chore(actions-update): Update github-actions#95

Open
gdrenovate wants to merge 1 commit into master from renovate/github-actions-updates
@gdrenovate gdrenovate commented Dec 31, 2025

Collaborator

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/cache | action | major | v4 → v6 |
| actions/checkout | action | major | v6 → v7 |
| actions/upload-artifact | action | major | v5 → v7 |

Release Notes

actions/cache (actions/cache)

v6.1.0

Compare Source

What's Changed

Full Changelog: actions/cache@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v6

Compare Source

v5.1.0

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

What's Changed
New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2: v.5.0.2

Compare Source

v5.0.2
What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.


v5.0.1
What's Changed
v5.0.0
What's Changed

Full Changelog: actions/cache@v5...v5.0.1

v5.0.0

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.


What's Changed

Full Changelog: actions/cache@v4.3.0...v5.0.0

v5

Compare Source

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v6

Compare Source


Configuration

📅 Schedule: (in timezone Europe/Prague)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@gdrenovate gdrenovate force-pushed the renovate/github-actions-updates branch from e158514 to c4ae0cc February 28, 2026 23:02
@gdrenovate

Collaborator Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@gdrenovate gdrenovate force-pushed the renovate/github-actions-updates branch from c4ae0cc to 1e90d93 June 30, 2026 22:24
@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Walkthrough

This PR updates GitHub Actions versions used in CI workflows. The actions/checkout action is upgraded from v6 to v7, actions/cache (and actions/cache/restore) from v4 to v6, and actions/upload-artifact from v5 to v7 across the post-merge and pre-merge workflow files. No workflow logic, commands, or cache keys/paths are changed.

Changes

CI Workflow Action Upgrades

| Layer / File(s) | Summary |
|---|---|
| Post-merge workflow upgrade (.github/workflows/post-merge.yml) | test-kotlin job updates actions/checkout to v7 and actions/cache to v6. |
| Pre-merge workflow upgrade (.github/workflows/pre-merge.yml) | build-kotlin and test-kotlin jobs update actions/checkout to v7, actions/cache / actions/cache/restore to v6, and actions/upload-artifact to v7, with build/test commands and cache key/path unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • gooddata/github-actions#171: Tracks Renovate updates to actions/checkout, actions/cache, and actions/upload-artifact matching the version bumps made in this PR.

Poem

A rabbit hops through YAML fields so neat,
Bumping versions with quick little feet,
Checkout, cache, upload — all anew,
v7, v6, marching through,
Hop, hop, CI is fresh and complete! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly indicates a GitHub Actions dependency update and matches the workflow-version changes in the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.github/workflows/pre-merge.yml (1)

16-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider disabling credential persistence on checkout steps.

Both checkout steps in build-kotlin and test-kotlin lack persist-credentials: false. This is pre-existing, but the major version bump is an opportune time to harden this configuration.

- uses: actions/checkout@v7
  with:
    persist-credentials: false

Also applies to: 39-39

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pre-merge.yml at line 16, The checkout steps in the Kotlin
workflows are missing hardened credential settings; update each actions/checkout
usage in the build-kotlin and test-kotlin jobs to include persist-credentials:
false. Use the existing checkout steps as the anchor point and keep the change
limited to those action invocations so credentials are not persisted during the
workflow.

.github/workflows/post-merge.yml (1)

19-19: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider disabling credential persistence on checkout.

The actions/checkout@v7 step does not set persist-credentials: false, which leaves Git credentials persisted in the workspace. This is a pre-existing configuration, but since this is a major version bump, it's a good opportunity to harden the security posture.

- uses: actions/checkout@v7
  with:
    persist-credentials: false

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/post-merge.yml at line 19, The post-merge workflow’s
actions/checkout step should be hardened by disabling persisted Git credentials.
Update the checkout configuration to set persist-credentials to false on the
existing actions/checkout@v7 step so the workflow does not leave credentials
available in the workspace.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 93915b9a-649f-4222-b0c9-568287ff344e

📥 Commits

Reviewing files that changed from the base of the PR and between e1997d2 and 1e90d93.

📒 Files selected for processing (2)
  • .github/workflows/post-merge.yml
  • .github/workflows/pre-merge.yml
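
One way to check for the condition flagged in the review above, as an added example that is not part of this PR or of CodeRabbit's output: a dependency-free Python audit that lists `actions/checkout` steps which do not set `persist-credentials: false`. The workflow text is a constructed sample, and the indentation-based step splitter is a simplification that assumes block-style YAML.

```python
import re

# Constructed sample workflow, not the repository's real file.
SAMPLE = """\
jobs:
  build-kotlin:
    steps:
      - uses: actions/checkout@v7
      - uses: actions/cache@v6
  test-kotlin:
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - uses: actions/checkout@v7
        with:
          persist-credentials: true
"""

ITEM = re.compile(r"^\s*-\s+")
CHECKOUT = re.compile(r"^(?:-\s+)?uses:\s*['\"]?(actions/checkout@[^\s'\"#]+)")
PERSIST = re.compile(r"^persist-credentials:\s*['\"]?(\w+)")

def split_items(text):
    """Group lines into YAML list items as (first_line_no, [stripped lines])."""
    items, current, indent = [], None, -1
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()   # drop comments
        if not line:
            continue
        depth = len(line) - len(line.lstrip())
        if ITEM.match(line) and (current is None or depth <= indent):
            current, indent = (no, [line.strip()]), depth
            items.append(current)
        elif current is not None and depth > indent:
            current[1].append(line.strip())             # continuation of the item
        else:
            current = None                              # dedent: the item has ended
    return items

def audit_checkout_steps(text):
    """Return (line, action_ref, value) for checkout steps not set to false."""
    def first(rx, lines):
        return next((m.group(1) for l in lines if (m := rx.match(l))), None)
    rows = [(no, first(CHECKOUT, ls), first(PERSIST, ls)) for no, ls in split_items(text)]
    # A value of None means the key is unset, so the action's default applies.
    return [r for r in rows if r[1] and (r[2] or "").lower() != "false"]
```

On the constructed sample it reports the checkout step at line 4 (key unset) and the one at line 12 (explicitly `true`), and skips the hardened step and the cache step.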
