Skip to content

chore(deps): update github-actions deps (major)#37

Open
elastic-renovate-prod[bot] wants to merge 1 commit intomainfrom
renovate/major-github-actions-deps
Open

chore(deps): update github-actions deps (major)#37
elastic-renovate-prod[bot] wants to merge 1 commit intomainfrom
renovate/major-github-actions-deps

Conversation

@elastic-renovate-prod
Copy link
Copy Markdown

@elastic-renovate-prod elastic-renovate-prod Bot commented Mar 3, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
actions/cache action major v4.2.3 -> v5.0.5
actions/checkout action major v4.2.2 -> v6.0.2
actions/create-github-app-token action major v2.0.6 -> v3.1.1
actions/download-artifact action major v4.3.0 -> v8.0.1
actions/github-script action major v7.0.1 -> v9.0.0
actions/setup-go action major v5.5.0 -> v6.4.0
actions/setup-go action major v5 -> v6
actions/stale action major v9.1.0 -> v10.2.0
actions/upload-artifact action major v4.6.2 -> v7.0.1
codecov/codecov-action action major 5.4.3 -> 6.0.0
docker/setup-buildx-action action major v3.11.1 -> v4.0.0
docker/setup-qemu-action action major v3.6.0 -> v4.0.0
github/codeql-action action major v3.29.5 -> v4.35.2
goreleaser/goreleaser-action action major v6.3.0 -> v7.2.1
sigstore/cosign-installer action major v3.9.2 -> v4.1.1
streetsidesoftware/cspell-action action major v7.2.0 -> v8.4.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

What's Changed
New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2: v.5.0.2

Compare Source

v5.0.2
What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

v5.0.1
What's Changed
v5.0.0
What's Changed

Full Changelog: actions/cache@v5...v5.0.1

v5.0.0

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

What's Changed

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

Compare Source

What's Changed
New Contributors

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

Compare Source

What's Changed
New Contributors

Full Changelog: actions/cache@v4...v4.2.4

actions/checkout (actions/checkout)

v6.0.2

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.3.1

Compare Source

v4.3.0

Compare Source

actions/create-github-app-token (actions/create-github-app-token)

v3.1.1

Compare Source

Bug Fixes

v3.1.0

Compare Source

Bug Fixes
Features

v3.0.0

Compare Source

Bug Fixes
BREAKING CHANGES
  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
  • Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v2.2.2

Compare Source

Bug Fixes

v2.2.1

Compare Source

Bug Fixes
  • deps: bump the production-dependencies group with 2 updates (#​311) (b212e6a)

v2.2.0

Compare Source

Bug Fixes
Features

v2.1.4

Compare Source

Bug Fixes

v2.1.3

Compare Source

Bug Fixes
  • deps: bump undici from 7.8.0 to 7.10.0 in the production-dependencies group (#​254) (f3d5ec2)

v2.1.2

Compare Source

Bug Fixes

v2.1.1

Compare Source

Bug Fixes

v2.1.0

Compare Source

Features
actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/download-artifact@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

  • By name: name: my-artifact → extracted to path/ (direct)
  • By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

  • By name: name: my-artifact → extracted to path/ (unchanged)
  • By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)
Migration Guide
✅ No Action Needed If:
  • You download artifacts by name
  • You download multiple artifacts by ID
  • You already use merge-multiple: true as a workaround
⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist

### Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

New Contributors

Full Changelog: actions/download-artifact@v4...v5.0.0

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.
What's Changed
New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8.0.0

Compare Source

v7.1.0

Compare Source

What's Changed
New Contributors

Full Changelog: actions/github-script@v7...v7.1.0

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed
Enhancement
Dependency update
Documentation update
New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

Compare Source

What's Changed
Enhancements
Dependency updates
New Contributors

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

Compare Source

What's Changed
Enhancements
Dependency updates
New Contributors

Full Changelog: actions/setup-go@v6...v6.1.0

v6.0.0

Compare Source

What's Changed
Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades
New Contributors

Full Changelog: actions/setup-go@v5...v6.0.0

v5.6.0

Compare Source

What's Changed

Full Changelog: actions/setup-go@v5...v5.6.0

actions/stale (actions/stale)

v10.2.0

Compare Source

What's Changed

Bug Fix
Dependency Updates

New Contributors

Full Changelog: actions/stale@v10...v10.2.0

v10.1.1

Compare Source

What's Changed

Bug Fix
Improvement
Dependency Upgrades

New Contributors

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: actions/stale@v10...v10.1.0

v10.0.0

Compare Source

What's Changed

Breaking Changes
Enhancement
Dependency Upgrades
Documentation changes

New Contributors

Configuration

📅 Schedule: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 4 times, most recently from 424d58f to 48fe132 Compare March 9, 2026 18:19
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 3 times, most recently from cc42f97 to b55da35 Compare March 16, 2026 10:19
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 3 times, most recently from 30cbbfe to 5942647 Compare March 20, 2026 22:20
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 5 times, most recently from 1126ef3 to a2be27b Compare March 30, 2026 06:20
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 5 times, most recently from 8f6c6ed to 1cfdec2 Compare April 11, 2026 10:20
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch 3 times, most recently from 84b436f to 69a9a2e Compare April 18, 2026 22:20
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/major-github-actions-deps branch from 69a9a2e to 0399ef7 Compare April 26, 2026 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies renovatebot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants