build(deps): bump actions/upload-artifact from 4 to 6

[dependabot]

Bumps actions/upload-artifact from 4 to 6.

Release notes

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

New Contributors

• @​GhadimiR made their first contribution in actions/upload-artifact#681
• @​nebuk89 made their first contribution in actions/upload-artifact#712
• @​danwkennedy made their first contribution in actions/upload-artifact#727
• @​patrikpolyak made their first contribution in actions/upload-artifact#725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in actions/upload-artifact#685

New Contributors

• @​salmanmkc made their first contribution in actions/upload-artifact#685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in actions/upload-artifact#673

... (truncated)

Commits

• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• ddc45ed docs: update README to correct action name for Node.js 24 support
• 615b319 chore: release v6.0.0 for Node.js 24 support
• 017748b Merge pull request #744 from actions/fix-storage-blob
• 38d4c79 chore: rebuild dist
• 7d27270 chore: add missing license cache files for @​actions/core, @​actions/io, and mi...
• 5f643d3 chore: update license files for @​actions/artifact@​5.0.1 dependencies
• 1df1684 chore: update package-lock.json with @​actions/artifact@​5.0.1
• b5b1a91 fix: update @​actions/artifact to ^5.0.0 for Node.js 24 punycode fix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated internal build automation tooling to use a newer version of build infrastructure components, improving deployment reliability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• ✅ Full review completed - (🔄 Check again to review again)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mangelajo]

@coderabbitai is there any changes we should perform in our actions to support the new upload action?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@mangelajo Let me check your current workflows to see how you're using the upload-artifact action.

---

🏁 Script executed:

#!/bin/bash
# Find all GitHub workflow files
fd -e yml -e yaml . .github/workflows

# Search for usage of upload-artifact action in workflows
rg -n "upload-artifact" .github/workflows/ -A 5 -B 2

Length of output: 1039

---

Let me get a complete view of all upload-artifact usages in your workflows:

---

🏁 Script executed:

#!/bin/bash
# Get detailed view of all upload-artifact usages with more context
rg -n "actions/upload-artifact@" .github/workflows/ -B 5 -A 10

Length of output: 1352

---

🏁 Script executed:

#!/bin/bash
# Check if there are any other versions of upload-artifact being used
rg "upload-artifact@v[0-9]" .github/workflows/

# Also check the PR diff to see what's being changed
git diff origin/main -- .github/workflows/ 2>/dev/null || echo "Cannot access git diff"

Length of output: 1156

---

🌐 Web query:

upload-artifact v6 breaking changes API differences from v4

💡 Result:

upload-artifact v6 vs v4: breaking changes + API diffs

1) Primary breaking change in v6 (vs v4): runtime/runner requirements

• v6 runs on Node.js 24 and requires GitHub Actions Runner ≥ 2.327.1 (important for self-hosted runners). [1]
• In action.yml, the only functional metadata change is:
  • v4: runs.using: node20 [2]
  • v6: runs.using: node24 [3]

2) “API” (inputs/outputs) differences: effectively none

• Inputs and outputs are the same between v4 and v6 (same name, path, if-no-files-found, retention-days, compression-level, overwrite, include-hidden-files; same outputs like artifact-id, artifact-url, artifact-digest). The v6 notes list runtime/runner changes, not interface changes. [1][2][3]

3) Behavioral breaking changes introduced in v4 (still apply in v6)

If you’re upgrading from v4 → v6, these are not new—but they’re the big behavior constraints to keep in mind:

• Artifacts are immutable; you can’t “append” by uploading to the same artifact name multiple times (unless you delete/overwrite). [1]
• Hidden files excluded by default starting v4.4 (must opt in via include-hidden-files). [1]
• Artifacts are job-scoped and v4 isn’t cross-compatible with older versions (e.g., v3 uploads can’t be downloaded with download-artifact@v4). [4]

Sources: [1] actions/upload-artifact README (v6 + v4 notes) (github.com), [2] v4 action.yml (raw.githubusercontent.com), [3] v6 action.yml (raw.githubusercontent.com), [4] GitHub Changelog: Artifacts v4 GA (github.blog)

Citations:

• 1: https://github.com/actions/upload-artifact
• 2: https://raw.githubusercontent.com/actions/upload-artifact/v4/action.yml
• 3: https://raw.githubusercontent.com/actions/upload-artifact/v6/action.yml
• 4: https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available?utm_source=openai

---

@mangelajo Good news! No changes are required to your workflow files. The v6 upgrade has no API or interface changes from v4 - the inputs (name, path, etc.) and outputs remain identical.

