Conversation

@renovate renovate bot commented Oct 30, 2025

This PR contains the following updates:

Package Type Update Change
actions/download-artifact action major v5.0.0 -> v6.0.0
actions/upload-artifact action major v4.6.1 -> v5.0.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

actions/download-artifact (actions/download-artifact)

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per se but we're treating it as such.

New Contributors

Full Changelog: actions/download-artifact@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v5.0.0

v4.6.2

What's Changed

  • Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @salmanmkc in #685

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2


Configuration

📅 Schedule: Branch creation - "before 2am every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:test:long_running Skip long-running tests (≥5min) labels Oct 30, 2025
github-actions bot commented Oct 30, 2025

Claude finished @renovate[bot]'s task.


Reviewing PR #223: GitHub Artifact Actions Update

Task: Review Renovate bot's major version update for GitHub artifact actions

Todo List

  • Read repository documentation (CLAUDE.md, .github/CLAUDE.md)
  • Review all changed workflow files
  • Check for breaking changes in artifact actions
  • Verify workflow syntax and logic correctness
  • Assess impact on CI/CD pipeline
  • Check security and compliance implications
  • Provide comprehensive review feedback

Review Summary

APPROVED - This is a safe and straightforward dependency update with no breaking changes to the CI/CD pipeline.

What Changed

This PR updates GitHub Actions artifact dependencies across 8 workflow files:

  • actions/upload-artifact: v4.6.1 -> v5.0.0
  • actions/download-artifact: v5.0.0 -> v6.0.0

Key update: Both actions now support Node v24.x (treated as breaking change per GitHub versioning policy, though not functionally breaking).

Analysis

✅ No Functional Breaking Changes

Both action updates are backwards compatible:

  1. Upload Artifact v4 → v5: No API changes, only Node.js runtime upgrade
  2. Download Artifact v5 → v6: No API changes, only Node.js runtime upgrade

All workflow usage patterns remain valid:

  • name: parameter ✅
  • path: parameter ✅
  • pattern: parameter (download) ✅
  • merge-multiple: parameter (download) ✅
  • retention-days: parameter ✅
  • if: conditionals ✅

✅ Workflow Correctness Verified

All 8 modified workflows maintain correct syntax:

  1. _audit.yml (line 40): Upload audit results - ✅ Correct
  2. _build-native-only.yml (line 64): Upload native builds - ✅ Correct
  3. _ketryx_report_and_check.yml (lines 40, 49): Download test/audit results - ✅ Correct
  4. _package-publish.yml (lines 86, 117, 188, 194): Upload native builds, download artifacts - ✅ Correct
  5. _scheduled-audit.yml (line 90): Upload test results - ✅ Correct
  6. _scheduled-test-daily.yml (line 177): Upload test artifacts - ✅ Correct
  7. _scheduled-test-hourly.yml (line 159): Upload test results - ✅ Correct
  8. _test.yml (line 202): Upload test artifacts - ✅ Correct

✅ SHA Pinning Verified

All actions use SHA-pinned versions (security best practice):

# Upload v5.0.0 (NEW)
actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4

# Download v6.0.0 (NEW)  
actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53

This prevents supply chain attacks via tag hijacking.

✅ No Impact on CI/CD Strategy

The update does not affect:

  • Test execution strategy (unit, integration, e2e, long_running)
  • Artifact naming conventions (test-results-*, audit-results, dist_native-*)
  • Retention policies (1-30 days)
  • BetterStack heartbeat monitoring
  • Ketryx compliance reporting
  • Coverage uploads (Codecov/SonarQube)

✅ Security & Compliance

  • SHA-pinned versions: ✅ Prevents unauthorized code execution
  • No new permissions: ✅ Actions use existing permission model
  • Medical device compliance: ✅ No impact on Ketryx workflows
  • Audit trail: ✅ Artifact retention and naming unchanged

Findings

No blocking issues found.

Suggestions (Non-blocking)

  1. Add PR label: Consider adding skip:test:long_running to this PR to save CI time (no code changes require long tests)

    gh pr edit 223 --add-label "skip:test:long_running"
  2. Monitor first run: Watch the first CI run to confirm Node v24 compatibility with GitHub-hosted runners (expected to work fine)

Testing Recommendation

This PR will automatically trigger:

  • ✅ Lint checks
  • ✅ Audit checks
  • ✅ Test suite (unit, integration, e2e)
  • ✅ All workflows will exercise the new artifact actions

No additional manual testing required.

Conclusion

This is a routine dependency maintenance update with zero functional risk. The changes are isolated to GitHub Actions versions with no API modifications. All workflow syntax is correct and security practices (SHA pinning) are maintained.

Recommendation: ✅ Merge after CI passes

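A check that a maintainer can run to confirm the SHA-pinning point made in the review above, by scanning every `uses:` reference in a workflow and flagging any that resolve to a mutable tag or branch instead of a full commit SHA. This is an added example, not the repository's own tooling; the workflow text is constructed, and the two commit SHAs in it are the ones quoted in the review.

```python
import re

# Matches a step's `uses:` line: owner/repo[/path]@ref, with an optional trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
# A full 40-hex-digit commit SHA is the only immutable reference form.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def check_uses(workflow_text):
    """Return (line_no, ref, status) for each `uses:` in the workflow text.

    status is 'pinned' (40-hex SHA), 'tag' (mutable tag or branch, or no ref at all),
    or 'local' (./path or docker:// references, which are not GitHub-hosted actions).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((lineno, ref, "local"))
            continue
        _, _, version = ref.rpartition("@")  # version is '' when there is no '@'
        status = "pinned" if SHA_RE.match(version) else "tag"
        findings.append((lineno, ref, status))
    return findings


def unpinned(workflow_text):
    """Only the references a reviewer would flag: GitHub-hosted actions not pinned to a SHA."""
    return [(n, r) for n, r, s in check_uses(workflow_text) if s == "tag"]


# Constructed sample workflow (not from the repository under review).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: test-results
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for n, ref in unpinned(SAMPLE):
        print(f"line {n}: {ref} is not SHA-pinned")
```

Run against each file under `.github/workflows/` to get the same "SHA Pinning Verified" result the review reports, or a list of the references that still need pinning.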

codecov bot commented Oct 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

❌ Your project check has failed because the head coverage (62.84%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.
see 21 files with indirect coverage changes
