To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.
Enforced checks (breaking)
A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.
ESM
To support new versions of the @actions/* packages, we've upgraded the package to ESM.
Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.
ESM
To support new versions of the @actions/* packages, we've upgraded the package to ESM.
3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.
What's Changed
Other Changes 🔄
Move the action runtime and bundle target to Node 24
Update @types/node to the Node 24 line and allow future Dependabot updates
Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release
2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
fix: preserve discussion category on publish by @chenrui333 in #765
2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Exciting New Features 🎉
feat: support previous_tag for generate_release_notes by @pocesar in #372
Bug fixes 🐛
fix: recover concurrent asset metadata 404s by @chenrui333 in #760
Other Changes 🔄
docs: clarify reused draft release behavior by @chenrui333 in #759
2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
fix: canonicalize releases after concurrent create by @chenrui333 in #746
fix: preserve prereleased events for prereleases by @chenrui333 in #748
2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.
What's Changed
Bug fixes 🐛
fix: fetch correct asset URL after finalization; test; some refactoring by @pzhlkj6612 in #738
fix: release marked as 'latest' despite make_latest: false by @Boshen in #715
fix: use getReleaseByTag API instead of iterating all releases by @kim-em in #725
Other Changes 🔄
dependency updates, including the ESM/runtime compatibility refresh in #731
[api-contract] .github/workflows/pre-merge-ci.yaml:80 — codecov/codecov-action is bumped from v5.5.2 directly to v7.0.0 (skipping v6). The workflow uses use_oidc: true (line 80), which was a v5-era input. Major version bumps commonly rename or remove inputs. If v7 has changed OIDC configuration semantics or removed use_oidc, this step will either fail or silently ignore the parameter, potentially breaking coverage uploads. Verify the codecov-action v7 changelog to confirm use_oidc is still supported with the same semantics.
[supply-chain] .github/workflows/release.yaml — actions/upload-artifact@v7 and actions/download-artifact@v8 use tag-only pins without commit SHA hashes, unlike all other action references in this repository which use SHA pins (e.g., codecov/codecov-action@fb8b3582...). This workflow has contents: write permission — a compromised or force-pushed tag could lead to arbitrary code execution in the release pipeline. This is a pre-existing pattern (the prior refs were also tag-only at @v6/@v7), but the major version bump is the ideal time to align pinning strategy.
[protected-path] .github/workflows/ — All three modified files are under the .github/ protected path. The PR is an automated Renovate dependency update with clear rationale, but human approval is always required for protected-path changes regardless of context.
This PR contains the following updates:
v7 → v8, v6.0.0 → v7.0.1, v6 → v7, v5.5.2 → v7.0.0, v2.5.0 → v3.0.0
Release Notes
actions/download-artifact (actions/download-artifact)
v8.0.1
What's Changed
Full Changelog: actions/download-artifact@v8...v8.0.1
v8.0.0
v8 - What's new
Direct downloads
To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.
Enforced checks (breaking)
A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.
ESM
To support new versions of the @actions/* packages, we've upgraded the package to ESM.
What's Changed
error by @danwkennedy in #461
Full Changelog: actions/download-artifact@v7...v8.0.0
v8
actions/upload-artifact (actions/upload-artifact)
v7.0.1
What's Changed
Full Changelog: actions/upload-artifact@v7...v7.0.1
v7.0.0
v7 What's new
Direct Uploads
Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.
ESM
To support new versions of the @actions/* packages, we've upgraded the package to ESM.
What's Changed
New Contributors
Full Changelog: actions/upload-artifact@v6...v7.0.0
v7
codecov/codecov-action (codecov/codecov-action)
v7.0.0
v7
v6.0.2
v6.0.1
What's Changed
Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1
v6.0.0
What's Changed
Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0
v6
v5.5.5
v5.5.4
This is a mirror of v5.5.2. v6 will be released which requires node24
What's Changed
Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4
v5.5.3
What's Changed
Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3
softprops/action-gh-release (softprops/action-gh-release)
v3.0.0
3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.
What's Changed
Other Changes 🔄
Update @types/node to the Node 24 line and allow future Dependabot updates
Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release
v3
v2.6.2
What's Changed
Other Changes 🔄
Full Changelog: softprops/action-gh-release@v2...v2.6.2
v2.6.1
2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes #764, where the draft-first publish flow stopped carrying the discussion category through the final publish step.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
v2.6.0
2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Exciting New Features 🎉
Bug fixes 🐛
Other Changes 🔄
v2.5.3
2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411, where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
Other Changes 🔄
preserve_order, and special-character asset filename behavior
Full Changelog: softprops/action-gh-release@v2...v2.5.3
v2.5.2
2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels, same-filename concurrent uploads, and blocked-tag cleanup behavior.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
New Contributors
Full Changelog: softprops/action-gh-release@v2...v2.5.2
v2.5.1
2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that current master no longer reproduces the finalize-race behavior reported in #704 and #709.
What's Changed
Bug fixes 🐛
Other Changes 🔄
New Contributors
Full Changelog: softprops/action-gh-release@v2...v2.5.1
Configuration
📅 Schedule (UTC): * 0-3 * * *
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.