Skip to content

Bump actions/download-artifact from 4 to 8#41

Merged
bernardladenthin merged 2 commits into
mainfrom
dependabot/github_actions/actions/download-artifact-8
May 10, 2026
Merged

Bump actions/download-artifact from 4 to 8#41
bernardladenthin merged 2 commits into
mainfrom
dependabot/github_actions/actions/download-artifact-8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 10, 2026

Copy link
Copy Markdown
Contributor

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps actions/download-artifact from 4 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6.0.0

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 10, 2026
@bernardladenthin bernardladenthin merged commit ce4e1c9 into main May 10, 2026
12 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/download-artifact-8 branch May 10, 2026 22:37
@claude

claude Bot commented May 10, 2026

Copy link
Copy Markdown

Review: actions/download-artifact v4 → v8 Upgrade

This PR upgrades the GitHub Actions dependency with breaking changes that should be verified:

⚠️ Breaking Changes in v8:

  1. Hash Mismatch Enforcement — v8 now errors by default when artifact digest mismatches occur (previously just logged a warning). If the snapshot workflow downloads artifacts with mismatched hashes, this will fail the workflow run.

    • Mitigation: Monitor the next snapshot workflow run to confirm hash validation passes. If hash mismatches occur, you may need to add digest-mismatch: warn to the download-artifact step.
  2. Unzip Behavior — v8 no longer automatically unzips non-zipped downloads (checks Content-Type header first). The workflow downloads to plugin-jars/ — verify these are actually JAR files, not zipped artifacts. If they're raw JARs, the behavior is unchanged.

  3. Node.js 24 Requirement (v7) — v8 runs on Node.js 24. Ensure your GitHub Actions runners meet the minimum requirement (Actions Runner 2.327.1+).

✅ Verification Needed:

  • Next snapshot workflow run completes successfully
  • Artifact hashes match (no digest errors)
  • Plugin JARs are correctly downloaded to the target path

Recommendation: Monitor the next scheduled snapshot build to confirm the workflow still operates as expected.

steps:
- uses: actions/checkout@v6
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v8

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version Mismatch Alert: The upload step uses actions/upload-artifact@v7 (line 33) while the download now uses @v8. Consider upgrading the upload action to v8 as well to ensure consistent behavior and full compatibility. Latest v8 has improved handling of artifact uploads and downloads.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant