chore(deps): Update github-actions dependency actions/download-artifact to v8

[renovate-sh-app]

This PR contains the following updates:

Package	Type	Update	Change
actions/download-artifact	action	major	v7.0.0 → v8.0.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

---

Configuration

📅 Schedule: Branch creation - Between 06:00 AM and 10:59 AM, only on Monday ( * 6-10 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[jharvey10]

@cursor will the breaking changes outlined in the description affect the workflows modified in this PR?

[cursor]

Based on my analysis of the workflows and the breaking changes, no, the breaking changes will not negatively affect the workflows modified in this PR.

Here's why:

Breaking Changes in v8:

1. Direct Downloads / Selective Unzipping: The action now checks Content-Type headers and only unzips files that are actually zipped (instead of attempting to unzip everything)

   • Impact: ✅ None - All artifacts in your workflows are uploaded using actions/upload-artifact@v4, which automatically zips them. v8 will correctly detect and unzip these.

2. Enforced Digest Checks: Hash mismatches now default to error instead of warn

   • Impact: ✅ Positive - This is a security improvement. If there's a hash mismatch, you want the workflow to fail rather than silently use potentially corrupted artifacts.

3. ESM Migration: Internal package upgrade

   • Impact: ✅ None - This is transparent to users

Your Workflow Patterns:

All 6 usages across your 3 workflows:

• Download artifacts created by actions/upload-artifact@v4.6.2 in the same repo
• Use standard parameters (name, path, and in one case run-id + github-token)
• Don't use any deprecated parameters
• Follow the standard GitHub Actions artifact pattern

The workflows will continue to work exactly as before, with the added benefit of stricter security through enforced hash validation.

  

[cla-assistant]

All committers have signed the CLA.

[renovate-sh-app]

Rebase requested. Renovate is processing this repository now.