Bump actions/upload-artifact from 4 to 7 #9
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
📝 Walkthrough
Updates the version of the GitHub Actions action for uploading artifacts in the CI workflow. In job
Changes
CI workflow update
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 165: Replace the floating tag usage of the GitHub Action in the workflow
step that currently says "uses: actions/upload-artifact@v7" with the exact
commit SHA to pin the version for supply-chain safety; update that line to
"uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" so the
CI step uses the fixed commit instead of the mutable tag.
📒 Files selected for processing (1)
.github/workflows/ci.yml
|
|
||
| - name: Upload APK artifact | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@v7 |
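Review bot: the new `uses: actions/upload-artifact@v7` line in the "Upload APK artifact" step still points at a movable tag, so the code that handles the APK can change without any change to this file. Pin the reference to the full 40-character commit SHA and keep the version as a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v7`. The line also goes from `@v4` straight to `@v7`, so the step's `with:` inputs, which this hunk does not show, should be checked against the intermediate major releases before merge.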
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Get the commit hash for actions/upload-artifact@v7
gh api repos/actions/upload-artifact/git/refs/tags/v7 --jq '.object.sha' 2>/dev/null || \
gh api repos/actions/upload-artifact/releases/tags/v7 --jq '.target_commitish' 2>/dev/null || \
echo "Не удалось получить хеш для v7. Проверьте вручную на https://github.com/actions/upload-artifact/releases"
```
Repository: rkfsociety/UploadSimulator
Length of output: 111
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# show relevant section around line ~165
nl -ba .github/workflows/ci.yml | sed -n '140,190p'
```
Repository: rkfsociety/UploadSimulator
Length of output: 113
🌐 Web query:
actions/upload-artifact v7 default archive true archive=false breaking changes
💡 Result:
In actions/upload-artifact v7, a new input parameter named archive has been introduced, allowing users to opt into direct file uploads without zip compression [1][2]. Key details regarding this feature and v7 changes:

1. New 'archive' Input: The new archive parameter defaults to 'true' to maintain backward compatibility [1][2]. When set to 'false', the action will attempt to upload a single file directly without archiving [1][3].
2. Limitations of 'archive: false':
   - It only supports uploading a single file [1][4]. The action will fail if the provided path resolves to multiple files [1][2].
   - The 'name' parameter is ignored when 'archive: false' is used [1][4]. Instead, the filename of the uploaded file becomes the name of the artifact [1][4].
3. Breaking Changes: While v7 is a major version, there are no traditional "breaking" changes for existing workflows, as the new archive parameter is optional and defaults to 'true' [1][2]. The primary technical change is the upgrade of the action to ESM (ECMAScript Modules) to support new @actions/* package versions [1][5]. Some users have noted that the release notes did not explicitly document the ESM upgrade as a breaking change [6].
4. Ecosystem Requirements: If you choose to use 'archive: false' to upload non-zipped artifacts, you must also use actions/download-artifact v8 (or newer) to download them [3].

Top results: [1], [2], [3], [4]
Citations:
- 1: https://github.com/actions/upload-artifact/releases/tag/v7.0.0
- 2: Support direct file uploads actions/upload-artifact#764
- 3: https://github.blog/changelog/2026-02-26-github-actions-now-supports-uploading-and-downloading-non-zipped-artifacts/
- 4: https://github.com/actions/upload-artifact/blob/main/action.yml
- 5: actions/upload-artifact@v6...v7
- 6: [docs] No documented breaking changes in v7 actions/upload-artifact#776
🌐 Web query:
actions/upload-artifact v7 node version requirement v6 v7 runtime
💡 Result:
Starting with version 6, the actions/upload-artifact action runs on Node.js 24 [1][2]. This requirement persists in version 7 [1][3]. Key details regarding the Node.js 24 runtime requirement include:

- Default Runtime: Beginning with v6.0.0, the action transitioned to using Node.js 24 (runs.using: node24) by default [1][2]. While v5 included preliminary support, it continued to default to Node.js 20 [2][4].
- Runner Compatibility: Upgrading to v6 or v7 requires a minimum Actions Runner version of 2.327.1 [2][4]. Users of self-hosted runners must ensure their runners are updated to at least this version before upgrading the action [1][2].
- Version 7 Updates: While v7 maintains the Node.js 24 runtime requirement, its primary changes over v6 include the addition of direct file uploads (allowing unzipped uploads via the new archive: false parameter) and an upgrade to ESM (ECMAScript Modules) to support updated @actions packages [3].
Citations:
- 1: chore(deps): Update github-actions dependency actions/upload-artifact to v7 grafana/alloy#5944
- 2: https://github.com/actions/upload-artifact/releases/tag/v6.0.0
- 3: https://github.com/actions/upload-artifact/releases/tag/v7.0.0
- 4: https://github.com/actions/upload-artifact/tree/refs/heads/upload-artifact-v6-release
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# show the exact upload-artifact usage area without relying on `nl`
sed -n '150,180p' .github/workflows/ci.yml
# find related artifact download steps in the workflow
rg -n "download-artifact@|upload-artifact@" .github/workflows/ci.yml
```
Repository: rkfsociety/UploadSimulator
Length of output: 1344
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
rg -n "download-artifact@|upload-artifact@" .github/workflows/ci.yml
# Show nearby context for any matches
rg -n "download-artifact@|upload-artifact@" .github/workflows/ci.yml | cut -d: -f1 | sort -nu | while read -r line; do
  echo "---- around line $line ----"
  sed -n "$((line-10)),$((line+10))p" .github/workflows/ci.yml
done
```
Repository: rkfsociety/UploadSimulator
Length of output: 964
Pin actions/upload-artifact to a commit SHA (supply-chain security).
The tag actions/upload-artifact@v7 is currently used (line ~165); tags can be moved. Replace it with actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 165-165: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 165, Replace the floating tag usage of the
GitHub Action in the workflow step that currently says "uses:
actions/upload-artifact@v7" with the exact commit SHA to pin the version for
supply-chain safety; update that line to "uses:
actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" so the CI step
uses the fixed commit instead of the mutable tag.
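An added example, not part of this PR or of the review tool's output: a small offline check for the unpinned-uses finding above, flagging every `uses:` reference that is not pinned to a full 40-character commit SHA (or, for `docker://` images, to a `sha256` digest). The function names are hypothetical, and the workflow text and the hashes in it are constructed placeholders.

```python
import re

# A `uses:` key in a step or reusable-workflow job, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # action inside this repository, no remote ref to pin
    if ref.startswith("docker://"):
        # An image reference is immutable only when it names a digest.
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"
    return "unpinned"  # tag, branch, abbreviated SHA, or no ref at all


def audit(workflow_text):
    """Return a list of (line_number, reference) for unpinned `uses:` lines."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "unpinned":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample workflow; the hash values are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Upload APK artifact
        uses: actions/upload-artifact@v7
      - uses: ./.github/actions/sign
      - uses: "docker://alpine:3.20"
      - uses: actions/cache@abc1234
"""

if __name__ == "__main__":
    for number, ref in audit(SAMPLE):
        print(f"line {number}: unpinned action reference: {ref}")
```

An abbreviated SHA is reported as unpinned on purpose: only the full 40-character form is treated as a pin.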
Bumps actions/upload-artifact from 4 to 7.
Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
- 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
- 634250c Include changes in typespec/ts-http-runtime 0.3.5
- e454baa Readme: bump all the example versions to v7 (#796)
- 74fad66 Update the readme with direct upload details (#795)
- bbbca2d Support direct file uploads (#764)
- 589182c Upgrade the module to ESM and bump dependencies (#762)
- 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
- 02a8460 Add proxy integration test
- b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
- e516bc8 docs: correct description of Node.js 24 support in README

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.