Looking at your current usage in .github/workflows/build-oci-bundle.yaml:

- name: Upload FIT artifacts
  uses: actions/upload-artifact@v6
  with:
    name: FIT-images
    path: python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/data/*.itb

This is perfectly compatible with v6. The only breaking change is that v6 runs on Node.js 24 and requires GitHub Actions Runner version 2.327.1 or higher.

What you need to verify:

• ✅ GitHub-hosted runners: No action needed - they're automatically updated
• ⚠️ Self-hosted runners (if you use any): Ensure they're running version 2.327.1+

Your workflow configuration itself requires no modifications! 🎉

(\_/)
(•ᴗ•)
/>📦 Ready to upload!

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/build-oci-bundle.yaml:
- Line 22: The workflow uses actions/upload-artifact@v6 which requires
self-hosted runners to be Actions Runner v2.327.1 or higher; update the
self-hosted runner labelled ubuntu-24.04-arm to v2.327.1+ before merging or
alternatively revert the workflow to a compatible upload action (e.g., pin to an
earlier supported tag like actions/upload-artifact@v3) to avoid failure at the
uses: actions/upload-artifact@v6 line.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/build-oci-bundle.yaml

Repository: jumpstarter-dev/jumpstarter

Length of output: 1304

---

🌐 Web query:

actions/upload-artifact v6 minimum github actions runner version requirement changelog

💡 Result:

• Minimum GitHub Actions runner version for actions/upload-artifact@v6: 2.327.1 (relevant for self-hosted runners; GitHub-hosted runners are managed by GitHub). v6 also switches the action runtime to Node.js 24 (runs.using: node24). [1][2]
• Changelog / release notes: v6.0.0 (released Dec 12, 2025) documents the Node.js 24 runtime change and the minimum runner version requirement; the “Full Changelog” comparison is v5.0.0...v6.0.0. [2]

Sources:
[1] actions/upload-artifact repository (“v6 – What’s new”)
[2] actions/upload-artifact GitHub Releases (v6.0.0)

---

🌐 Web query:

actions/upload-artifact v6 breaking changes from v4 migration guide

💡 Result:

actions/upload-artifact: v4 → v6 migration (breaking changes)

1) Runtime / runner requirements (new in v5/v6)

• v5.0.0 is marked as a breaking change because it adds Node.js 24 support (the project treated this as breaking even though behavior may be unchanged for most users). [1]
• v6.0.0 changes the default runtime to Node.js 24 (runs.using: node24) and requires GitHub Actions Runner >= 2.327.1 (important for self-hosted runners). [1]

2) v4 behavioral “gotchas” you must already be compatible with (still apply in v6)

• You cannot upload to the same artifact name multiple times within a workflow run (common failure in matrix jobs); artifact names must be unique, or you must upload once / merge via other means. [2]
• Hidden files are excluded by default (from v4.4+), to reduce accidental secret uploads; opt back in with include-hidden-files: true if you rely on dotfiles. [2][3]
• Artifact-per-job limit: max 500 artifacts per job. [2]
• Self-hosted runners may need extra firewall rules for the v4+ backend. [2]
• Version compatibility: if you upload with actions/upload-artifact@v4+, you should also download with actions/download-artifact@v4+ (don’t mix v3 with v4+). [4]
• GHES: upload-artifact@v4+ is not supported on GitHub Enterprise Server (per the action docs); you’d need v3/v3-node20 there. [2]

3) Minimal migration change

Change:

- uses: actions/upload-artifact@v4

to:

- uses: actions/upload-artifact@v6

…and if you use self-hosted runners, ensure they’re updated to Runner 2.327.1+ before upgrading. [1]

---

Self-hosted runner must be updated to Actions Runner version 2.327.1+ before merging.

The upgrade to actions/upload-artifact@v6 requires GitHub Actions Runner 2.327.1 or higher on self-hosted runners. Since ubuntu-24.04-arm is a self-hosted runner, this workflow will fail at line 22 unless the runner is updated to meet this minimum version requirement. This is a blocker for deployment.

🤖 Prompt for AI Agents

In @.github/workflows/build-oci-bundle.yaml at line 22, The workflow uses
actions/upload-artifact@v6 which requires self-hosted runners to be Actions
Runner v2.327.1 or higher; update the self-hosted runner labelled
ubuntu-24.04-arm to v2.327.1+ before merging or alternatively revert the
workflow to a compatible upload action (e.g., pin to an earlier supported tag
like actions/upload-artifact@v3) to avoid failure at the uses:
actions/upload-artifact@v6 line.