chore(deps): update github actions (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v4 → v6
actions/download-artifact	action	major	v4 → v8
actions/github-script	action	major	v7 → v9
actions/setup-go	action	major	v5 → v6
actions/upload-artifact	action	major	v4 → v7
canonical/setup-lxd	action	major	v0.1.3 → v1
github/codeql-action	action	major	v3 → v4
googleapis/release-please-action	action	major	v4 → v5
hashicorp/setup-terraform	action	major	v3 → v4
ubuntu	github-runner	major	22.04 → 24.04

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

Compare Source

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in #​2226
• Prepare v5.0.0 release by @​salmanmkc in #​2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v5

Compare Source

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in #​1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in #​1180
• Dependency updates by @​dependabot- #​1777, #​1872

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in #​1739
• Bump actions/checkout from 3 to 4 by @​dependabot in #​1697
• Check out other refs/* by commit by @​orhantoy in #​1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in #​1776

v4.1.6

Compare Source

• Check platform to set archive extension appropriately by @​cory-miller in #​1732

v4.1.5

Compare Source

• Update NPM dependencies by @​cory-miller in #​1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in #​1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in #​1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in #​1695
• README: Suggest user.email to be 41898282+github-actions[bot]@​users.noreply.github.com by @​cory-miller in #​1707

v4.1.4

Compare Source

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in #​1692
• Add dependabot config by @​cory-miller in #​1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in #​1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in #​1643

v4.1.3

Compare Source

• Check git version before attempting to disable sparse-checkout by @​jww3 in #​1656
• Add SSH user parameter by @​cory-miller in #​1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in #​1650

v4.1.2

Compare Source

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in #​1598

v4.1.1

Compare Source

• Correct link to GitHub Docs by @​peterbe in #​1511
• Link to release page from what's new section by @​cory-miller in #​1514

v4.1.0

Compare Source

• Add support for partial checkout filters

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

v7

Compare Source

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6

Compare Source

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

v5

Compare Source

v5.0.0

Compare Source

What's Changed

• Update README.md by @​nebuk89 in #​407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in #​416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist

### Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

New Contributors

• @​nebuk89 made their first contribution in #​407

Full Changelog: actions/download-artifact@v4...v5.0.0

v4.3.0

Compare Source

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in #​401
• Fix workflow example for downloading by artifact ID by @​joshmgross in #​402
• Prep for v4.3.0 release by @​robherley in #​404

New Contributors

• @​GrantBirki made their first contribution in #​401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

v4.2.1

Compare Source

What's Changed

• Add unit tests by @​GhadimiR in #​392
• Fix bug introduced in 4.2.0 by @​GhadimiR in #​391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

v4.2.0

Compare Source

What's Changed

• Update README.md by @​lkfortuna in #​384
• Bump artifact version, do digest check by @​GhadimiR in #​383

New Contributors

• @​lkfortuna made their first contribution in #​384
• @​GhadimiR made their first contribution in #​383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

v4.1.9

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​354
• docs: small migration fix by @​froblesmartin in #​370
• Update MIGRATION.md by @​andyfeller in #​372
• Update artifact package to 2.2.2 by @​yacaovsnc in #​380

New Contributors

• @​Jcambass made their first contribution in #​354
• @​froblesmartin made their first contribution in #​370
• @​andyfeller made their first contribution in #​372
• @​yacaovsnc made their first contribution in #​380

Full Changelog: actions/download-artifact@v4.1.8...v4.1.9

v4.1.8

Compare Source

What's Changed

• Update @​actions/artifact version, bump dependencies by @​robherley in #​341

Full Changelog: actions/download-artifact@v4.1.7...v4.1.8

v4.1.7

Compare Source

What's Changed

• Update @​actions/artifact dependency by @​bethanyj28 in #​325

Full Changelog: actions/download-artifact@v4.1.6...v4.1.7

v4.1.6

Compare Source

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in #​324

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

v4.1.5

Compare Source

What's Changed

• Update readme with v3/v2/v1 deprecation notice by @​robherley in #​322
• Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

v4.1.4

Compare Source

What's Changed

• Update @​actions/artifact by @​bethanyj28 in #​307

Full Changelog: actions/download-artifact@v4...v4.1.4

v4.1.3

Compare Source

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in #​292
• Update toolkit dependency with updated unzip logic by @​bethanyj28 in #​299
• Update @​actions/artifact by @​bethanyj28 in #​303

New Contributors

• @​bethanyj28 made their first contribution in #​299

Full Changelog: actions/download-artifact@v4...v4.1.3

v4.1.2

Compare Source

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.1.1

Compare Source

• Fix transient request timeouts #​249
• Bump @actions/artifacts to latest version

v4.1.0

Compare Source

What's Changed

• Some cleanup by @​robherley in #​247
• Fix default for run-id by @​stchr in #​252
• Support pattern matching to filter artifacts & merge to same directory by @​robherley in #​259

New Contributors

• @​stchr made their first contribution in #​252

Full Changelog: actions/download-artifact@v4...v4.1.0

actions/github-script (actions/github-script)

v9

Compare Source

v9.0.0

Compare Source

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in #​695
• ci: use deployment: false for integration test environments by @​salmanmkc in #​712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in #​700

New Contributors

• @​Copilot made their first contribution in #​695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8: .0.0

Compare Source

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in #​637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in #​653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in #​637
• @​sneha-krip made their first contribution in #​653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v8.0.0

Compare Source

v7.1.0

Compare Source

What's Changed

• Upgrade husky to v9 by @​benelan in #​482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​485
• Upgrade IA Publish by @​Jcambass in #​486
• Fix workflow status badges by @​joshmgross in #​497
• Update usage of actions/upload-artifact by @​joshmgross in #​512
• Clear up package name confusion by @​joshmgross in #​514
• Update dependencies with npm audit fix by @​joshmgross in #​515
• Specify that the used script is JavaScript by @​timotk in #​478
• chore: Add Dependabot for NPM and Actions by @​nschonni in #​472
• Define permissions in workflows and update actions by @​joshmgross in #​531
• chore: Add Dependabot for .github/actions/install-dependencies by @​nschonni in #​532
• chore: Remove .vscode settings by @​nschonni in #​533
• ci: Use github/setup-licensed by @​nschonni in #​473
• make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @​iamstarkov in #​508
• Remove octokit README updates for v7 by @​joshmgross in #​557
• docs: add "exec" usage examples by @​neilime in #​546
• Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @​dependabot[bot] in #​563
• Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @​dependabot[bot] in #​575
• Clearly document passing inputs to the script by @​joshmgross in #​603
• Update README.md by @​nebuk89 in #​610

New Contributors

• @​benelan made their first contribution in #​482
• @​Jcambass made their first contribution in #​485
• @​timotk made their first contribution in #​478
• @​iamstarkov made their first contribution in #​508
• @​neilime made their first contribution in #​546
• @​nebuk89 made their first contribution in #​610

Full Changelog: actions/github-script@v7...v7.1.0

v7.0.1

Compare Source

What's Changed

• Avoid setting baseUrl to undefined when input is not provided by @​joshmgross in #​439

Full Changelog: actions/github-script@v7.0.0...v7.0.1

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in #​705
• Fix golang download url to go.dev by @​178inaba in #​469

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Enhancements

• Example for restore-only cache in documentation by @​aparnajyothi-y in #​696
• Update Node.js version in action.yml by @​ccoVeille in #​691
• Documentation update of actions/checkout by @​deining in #​683

Dependency updates

• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot in #​682
• Upgrade @​actions/cache to v5 by @​salmanmkc in #​695
• Upgrade actions/checkout from 5 to 6 by @​dependabot in #​686
• Upgrade qs from 6.14.0 to 6.14.1 by @​dependabot in #​703

New Contributors

• @​ccoVeille made their first contribution in #​691
• @​deining made their first contribution in #​683

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancements

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​nicholasngai in #​665
• Add support for .tool-versions file and update workflow by @​priya-kinthali in #​673
• Add comprehensive breaking changes documentation for v6 by @​mahabaleshwars in #​674

Dependency updates

• Upgrade eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking changes in v6 by @​dependabot in #​617
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​641
• Upgrade semver and @​types/semver by @​dependabot in #​652

New Contributors

• @​nicholasngai made their first contribution in #​665
• @​priya-kinthali made their first contribution in #​673
• @​mahabaleshwars made their first contribution in #​674

Full Changelog: actions/setup-go@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Improve toolchain handling to ensure more reliable and consistent toolchain selection and management by @​matthewhughes934 in #​460
• Upgrade Nodejs runtime from node20 to node 24 by @​salmanmkc in #​624

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in #​589
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​591
• Upgrade @​typescript-eslint/parser from 8.31.1 to 8.35.1 by @​dependabot[bot] in #​590
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​594
• Upgrade typescript from 5.4.2 to 5.8.3 by @​dependabot[bot] in #​538
• Upgrade eslint-plugin-jest from 28.11.0 to 29.0.1 by @​dependabot[bot] in #​603
• Upgrade form-data to bring in fix for critical vulnerability by @​matthewhughes934 in #​618
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​631

New Contributors

• @​matthewhughes934 made their first contribution in #​618
• @​salmanmkc made their first contribution in #​624

Full Changelog: actions/setup-go@v5...v6.0.0

v6

Compare Source

v5.6.0

Compare Source

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in #​689

Full Changelog: actions/setup-go@v5...v5.6.0

v5.5.0

Compare Source

What's Changed

Bug fixes:

• Update self-hosted environment validation by @​priyagupta108 in #​556
• Add manifest validation and improve error handling by @​priyagupta108 in #​586
• Update template link by @​jsoref in #​527

Dependency updates:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in #​574
• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in #​573
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in #​582
• Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @​dependabot in #​537

New Contributors

• @​jsoref made their first contribution in #​527

Full Changelog: actions/setup-go@v5...v5.5.0

v5.4.0

Compare Source

What's Changed

Dependency updates :

• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in #​535
• Upgrade eslint-config-prettier from 8.10.0 to 10.0.1 by @​dependabot in #​536
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​aparnajyothi-y in #​568
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in #​541

New Contributors

• @​aparnajyothi-y made their first contribution in #​568

Full Changelog: actions/setup-go@v5...v5.4.0

v5.3.0

Compare Source

What's Changed

• Use the new cache service: upgrade @actions/cache to ^4.0.0 by @​Link- in #​531
• Configure Dependabot settings by @​HarithaVattikuti in #​530
• Document update - permission section by @​HarithaVattikuti in #​533
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in #​534

New Contributors

• @​Link- made their first contribution in #​531

Full Changelog: actions/setup-go@v5...v5.3.0

v5.2.0

Compare Source

What's Changed

• Leveraging the raw API to retrieve the version-manifest, as it does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token for Github Enterprise Servers by @​Shegox in #​496

New Contributors

• @​Shegox made their first contribution in #​496

Full Changelog: actions/setup-go@v5...v5.2.0

v5.1.0

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in [#​500](https://redirect.github

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.