chore(deps): update ci dependencies (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
SonarSource/sonarqube-scan-action	action	major	v6 → v7
actions/checkout	action	major	v4 → v6
actions/download-artifact	action	major	v4 → v8
actions/upload-artifact	action	major	v4 → v7
docker/build-push-action	action	major	v6 → v7
docker/login-action	action	major	v3 → v4
docker/setup-buildx-action	action	major	v3 → v4
docker/setup-qemu-action	action	major	v3 → v4
node	uses-with	major	20 → 24
pnpm/action-setup	action	major	v4 → v6
softprops/action-gh-release	action	major	v2 → v3

---

Release Notes

SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)

v7.1

Compare Source

v7.1.0

Compare Source

What's Changed

• SQSCANGHA-128 NO-JIRA Bump actions/cache from 4 to 5 by @​dependabot[bot] in #​219
• SQSCANGHA-130 Bump rollup from 4.50.1 to 4.59.0 by @​dependabot[bot] in #​221
• SQSCANGHA-131 Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​223
• SQSCANGHA-132 Upgrade Node to 24 by @​claire-villard-sonarsource in #​224

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.1.0

v7.0

Compare Source

v7.0.0

Compare Source

What's Changed

• SQSCANGHA-120 NO-JIRA Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​211
• Update SonarScanner CLI to 7.3.0.5189 by @​github-actions[bot] in #​212
• SQSCANGHA-122 Include caveats for running SCA by @​subdavis in #​213
• SQSCANGHA-123 NO-JIRA Bump actions/setup-node from 5 to 6 by @​dependabot[bot] in #​214
• SQSCANGHA-126 Update SonarScanner CLI to 8.0.1.6346 by @​github-actions[bot] in #​218

New Contributors

• @​subdavis made their first contribution in #​213

Full Changelog: SonarSource/sonarqube-scan-action@v6.0.0...v7.0.0

v7

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6-beta

Compare Source

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

Compare Source

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in #​2226
• Prepare v5.0.0 release by @​salmanmkc in #​2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v5

Compare Source

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in #​1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in #​1180
• Dependency updates by @​dependabot- #​1777, #​1872

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in #​1739
• Bump actions/checkout from 3 to 4 by @​dependabot in #​1697
• Check out other refs/* by commit by @​orhantoy in #​1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in #​1776

v4.1.6

Compare Source

• Check platform to set archive extension appropriately by @​cory-miller in #​1732

v4.1.5

Compare Source

• Update NPM dependencies by @​cory-miller in #​1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in #​1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in #​1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in #​1695
• README: Suggest user.email to be 41898282+github-actions[bot]@​users.noreply.github.com by @​cory-miller in #​1707

v4.1.4

Compare Source

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in #​1692
• Add dependabot config by @​cory-miller in #​1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in #​1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in #​1643

v4.1.3

Compare Source

• Check git version before attempting to disable sparse-checkout by @​jww3 in #​1656
• Add SSH user parameter by @​cory-miller in #​1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in #​1650

v4.1.2

Compare Source

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in #​1598

v4.1.1

Compare Source

• Correct link to GitHub Docs by @​peterbe in #​1511
• Link to release page from what's new section by @​cory-miller in #​1514

v4.1.0

Compare Source

• Add support for partial checkout filters

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

v7

Compare Source

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6

Compare Source

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

v5

Compare Source

v5.0.0

Compare Source

What's Changed

• Update README.md by @​nebuk89 in #​407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in #​416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist

### Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

New Contributors

• @​nebuk89 made their first contribution in #​407

Full Changelog: actions/download-artifact@v4...v5.0.0

v4.3.0

Compare Source

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in #​401
• Fix workflow example for downloading by artifact ID by @​joshmgross in #​402
• Prep for v4.3.0 release by @​robherley in #​404

New Contributors

• @​GrantBirki made their first contribution in #​401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

v4.2.1

Compare Source

What's Changed

• Add unit tests by @​GhadimiR in #​392
• Fix bug introduced in 4.2.0 by @​GhadimiR in #​391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

v4.2.0

Compare Source

What's Changed

• Update README.md by @​lkfortuna in #​384
• Bump artifact version, do digest check by @​GhadimiR in #​383

New Contributors

• @​lkfortuna made their first contribution in #​384
• @​GhadimiR made their first contribution in #​383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

v4.1.9

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​354
• docs: small migration fix by @​froblesmartin in #​370
• Update MIGRATION.md by @​andyfeller in #​372
• Update artifact package to 2.2.2 by @​yacaovsnc in #​380

New Contributors

• @​Jcambass made their first contribution in #​354
• @​froblesmartin made their first contribution in #​370
• @​andyfeller made their first contribution in #​372
• @​yacaovsnc made their first contribution in #​380

Full Changelog: actions/download-artifact@v4.1.8...v4.1.9

v4.1.8

Compare Source

What's Changed

• Update @​actions/artifact version, bump dependencies by @​robherley in #​341

Full Changelog: actions/download-artifact@v4.1.7...v4.1.8

v4.1.7

Compare Source

What's Changed

• Update @​actions/artifact dependency by @​bethanyj28 in #​325

Full Changelog: actions/download-artifact@v4.1.6...v4.1.7

v4.1.6

Compare Source

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in #​324

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

v4.1.5

Compare Source

What's Changed

• Update readme with v3/v2/v1 deprecation notice by @​robherley in #​322
• Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

v4.1.4

Compare Source

What's Changed

• Update @​actions/artifact by @​bethanyj28 in #​307

Full Changelog: actions/download-artifact@v4...v4.1.4

v4.1.3

Compare Source

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in #​292
• Update toolkit dependency with updated unzip logic by @​bethanyj28 in #​299
• Update @​actions/artifact by @​bethanyj28 in #​303

