA pinning. This workflow has contents:write permissions, making the supply-chain risk more impactful.
  Remediation: Pin to actions/download-artifact@<sha> # v8.0.1.

Low

• [major-version-jump] .github/workflows/pre-merge-ci.yaml:74 — codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6 entirely. Verify the CODECOV_TOKEN env-var pattern and input parameters are still compatible with v7.

• [major-version-jump] .github/workflows/release.yaml:161 — softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The step uses body, name, tag_name, make_latest, and generate_release_notes inputs — verify v3 still supports these parameters with the same semantics.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent was unavailable (model deployment issue). This dimension was not evaluated, though the mechanical nature of this version-bump PR means no style findings were expected.

Previous run (2)

Review

Findings

Medium

• [api-contract] .github/workflows/pre-merge-ci.yaml:80 — codecov/codecov-action is bumped from v5.5.2 directly to v7.0.0 (skipping v6). The workflow uses use_oidc: true (line 80), which was a v5-era input. Major version bumps commonly rename or remove inputs. If v7 has changed OIDC configuration semantics or removed use_oidc, this step will either fail or silently ignore the parameter, potentially breaking coverage uploads. Verify the codecov-action v7 changelog to confirm use_oidc is still supported with the same semantics.

• [supply-chain] .github/workflows/release.yaml — actions/upload-artifact@v7 and actions/download-artifact@v8 use tag-only pins without commit SHA hashes, unlike all other action references in this repository which use SHA pins (e.g., codecov/codecov-action@fb8b3582...). This workflow has contents: write permission — a compromised or force-pushed tag could lead to arbitrary code execution in the release pipeline. This is a pre-existing pattern (the prior refs were also tag-only at @v6/@v7), but the major version bump is the ideal time to align pinning strategy.

• [protected-path] .github/workflows/ — All three modified files are under the .github/ protected path. The PR is an automated Renovate dependency update with clear rationale, but human approval is always required for protected-path changes regardless of context.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:51 PM UTC · Completed 9:00 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] pinning-inconsistency

actions/upload-artifact@v7 uses a mutable tag reference instead of a SHA-pinned commit hash. The same PR already pins this action to a SHA in scorecards.yml (actions/upload-artifact@043fb46 # v7.0.1), making the inconsistency clear.

Suggested fix: Pin to actions/upload-artifact@043fb46 # v7.0.1

[fullsend-ai-review]

[medium] pinning-inconsistency

actions/download-artifact@v8 uses a mutable tag reference instead of a SHA-pinned commit hash. All other action references in this repository use SHA pinning. This workflow has contents:write permissions, making the supply-chain risk more impactful.

Suggested fix: Pin to the specific commit SHA for actions/download-artifact v8, e.g. actions/download-artifact@ # v8.0.1

[fullsend-ai-review]

[low] major-version-jump

codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6 entirely. Verify the CODECOV_TOKEN env-var pattern and input parameters are still compatible with v7.

[fullsend-ai-review]

[low] major-version-jump

softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The step uses body, name, tag_name, make_latest, and generate_release_notes inputs. Verify v3 still supports these parameters with the same semantics.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 7:19 PM UTC · Completed 7:29 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] supply-chain integrity

upload-artifact is referenced by mutable tag (@v7) instead of a pinned commit SHA, inconsistent with the SHA-pinning convention used for other actions in this repository. Pre-existing condition carried forward from @v6.

Suggested fix: Pin to actions/upload-artifact@043fb46 # v7.0.1 (matching scorecards.yml).

[fullsend-ai-review]

[low] supply-chain integrity

download-artifact is referenced by mutable tag (@v8) instead of a pinned commit SHA, inconsistent with the SHA-pinning convention used for other actions in this repository. Pre-existing condition carried forward from @v7.

Suggested fix: Pin to actions/download-artifact@ # v8.0.x.

[fullsend-ai-review]

[info] commit SHA verification

softprops/action-gh-release updated to SHA 718ea10b132b3b2eba29c1007bb80653f286566b (commented as v3.0.1). Verify this SHA against the official repository.

[fullsend-ai-review]

[info] commit SHA verification

actions/checkout updated to SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 (commented as v7.0.0). Verify against the official repository. Same change applies across all five workflow files.