Skip to content

chore: bump the actions group across 1 directory with 5 updates#18

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-dc67fb371b
Open

chore: bump the actions group across 1 directory with 5 updates#18
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-dc67fb371b

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 25, 2026
edited
Loading

Bumps the actions group with 5 updates in the / directory:

Package From To
actions/create-github-app-token 3.0.0 3.1.1
actions/upload-artifact 7.0.0 7.0.1
michalvankodev/copy-issue-labels 1.3.0 2.0.0
actions/setup-node 6.3.0 6.4.0
actions/download-artifact 7.0.0 8.0.1

Updates actions/create-github-app-token from 3.0.0 to 3.1.1

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

  • improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

  • deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

Commits

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

Updates michalvankodev/copy-issue-labels from 1.3.0 to 2.0.0

Release notes

Sourced from michalvankodev/copy-issue-labels's releases.

v2.0.0

Breaking Changes

  • @​actions/github v9 migration: REST API methods moved from client.issues.* to client.rest.issues.*. If you have custom workflows using this action, update your uses: reference to michalvankodev/copy-issue-labels@v2.

What Changed

  • Upgraded typescript 4 → 5
  • Upgraded @types/node 14 → 22
  • Upgraded @vercel/ncc 0.25 → 0.38 (Node 24 compatible)
  • Updated tsconfig.json with moduleResolution: "bundler" and target: "es2022"
  • Migrated REST API calls to client.rest.issues namespace required by @actions/github v9
  • All dependencies updated (npm audit --fix)
Commits

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

Updates actions/download-artifact from 7.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

@dependabot dependabot Bot requested review from jan-kubica and nnad3N as code owners April 25, 2026 07:04
devin-ai-integration[bot]
devin-ai-integration Bot reviewed Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown

@devin-ai-integration devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

Open in Devin Review

Comment thread .github/workflows/rust-napi-ci.yml
run: bun install --frozen-lockfile
- if: inputs.build-changed == 'true'
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
Copy link
Copy Markdown

@devin-ai-integration devin-ai-integration Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 download-artifact major version bump (v7 → v8) paired with upload-artifact v7

The download-artifact action was bumped from v7.0.0 to v8.0.1 at .github/workflows/rust-napi-ci.yml:265, while upload-artifact remains at v7.0.1 at .github/workflows/rust-napi-ci.yml:231. Both are in the v4+ generation sharing the same underlying artifact backend, so artifact format compatibility is maintained. The download step uses no name parameter (downloading all artifacts into subdirectories under path: artifacts), and the subsequent "Move artifacts" step at line 271-281 iterates over artifacts/bindings-* — this pattern has been stable since v4. However, since this is a major version bump, it's worth verifying the v8 release notes for any changes to default behavior (e.g., new required inputs, changed defaults for merge-multiple, or filtering behavior) that could silently affect which artifacts are downloaded.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

@dependabot
chore: bump the actions group across 1 directory with 5 updates
300be93 
Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [michalvankodev/copy-issue-labels](https://github.com/michalvankodev/copy-issue-labels) | `1.3.0` | `2.0.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.1` |



Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v3...1b10c78)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v7...043fb46)

Updates `michalvankodev/copy-issue-labels` from 1.3.0 to 2.0.0
- [Release notes](https://github.com/michalvankodev/copy-issue-labels/releases)
- [Commits](michalvankodev/copy-issue-labels@f54e957...c4df96e)

Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@53b8394...48b55a0)

Updates `actions/download-artifact` from 7.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@37930b1...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: michalvankodev/copy-issue-labels
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-dc67fb371b branch from 105af14 to 300be93 Compare May 2, 2026 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@jan-kubica jan-kubica Awaiting requested review from jan-kubica jan-kubica is a code owner

@nnad3N nnad3N Awaiting requested review from nnad3N nnad3N is a code owner

Assignees

No one assigned

Labels

📦 dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants