chore(deps): update github actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	major	v3.2.0 → v4.1.0
actions/create-github-app-token	action	major	v2.2.2 → v3.0.0
actions/download-artifact	action	major	v7.0.0 → v8.0.1
actions/upload-artifact	action	major	v6.0.0 → v7.0.0
azure/setup-helm	action	major	v4.3.1 → v5.0.0
release-drafter/release-drafter	action	major	v6.4.0 → v7.1.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in #​836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in #​838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in #​835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

actions/create-github-app-token (actions/create-github-app-token)

v3.0.0

Compare Source

• feat!: node 24 support (#​275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#​342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#​143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

azure/setup-helm (azure/setup-helm)

v5.0.0

Compare Source

release-drafter/release-drafter (release-drafter/release-drafter)

v7.1.1

Compare Source

What's Changed

Bug Fixes

• fix: remove disable-releaser and disable-autolabeler from action.yaml (#​1564) @​cchanche

Full Changelog: release-drafter/release-drafter@v7.1.0...v7.1.1

v7.1.0

Compare Source

What's Changed

New

• feat: filter previous releases by range with semver (#​1445) @​cchanche
• feat: support advanced substitutions in replacers (#​1517) @​cchanche

Bug Fixes

• fix: support pull_request_target event in autolabeler (#​1560) @​jmeridth
• fix: empty template when prs all are excluded by labels (#​1429) @​Bledai
• fix: fall back to org .github repo when config not found in current repo (#​1554) @​jetersen

Maintenance

• ci: make sure PRs have a type label (#​1557) @​cchanche

Documentation

• docs: update README with pull_request_target example (#​1561) @​jmeridth

Full Changelog: release-drafter/release-drafter@v7.0.0...v7.1.0

v7.0.0

Compare Source

What's Changed

Breaking

• feat: new major version (#​1475) @​cchanche

Bug Fixes

• fix: JSON schema too strict with required fields (#​1535) @​jetersen

Maintenance

• chore(deps): update vitest to 4.1.0 (#​1544) @​renovate[bot]
• chore(deps): update linters (#​1549) @​renovate[bot]
• chore(deps): update dependency nock to 14.0.11 (#​1548) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/near-operation-file-preset to 5.0.0 (#​1545) @​renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.0 (#​1543) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/cli to 6.2.1 (#​1542) @​renovate[bot]
• chore(deps): update vite (#​1541) @​renovate[bot]
• chore(deps): update linters (#​1540) @​renovate[bot]
• build(deps): bump actions/stale from 9 to 10 (#​1527) @​dependabot[bot]

Documentation

• docs: fix v7 docs (#​1532) @​cchanche

Other changes

• chore: migrate from ESLint + Prettier to Biome (#​1552) @​jetersen
• ci: fix licensed (#​1533) @​cchanche

Dependency Updates

• fix(deps): update dependency compare-versions to 6.1.1 (#​1547) @​renovate[bot]
• fix(deps): update dependency zod to 4.3.6 (#​1551) @​renovate[bot]
• fix(deps): update dependency semver to 7.7.4 (#​1550) @​renovate[bot]

Full Changelog: release-drafter/release-drafter@v6.4.0...v7.0.0

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.49%. Comparing base (075f3fb) to head (574a125).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1527      +/-   ##
==========================================
+ Coverage   80.42%   80.49%   +0.06%     
==========================================
  Files         127      127              
  Lines       16398    16398              
==========================================
+ Hits        13188    13199      +11     
+ Misses       3210     3199      -11     

Flag	Coverage Δ
rust-tests	80.49% <ø> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[viccuad]

This needs a bit of thought, may break release job.

[flavio]

Agreed, given we're about to start tagging the RC1, maybe it's a good time to give them a chance...

I wonder if we should update our usage of the actions/attest-build-provenance action, according to the changelog:

Note

As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

Maybe we should follow the advice

[viccuad]

Given that we use globs for upload, I believe this will definitely break the release.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[Copilot]

Pull request overview

This PR updates several GitHub Actions used across CI, release automation, and dependency update workflows to newer major versions, and adjusts the release-drafter setup to align with release-drafter v7’s split autolabeler.

Changes:

• Bump major versions of multiple actions (create-github-app-token, download/upload-artifact, setup-helm, attest-build-provenance, release-drafter).
• Update Release Drafter workflow to v7 token input format and separate autolabeler into its own workflow.
• Reformat/adjust .github/release-drafter.yml autolabeler configuration structure and quoting.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
.github/workflows/update-dependencies.yaml	Updates actions/create-github-app-token to v3.0.0 SHA pin.
.github/workflows/release.yml	Updates actions/download-artifact to v8.0.1 SHA pin for release asset assembly.
.github/workflows/release-drafter.yml	Updates release-drafter to v7.1.1 and switches to with: token. Removes embedded autolabeler trigger.
.github/workflows/open-release-pr.yml	Updates create-github-app-token to v3.0.0 and azure/setup-helm to v5.0.0.
.github/workflows/ci.yml	Updates azure/setup-helm to v5.0.0 for helm unit tests job.
.github/workflows/build-kwctl.yml	Updates attest-build-provenance to v4.1.0 and upload-artifact to v7.0.0.
.github/workflows/autolabeler.yml	Adds new workflow to run release-drafter autolabeler on PR events.
.github/release-drafter.yml	Updates quoting and autolabeler config structure for release-drafter v7.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jvanz]

As far as I can see, we can merge this updates. The upload-arfitact changes should not be a problem because we do not upload files using blobs. Furthermore, the feature mentioned in the changelog is disable by default:

Callers will need to opt into this change by setting the new archive flag to false (to maintain backwards compatibility, the flag defaults to true right now). Only a single file can be uploaded right now. If the action detects multiple files, it will error.

And the download-artifact update should not be an issue neither. The change is that it will try to unzip only zipped files. But all the artifacts it downloads from our CI are zipped.

Besides that, I've fixed the release-drafter configuration and CI files

[viccuad]

Thanks! Looking forward to have the autolabeler back.

I would expect the autolabeler to need write permissions for the issues/prs at least, but I'm happy merging and seeing.

[jvanz]

Thanks! Looking forward to have the autolabeler back.

I would expect the autolabeler to need write permissions for the issues/prs at least, but I'm happy merging and seeing.

Surprise! #1608
🤦