Skip to content

chore(deps): bump actions/download-artifact from 4 to 8#21

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-8
Open

chore(deps): bump actions/download-artifact from 4 to 8#21
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-8

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026
edited
Loading

Bumps actions/download-artifact from 4 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6.0.0

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 27, 2026

Labels

The following labels could not be found: area:ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from manav8498 as a code owner April 27, 2026 03:31
@dependabot dependabot Bot changed the title chore(deps): bump actions/download-artifact from 4 to 8 build(deps): bump actions/download-artifact from 4 to 8 Apr 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from c7bf53c to a320abe Compare April 27, 2026 15:44
@manav8498 manav8498 force-pushed the main branch 3 times, most recently from 22d997e to 359e811 Compare April 29, 2026 04:45
@dependabot dependabot Bot changed the title build(deps): bump actions/download-artifact from 4 to 8 chore(deps): bump actions/download-artifact from 4 to 8 Apr 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from a320abe to 932c2cf Compare April 29, 2026 05:12
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from 932c2cf to ceb1c4b Compare April 30, 2026 19:22
@manav8498
Copy link
Copy Markdown
Owner

manav8498 commented May 5, 2026

@dependabot rebase

@dependabot
chore(deps): bump actions/download-artifact from 4 to 8
8a1cc7b 
Bumps [actions/download-artifact](https://github.com/actions/download-
artifact) from 4 to 8.

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from ceb1c4b to c2635bc Compare May 5, 2026 07:16
manav8498 added a commit that referenced this pull request May 5, 2026
@manav8498 @claude
chore(deps): bump release/docs workflow actions to current majors
9728a49 
* softprops/action-gh-release@v2 → v3 (closes #19)
* actions/deploy-pages@v4 → v5 (closes #20)

Both are single-line workflow-only changes that don't affect PR
CI (release.yml fires on tag push; docs.yml on main push). The
dependabot PRs were blocked on the DCO check because dependabot's
commits aren't signed; landing the same change as a signed
maintainer commit clears that without requiring per-PR rebase.

Skipping the higher-risk PRs for the v3.1.0 launch:
  * #18 dtolnay/rust-toolchain 1.95.0→1.100.0 (cargo-test
    failures need investigation)
  * #21 actions/download-artifact v4→v8 (4-major-version jump)
  * #22 actions/upload-artifact v4→v7 (3-major-version jump)
  * #24 hypothesis/mypy/ruff dev-dep group (ruff 0.15 surfaces
    new lint rules; bundle for a follow-up)
  * #31 rust crate minor patches (low-risk, defer to post-launch)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: manav8498 <manavpatel91570@gmail.com>
@manav8498
Copy link
Copy Markdown
Owner

manav8498 commented May 5, 2026

Deferred to post-v3.1.0 follow-up. Tracking summary in 9728a49 commit message — needs more careful review than a launch-day merge can give it.

manav8498 added a commit that referenced this pull request May 5, 2026
@manav8498
chore(deps): bump release/docs workflow actions to current majors
724e08d 
* softprops/action-gh-release@v2 → v3 (closes #19)
* actions/deploy-pages@v4 → v5 (closes #20)

Both are single-line workflow-only changes that don't affect PR
CI (release.yml fires on tag push; docs.yml on main push). The
dependabot PRs were blocked on the DCO check because dependabot's
commits aren't signed; landing the same change as a signed
maintainer commit clears that without requiring per-PR rebase.

Skipping the higher-risk PRs for the v3.1.0 launch:
  * #18 dtolnay/rust-toolchain 1.95.0→1.100.0 (cargo-test
    failures need investigation)
  * #21 actions/download-artifact v4→v8 (4-major-version jump)
  * #22 actions/upload-artifact v4→v7 (3-major-version jump)
  * #24 hypothesis/mypy/ruff dev-dep group (ruff 0.15 surfaces
    new lint rules; bundle for a follow-up)
  * #31 rust crate minor patches (low-risk, defer to post-launch)

Signed-off-by: manav8498 <manavpatel91570@gmail.com>
@manav8498 manav8498 force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from c2635bc to 238cb8f Compare May 5, 2026 23:45
@manav8498 manav8498 force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from 238cb8f to 8a1cc7b Compare May 5, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@manav8498 manav8498 Awaiting requested review from manav8498 manav8498 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@manav8498