chore(deps): update github actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	major	v3.2.0 → v4.1.0
actions/create-github-app-token	action	major	v2.2.2 → v3.0.0
actions/download-artifact	action	major	v7.0.0 → v8.0.1
actions/upload-artifact	action	major	v6.0.0 → v7.0.0
docker/login-action	action	major	v3.7.0 → v4.0.0
release-drafter/release-drafter	action	major	v6.4.0 → v7.1.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in #​836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in #​838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in #​835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

actions/create-github-app-token (actions/create-github-app-token)

v3.0.0

Compare Source

• feat!: node 24 support (#​275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#​342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#​143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

docker/login-action (docker/login-action)

v4.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​929
• Switch to ESM and update config/test wiring by @​crazy-max in #​927
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​919
• Bump @​aws-sdk/client-ecr from 3.890.0 to 3.1000.0 in #​909 #​920
• Bump @​aws-sdk/client-ecr-public from 3.890.0 to 3.1000.0 in #​909 #​920
• Bump @​docker/actions-toolkit from 0.63.0 to 0.77.0 in #​910 #​928
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in #​921
• Bump js-yaml from 4.1.0 to 4.1.1 in #​901

Full Changelog: docker/login-action@v3.7.0...v4.0.0

release-drafter/release-drafter (release-drafter/release-drafter)

v7.1.1

Compare Source

What's Changed

Bug Fixes

• fix: remove disable-releaser and disable-autolabeler from action.yaml (#​1564) @​cchanche

Full Changelog: release-drafter/release-drafter@v7.1.0...v7.1.1

v7.1.0

Compare Source

What's Changed

New

• feat: filter previous releases by range with semver (#​1445) @​cchanche
• feat: support advanced substitutions in replacers (#​1517) @​cchanche

Bug Fixes

• fix: support pull_request_target event in autolabeler (#​1560) @​jmeridth
• fix: empty template when prs all are excluded by labels (#​1429) @​Bledai
• fix: fall back to org .github repo when config not found in current repo (#​1554) @​jetersen

Maintenance

• ci: make sure PRs have a type label (#​1557) @​cchanche

Documentation

• docs: update README with pull_request_target example (#​1561) @​jmeridth

Full Changelog: release-drafter/release-drafter@v7.0.0...v7.1.0

v7.0.0

Compare Source

What's Changed

Breaking

• feat: new major version (#​1475) @​cchanche

Bug Fixes

• fix: JSON schema too strict with required fields (#​1535) @​jetersen

Maintenance

• chore(deps): update vitest to 4.1.0 (#​1544) @​renovate[bot]
• chore(deps): update linters (#​1549) @​renovate[bot]
• chore(deps): update dependency nock to 14.0.11 (#​1548) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/near-operation-file-preset to 5.0.0 (#​1545) @​renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.0 (#​1543) @​renovate[bot]
• chore(deps): update dependency @​graphql-codegen/cli to 6.2.1 (#​1542) @​renovate[bot]
• chore(deps): update vite (#​1541) @​renovate[bot]
• chore(deps): update linters (#​1540) @​renovate[bot]
• build(deps): bump actions/stale from 9 to 10 (#​1527) @​dependabot[bot]

Documentation

• docs: fix v7 docs (#​1532) @​cchanche

Other changes

• chore: migrate from ESLint + Prettier to Biome (#​1552) @​jetersen
• ci: fix licensed (#​1533) @​cchanche

Dependency Updates

• fix(deps): update dependency compare-versions to 6.1.1 (#​1547) @​renovate[bot]
• fix(deps): update dependency zod to 4.3.6 (#​1551) @​renovate[bot]
• fix(deps): update dependency semver to 7.7.4 (#​1550) @​renovate[bot]

Full Changelog: release-drafter/release-drafter@v6.4.0...v7.0.0

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.00%. Comparing base (4784bd3) to head (e961965).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1527      +/-   ##
==========================================
- Coverage   80.01%   80.00%   -0.02%     
==========================================
  Files         127      127              
  Lines       16573    16573              
==========================================
- Hits        13261    13259       -2     
- Misses       3312     3314       +2     

Flag	Coverage Δ
rust-tests	80.00% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[viccuad]

This needs a bit of thought, may break release job.

[flavio]

Agreed, given we're about to start tagging the RC1, maybe it's a good time to give them a chance...

I wonder if we should update our usage of the actions/attest-build-provenance action, according to the changelog:

Note

As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

Maybe we should follow the advice

[viccuad]

Given that we use globs for upload, I believe this will definitely break the release.

[flavio]

@copilot :

Note

As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

Change the code to use actions/attest instead.

[Copilot]

@flavio I've opened a new pull request, #1574, to work on those changes. Once the pull request is ready, I'll request review from you.

[flavio]

copilot switched to the attest action. We now have to double check the other actions that got major bumps