New Contributors

• @​bethanyj28 made their first contribution in #​299

Full Changelog: actions/download-artifact@v4...v4.1.3

v4.1.2

Compare Source

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.1.1

Compare Source

• Fix transient request timeouts #​249
• Bump @actions/artifacts to latest version

v4.1.0

Compare Source

What's Changed

• Some cleanup by @​robherley in #​247
• Fix default for run-id by @​stchr in #​252
• Support pattern matching to filter artifacts & merge to same directory by @​robherley in #​259

New Contributors

• @​stchr made their first contribution in #​252

Full Changelog: actions/download-artifact@v4...v4.1.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6

Compare Source

v6.0.0

Compare Source

v5

Compare Source

v5.0.0

Compare Source

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in #​662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in #​578
• Add new artifact-digest output by @​bdehamer in #​656

New Contributors

• @​hamirmahal made their first contribution in #​578
• @​bdehamer made their first contribution in #​656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

v4.4.3

Compare Source

What's Changed

• Undo indirect dependency updates from #​627 by @​joshmgross in #​632

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

• Bump @actions/artifact to 2.1.11 by @​robherley in #​627
  • Includes fix for relative symlinks not resolving properly

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

• Add a section about hidden files by @​joshmgross in #​607
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​621
• Update @​actions/artifact to latest version, includes symlink and timeout fixes by @​robherley in #​625

New Contributors

• @​Jcambass made their first contribution in #​621

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

v4.4.0

Compare Source

Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the upload-artifact action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, include-hidden-files, to continue to do so.

See "Notice of upcoming deprecations and breaking changes in GitHub Actions runners" changelog and this issue for more details.

What's Changed

• Exclude hidden files by default by @​joshmgross in #​598

Full Changelog: actions/upload-artifact@v4.3.6...v4.4.0

v4.3.6

Compare Source

What's Changed

• Revert to @​actions/artifact 2.1.8 by @​robherley in #​594

Full Changelog: actions/upload-artifact@v4...v4.3.6

v4.3.5

Compare Source

What's Changed

• Bump @​actions/artifact to v2.1.9 by @​robherley in #​588
  • Fixed artifact upload chunk timeout logic #​1774
  • Use lazy stream to prevent issues with open file limits #​1771

Full Changelog: actions/upload-artifact@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Update @​actions/artifact version, bump dependencies by @​robherley in #​584

Full Changelog: actions/upload-artifact@v4.3.3...v4.3.4

v4.3.3

Compare Source

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in #​565

Full Changelog: actions/upload-artifact@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in #​516
• Minor fix to the migration readme by @​andrewakim in #​523
• Update readme with v3/v2/v1 deprecation notice by @​robherley in #​561
• updating @actions/artifact dependency to v2.1.5 and @actions/core to v1.0.1 by @​eggyhead in #​562

New Contributors

• @​andrewakim made their first contribution in #​523

Full Changelog: actions/upload-artifact@v4.3.1...v4.3.2

v4.3.1

Compare Source

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.3.0

Compare Source

What's Changed

• Reorganize upload code in prep for merge logic & add more tests by @​robherley in #​504
• Add sub-action to merge artifacts by @​robherley in #​505

Full Changelog: actions/upload-artifact@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Ability to overwrite an Artifact by @​robherley in #​501

Full Changelog: actions/upload-artifact@v4...v4.2.0

v4.1.0

Compare Source

What's Changed

• Add migrations docs by @​robherley in #​482
• Update README.md by @​samuelwine in #​492
• Support artifact-url output by @​konradpabjan in #​496
• Update readme to reflect new 500 artifact per job limit by @​robherley in #​497

New Contributors

• @​samuelwine made their first contribution in #​492

Full Changelog: actions/upload-artifact@v4...v4.1.0

docker/build-push-action (docker/build-push-action)

v7.1.0

Compare Source

• Git context query format support by @​crazy-max in #​1505
• Bump @​docker/actions-toolkit from 0.79.0 to 0.87.0 by @​crazy-max in #​1505
• Bump brace-expansion from 1.1.12 to 1.1.13 in #​1500
• Bump fast-xml-parser from 5.4.2 to 5.5.7 in #​1489
• Bump flatted from 3.3.3 to 3.4.2 in #​1491
• Bump glob from 10.3.12 to 10.5.0 in #​1490
• Bump handlebars from 4.7.8 to 4.7.9 in #​1497
• Bump lodash from 4.17.23 to 4.18.1 in #​1510
• Bump picomatch from 4.0.3 to 4.0.4 in #​1496
• Bump undici from 6.23.0 to 6.24.1 in #​1486
• Bump vite from 7.3.1 to 7.3.2 in #​1509

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

v7.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​1470
• Remove deprecated DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS envs by @​crazy-max in #​1473
• Remove legacy export-build tool support for build summary by @​crazy-max in #​1474
• Switch to ESM and update config/test wiring by @​crazy-max in #​1466
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​1454
• Bump @​docker/actions-toolkit from 0.62.1 to 0.79.0 in #​1453 #​1472 #​1479
• Bump minimatch from 3.1.2 to 3.1.5 in #​1463

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v7

Compare Source

v6.19.2

Compare Source

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in #​1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Compare Source

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in #​1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

[Compare Source](https://redirect.github.com/docker/build-push-action/

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud