chore(deps): update github-actions-updates (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	major	v4 → v5
actions/checkout	action	major	v5 → v6
actions/download-artifact	action	major	v5 → v8
actions/upload-artifact	action	major	v4 → v7
astral-sh/setup-uv	action	major	v7 → v8.2.0
codecov/codecov-action	action	major	v5.5.1 → v7.0.0
crazy-max/ghaction-github-labeler	action	major	v5.3.0 → v6.0.0
release-drafter/release-drafter	action	major	v6.1.0 → v7.3.1

---

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v5

Compare Source

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

v6

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.0

Compare Source

v5

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0

Compare Source

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#​856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#​860)
• Add a release-gate step to the release workflow @​zanieb (#​859)
• Draft commitish releases @​eifinger (#​858)
• Add action-types.yml to instructions @​eifinger (#​857)
• chore: update known checksums for 0.11.7 @​github-actions[bot] (#​853)
• Refactor version resolving @​eifinger (#​852)
• chore: update known checksums for 0.11.6 @​github-actions[bot] (#​850)
• chore: update known checksums for 0.11.5 @​github-actions[bot] (#​845)
• chore: update known checksums for 0.11.4 @​github-actions[bot] (#​843)
• Add a release workflow @​zanieb (#​839)
• chore: update known checksums for 0.11.3 @​github-actions[bot] (#​836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#​833)
• Pin setup-uv docs to v8 @​eifinger (#​829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @​dependabot[bot] (#​855)

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

• Remove update-major-minor-tags workflow @​eifinger (#​826)
• Remove deprecrated custom manifest @​eifinger (#​813)

🧰 Maintenance

• Shortcircuit latest version from manifest @​eifinger (#​828)
• Simplify inputs.ts @​eifinger (#​827)
• Bump release-drafter to v7.1.1 @​eifinger (#​825)
• Refactor inputs @​eifinger (#​823)
• Replace inline compile args with tsconfig @​eifinger (#​824)
• chore: update known checksums for 0.11.2 @​github-actions[bot] (#​821)
• chore: update known checksums for 0.11.1 @​github-actions[bot] (#​817)
• chore: update known checksums for 0.11.0 @​github-actions[bot] (#​815)
• Fix latest-version workflow check @​eifinger (#​812)
• chore: update known checksums for 0.10.11/0.10.12 @​github-actions[bot] (#​811)

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

v7

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

v5.5.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

crazy-max/ghaction-github-labeler (crazy-max/ghaction-github-labeler)

v6.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​249
• Switch to ESM and update config/test wiring by @​crazy-max in #​246
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​247
• Bump @​actions/github from 6.0.0 to 9.0.0 in #​248
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​236
• Bump js-yaml from 4.1.0 to 4.1.1 in #​240
• Bump lodash from 4.17.21 to 4.17.23 in #​242
• Bump matcher from 3.0.0 to 6.0.0 in #​239
• Bump minimatch from 3.1.2 to 3.1.5 in #​245

Full Changelog: crazy-max/ghaction-github-labeler@v5.3.0...v6.0.0

v6

Compare Source

release-drafter/release-drafter (release-drafter/release-drafter)

v7.3.1

Compare Source

What's Changed

Bug Fixes

• fix: output name and tag_name in dry-run mode (#​1625) @​cchanche

Maintenance

• chore(deps): update graphql-codegen to 7.0.0 (#​1619) @​renovate[bot]
• chore(deps): update dependency nock to 14.0.15 (#​1609) @​renovate[bot]
• chore(deps): update graphql-codegen (#​1615) @​renovate[bot]
• chore(deps): update dependency typescript to 6.0.3 (#​1610) @​renovate[bot]
• ci(deps): update actions/download-artifact action to v8.0.1 (#​1620) @​renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.3 (#​1608) @​renovate[bot]
• chore(deps): update vitest to 4.1.5 (#​1612) @​renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.15 (#​1607) @​renovate[bot]
• chore(deps): update dependency vite to 8.0.11 (#​1611) @​renovate[bot]
• ci(deps): pin dependencies (#​1606) @​renovate[bot]

Dependency Updates

8 changes

• chore(deps): update node.js to v24.15.0 (#​1616) @​renovate[bot]
• chore(deps): update vite to v8.0.13 and vitest to v4.1.6 (#​1624) @​cchanche
• fix(deps): update dependency semver to 7.8.0 (#​1622) @​renovate[bot]
• chore(deps): update npm tool constraint to 11.14.1 (#​1617) @​renovate[bot]
• fix(deps): update dependency zod to 4.4.3 (#​1618) @​renovate[bot]
• fix(deps): update actions (#​1613) @​renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.15 (#​1607) @​renovate[bot]
• fix(deps): update dependency yaml to 2.8.4 (#​1614) @​renovate[bot]

Full Changelog: release-drafter/release-drafter@v7.3.0...v7.3.1

v7.3.0

Compare Source

What's Changed

New

• feat: recover recently merged PRs missed by associated PRs lag (#​1604) @​jetersen
• feat: switch release discovery to ref comparison and explicit missing-baseline warnings (#​1570) @​jetersen

Bug Fixes

• fix: restore prerelease-identifier on first run when no prior releases exist (#​1602) @​jrbeilke
• fix: prevent using commitish like refs/pull (#​1598) @​cchanche

Maintenance

• ci: rebuild dist after codegen so generated PRs include bundle updates (#​1605) @​jetersen
• chore: update generated GraphQL types (#​1600) @​github-actions[bot]
• chore: clarify base repository pr filtering (#​1599) @​cchanche

Dependency Updates

• build(deps-dev): bump postcss from 8.5.8 to 8.5.12 (#​1597) @​dependabot[bot]

Full Changelog: release-drafter/release-drafter@v7.2.1...v7.3.0

v7.2.1

Compare Source

What's Changed

Bug Fixes

• fix: initial-commits-since in config not overwritten by input (#​1593) @​sroebert
• fix: clarify prerelease-identifier behavior and precedence in configuration (#​1594) @​neilime

Maintenance

• chore: disable "No version input..." warning (#​1595) @​cchanche

Full Changelog: release-drafter/release-drafter@v7.2.0...v7.2.1

v7.2.0

Compare Source

What's Changed

New

• feat: allow always collapsing a category (#​1444) @​mhanberg

Bug Fixes

• fix: improve advanced substitutions in replacers (#​1555) @​jetersen
• fix: support repo-only _extends and prevent .github/ path doubling (#​1577) @​jetersen

Maintenance

• chore(deps): update dependency typescript to 6.0.2 (#​1587) @​renovate[bot]
• chore(deps): update vitest to 4.1.4 (#​1585) @​renovate[bot]
• ci(deps): update peter-evans/create-pull-request action to v8 (#​1588) @​renovate[bot]
• chore(deps): update dependency vite to 8.0.5 (#​1579) @​renovate[bot]
• chore(deps): update dependency nock to 14.0.12 (#​1583) @​renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.2 (#​1582) @​renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.10 (#​1581) @​renovate[bot]
• chore: move codegen to monthly scheduled workflow (#​1578) @​jetersen
• chore: replace vite-tsconfig-paths plugin with native resolve.tsconfigPaths (#​1571) @​jetersen

Documentation

• docs: fix autolabeler example tag (#​1568) @​cchanche

Dependency Updates

• build(deps): bump lodash and @​graphql-codegen/plugin-helpers (#​1589) @​dependabot[bot]
• fix(deps): update dependency @​actions/github to 9.1.0 (#​1586) @​renovate[bot]
• chore(deps): update dependency yaml to 2.8.3 (#​1580) @​renovate[bot]
• chore(deps): update node.js to v24.14.1 (#​1584) @​renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.10 (#​1581) @​renovate[bot]

Full Changelog: release-drafter/release-drafter@v7.1.1...v7.2.0

v7.1.1

Compare Source

What's Changed

Bug Fixes

• fix: remove disable-releaser and disable-autolabeler from action.yaml (#​1564) @​cchanche

Full Changelog: release-drafter/release-drafter@v7.1.0...v7.1.1

v7.1.0

Compare Source

What's Changed

New

• feat: filter previous releases by range with semver (#​1445) @​cchanche
• feat: support advanced substitutions in replacers (#​1517) @​cchanche

Bug Fixes

• fix: support pull_request_target event in autolabeler (#​1560) @​jmeridth
• fix: empty template when prs all are excluded by labels (#​1429) @​Bledai
• fix: fall back to org .github repo when config not found in current repo (#​1554) @​jetersen

Maintenance

• ci: make sure PRs have a type label (#​1557) @​cchanche

Documentation

• docs: update README with pull_request_target example (#​1561) @​jmeridth

Full Changelog: release-drafter/release-drafter@v7.0.0...v7.1.0

v7.0.0

Compare Source

What's Changed

Breaking

• feat: new major version (#​1475) @​cchanche

Bug Fixes

• fix: JSON schema too strict with required fields (#​1535) @​jetersen

Maintenance

• chore(deps): update vitest to 4.1.0 (#​1544) @​renovate[bot]
• chore(deps): update linters (#​1549) @​renovate[bot]
• chore(deps): update dependency nock to 14.0.11 (#​1548) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/near-operation-file-preset to 5.0.0 (#​1545) @​renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.0 (#​1543) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/cli to 6.2.1 (#​1542) @​renovate[bot]
• chore(deps): update vite (#​1541) @​renovate[bot]
• chore(deps): update linters (#​1540) @​renovate[bot]
• build(deps): bump actions/stale from 9 to 10 (#​1527) @​dependabot[bot]

