Skip to content

github-actions: bump actions/upload-artifact from 4 to 7#573

Merged
bgentry merged 1 commit into
masterfrom
dependabot/github_actions/actions/upload-artifact-7
Jun 23, 2026
Merged

github-actions: bump actions/upload-artifact from 4 to 7#573
bgentry merged 1 commit into
masterfrom
dependabot/github_actions/actions/upload-artifact-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps actions/upload-artifact from 4 to 7.

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

... (truncated)

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github May 17, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 17, 2026
@bgentry

bgentry commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot
github-actions: bump actions/upload-artifact from 4 to 7
0601ffc 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/upload-artifact-7 branch from c08ccb6 to 0601ffc Compare June 23, 2026 12:38
bgentry
bgentry approved these changes Jun 23, 2026
View reviewed changes

@bgentry bgentry left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the actions/upload-artifact update from v4 to v7 at PR head 0601ffcf555cfb24bd1b0ff8c8d3f3c9799515d0.

Scope reviewed:

  • Confirmed the rebased PR only updates actions/upload-artifact references in the Docker workflows.
  • Compared upstream action metadata and source for the current v7 line, including the move from Node 20 to Node 24.
  • Checked the new archive input, which defaults to true; River UI does not set it, so the existing zipped artifact behavior remains the default.
  • Looked for unexpected secret reads, process execution, new credential sources, install hooks, or new network destinations beyond the expected GitHub artifact upload service behavior.

Local validation completed on the rebased head:

  • npm run lint
  • npm run test:once
  • npm run build
  • make lint
  • make test

No blocking findings. Residual risk is that the upstream action contains large generated dist bundle changes and the workflow still trusts a moving major-version action reference rather than a pinned commit SHA.

@bgentry bgentry merged commit 70a29cc into master Jun 23, 2026
14 of 16 checks passed
@bgentry bgentry deleted the dependabot/github_actions/actions/upload-artifact-7 branch June 23, 2026 12:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgentry bgentry bgentry approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bgentry