🚨 Update github actions (main) (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/upload-artifact	action	major	v6.0.0 → v7.0.1
codecov/codecov-action	action	major	v5.5.2 → v7.0.0
softprops/action-gh-release	action	major	v2.5.0 → v3.0.0

---

Release Notes

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

v7

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.5

Compare Source

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

softprops/action-gh-release (softprops/action-gh-release)

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in #​781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
unit-tests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

Review

Findings

High

• [protected-path] .github/workflows/pre-merge-ci.yaml, .github/workflows/release.yaml, .github/workflows/scorecards.yml — All three modified files are under .github/, a protected path. This PR has no linked issue authorizing the changes. Human approval is required for all protected-path changes regardless of context.
  Remediation: Link an issue authorizing these dependency updates, or obtain explicit human maintainer approval.

Medium

• [api-contract] .github/workflows/pre-merge-ci.yaml:77 — codecov/codecov-action is updated from v5.5.2 to v7.0.0, skipping major version v6 entirely. The use_oidc: true parameter (line 80) may no longer be a recognized input in v7. Because fail_ci_if_error: false (line 82), a failure from an unrecognized input would be silent — coverage uploads could stop working without any CI signal.
  Remediation: Verify against codecov-action v7 docs that use_oidc is still supported. Consider temporarily setting fail_ci_if_error: true or reviewing the first run's logs.

• [supply-chain] .github/workflows/pre-merge-ci.yaml:77 — codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6. The pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f should be verified against the upstream v7.0.0 tag. This action runs with id-token: write (line 39), so a compromised or mislabeled version could exfiltrate an OIDC token. See also: [api-contract] finding at this location.
  Remediation: Verify the commit hash: git ls-remote https://github.com/codecov/codecov-action refs/tags/v7.0.0.

Low

• [api-contract] .github/workflows/release.yaml:162 — softprops/action-gh-release is updated from v2.5.0 to v3.0.0. The inputs used (name, tag_name, body, make_latest, generate_release_notes) are core but major bumps can change semantics. See also: [supply-chain] finding at this location.

• [supply-chain] .github/workflows/release.yaml:162 — softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. This action runs with contents: write (line 135). The pinned hash should be verified against the upstream v3.0.0 tag. See also: [api-contract] finding at this location.

Info

• [api-contract] .github/workflows/scorecards.yml:84 — actions/upload-artifact is updated from v6.0.0 to v7.0.1. Inputs used (name, path, retention-days) are basic and no download-artifact usage exists in this repo. Minimal risk.

• [supply-chain] .github/workflows/scorecards.yml:84 — actions/upload-artifact is a first-party GitHub action. Supply-chain risk is minimal for hash-pinned first-party actions.

• [sub-agent-failure] — The style-conventions sub-agent did not return findings due to model unavailability. Non-critical for a mechanical version bump PR.

Previous run

Review

Findings

High

• [protected-path] .github/workflows/pre-merge-ci.yaml, .github/workflows/release.yaml, .github/workflows/scorecards.yml — All three modified files are under the .github/ protected path. This PR has no linked issue justifying the changes to governance/infrastructure files. Human approval is required for all protected-path changes.

Medium

• [api-contract] .github/workflows/pre-merge-ci.yaml:80 — The use_oidc: true input is used with codecov/codecov-action, but this PR jumps from v5.5.2 to v7.0.0, skipping v6 entirely. In codecov-action v7, OIDC became the default authentication method and the use_oidc input may have been removed. GitHub Actions silently ignores unknown inputs so this won't cause a build failure, but the dead configuration is misleading. Verify that: (1) OIDC authentication works correctly without explicit opt-in with the existing id-token: write permission (line 39), and (2) no other v6/v7 breaking changes affect the flags or fail_ci_if_error inputs. Accumulating two major versions of breaking changes warrants review of both migration guides.

Low

• [api-contract] .github/workflows/release.yaml:162 — softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The release notes indicate this is primarily a Node 20 to Node 24 runtime migration with no API changes, but the workflow uses make_latest: false and generate_release_notes: false which should be verified against v3 documentation. The release workflow runs on a weekly schedule, so a silent misconfiguration could produce unexpected release settings.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable. This is a non-critical gap; this dimension covers naming and code organization patterns which are not applicable to version-pin-only changes.

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] api-contract

The use_oidc input is used with codecov/codecov-action, but this PR jumps from v5.5.2 to v7.0.0, skipping v6 entirely. In codecov-action v7, OIDC became the default authentication method and the use_oidc input may have been removed. While GitHub Actions silently ignores unknown inputs, the dead configuration is misleading and the two-major-version skip accumulates breaking changes that should be verified.

Suggested fix: Review codecov-action v6 and v7 changelogs. Remove use_oidc: true if it is no longer a recognized input in v7. Confirm OIDC works by default with the existing id-token: write permission.

[fullsend-ai-review]

[low] api-contract

softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The release notes indicate this is primarily a Node 20 to Node 24 runtime migration, but the workflow uses make_latest and generate_release_notes inputs that should be verified against v3 documentation.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:08 PM UTC · Completed 6:15 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] api-contract

codecov/codecov-action is updated from v5.5.2 to v7.0.0, skipping v6. The use_oidc parameter may no longer be recognized in v7. Because fail_ci_if_error: false is set, a failure would be silent.

Suggested fix: Verify against codecov-action v7 docs that use_oidc is still supported. Consider temporarily setting fail_ci_if_error: true.

[fullsend-ai-review]

[medium] supply-chain

codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6. The pinned commit hash should be verified against the upstream v7.0.0 tag. This action runs with id-token: write, so a compromised version could exfiltrate an OIDC token.

Suggested fix: Verify the commit hash matches the v7.0.0 tag: git ls-remote https://github.com/codecov/codecov-action refs/tags/v7.0.0

[fullsend-ai-review]

[low] api-contract

softprops/action-gh-release is updated from v2.5.0 to v3.0.0. Major bumps can change semantics of inputs like make_latest and generate_release_notes.

[fullsend-ai-review]

[low] supply-chain

softprops/action-gh-release v2.5.0 to v3.0.0. This action runs with contents: write permission. The pinned hash should be verified against the upstream v3.0.0 tag.

Suggested fix: Verify the commit hash: git ls-remote https://github.com/softprops/action-gh-release refs/tags/v3.0.0

[fullsend-ai-review]

[info] api-contract

actions/upload-artifact v6.0.0 to v7.0.1. Inputs used are basic and no download-artifact usage exists in the repo. Minimal risk.

[fullsend-ai-review]

[info] supply-chain

actions/upload-artifact is a first-party GitHub action. Supply-chain risk is minimal for hash-pinned first-party actions.