Documentation

• docs: fix v7 docs (#​1532) @​cchanche

Other changes

• chore: migrate from ESLint + Prettier to Biome (#​1552) @​jetersen
• ci: fix licensed (#​1533) @​cchanche

Dependency Updates

• fix(deps): update dependency compare-versions to 6.1.1 (#​1547) @​renovate[bot]
• fix(deps): update dependency zod to 4.3.6 (#​1551) @​renovate[bot]
• fix(deps): update dependency semver to 7.7.4 (#​1550) @​renovate[bot]

Full Changelog: release-drafter/release-drafter@v6.4.0...v7.0.0

v7

Compare Source

v6.4.0

Compare Source

What's Changed

New

• feat: Add support to excluded-paths (#​1522) @​guimorg
• feat: add include-pre-releases to action inputs (#​1525) @​cchanche

Maintenance

• revert: deprecate include-pre-releases (#​1523) @​cchanche

Full Changelog: release-drafter/release-drafter@v6.3.0...v6.4.0

v6.3.0

Compare Source

What's Changed

New

• feat: deprecate include-pre-releases in favor of prerelease (#​1515) @​christopherklint97

Maintenance

• chore: use probot logger instead of @​actions/core (#​1520) @​cchanche

Dependency Updates

8 changes

• chore: update lockfile (#​1521) @​cchanche
• build(deps-dev): bump brace-expansion from 1.1.11 to 1.1.12 (#​1494) @​dependabot[bot]
• build(deps): bump js-yaml (#​1493) @​dependabot[bot]
• build(deps-dev): bump node-fetch from 2.6.7 to 2.7.0 (#​1485) @​dependabot[bot]
• build(deps-dev): bump @​vercel/ncc from 0.34.0 to 0.38.4 (#​1484) @​dependabot[bot]
• build(deps): bump deepmerge from 4.2.2 to 4.3.1 (#​1482) @​dependabot[bot]
• build(deps): bump jws from 3.2.2 to 3.2.3 (#​1495) @​dependabot[bot]
• build(deps): bump lodash from 4.17.21 to 4.17.23 (#​1489) @​dependabot[bot]

Full Changelog: release-drafter/release-drafter@v6.2.0...v6.3.0

v6.2.0

Compare Source

What's Changed

New

• Add config option for history-limit (#​1470) @​gjvoosten
• Add 'commits-since' configuration option for release drafts (#​1451) @​slawekjaranowski

Maintenance

• build: support OIDC for npmjs publishing (#​1480) @​cchanche

Documentation

• Update README.md (#​1434) @​kunaljubce

Full Changelog: release-drafter/release-drafter@v6.1.1...v6.2.0

v6.1.1

Compare Source

What's Changed

Bug Fixes

• Honor Version Template (#​1459) @​ChronosMasterOfAllTime

Documentation

• docs: Add missing action inputs to README (#​1472) @​sasamuku

Full Changelog: release-drafter/release-drafter@v6.1.0...v6.1.1

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • "before 4am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[claude]

Security & Bug Review

I've reviewed this PR and found no security vulnerabilities or bugs in the changes themselves.

Summary

This PR updates GitHub Actions dependencies:

• actions/upload-artifact: v4 → v5
• actions/download-artifact: v5 → v6

Analysis

✅ No Security Issues Found

• These are official GitHub Actions with verified provenance
• Updates are handled by Renovate bot with proper version pinning
• No credential exposure or permission escalation

✅ No Bugs Detected

• All artifact upload/download operations maintain consistent naming (dist, docs, coverage-data-*)
• The merge-multiple: true parameter in download-artifact (line 118 of tests.yml) is compatible with v6
• Artifact retention and path configurations remain unchanged
• Jobs dependencies (needs: tests, needs: release) are unaffected

⚠️ Compatibility Note
The major version bumps suggest potential breaking changes. The most common breaking change in artifact actions is the backend storage format, but this typically doesn't affect workflows using matching upload/download versions. Since both actions are updated together, cross-version compatibility is maintained.

Recommendation: ✅ Safe to merge after CI passes. Monitor the first workflow run to confirm artifact upload/download operations succeed.