deps(deps): bump actions/download-artifact from 4.3.0 to 8.0.1#249
Closed
dependabot[bot] wants to merge 1 commit into
Closed
deps(deps): bump actions/download-artifact from 4.3.0 to 8.0.1#249dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
dependabot
Bot
added
the
dependencies
Security Scan ResultsRepository:
Scanned at 2026-05-19 10:03 UTC |
Semgrep Scan ResultsRepository:
Scanned at 2026-05-19 10:02 UTC |
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/download-artifact-8.0.1
branch
2 times, most recently
from
a257ff8 to
69e33f1
Compare
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/download-artifact-8.0.1
branch
7 times, most recently
from
12deaf6 to
4b4cf96
Compare
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@d3f86a1...3e5f45b) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/download-artifact-8.0.1
branch
from
4b4cf96 to
fdef607
Compare
5 tasks
Cre-eD
added a commit
that referenced
this pull request
May 20, 2026
…label (#279) ## Summary - **Consolidates 12 open Dependabot PRs into one merge** so we pay for CI / review once instead of 12+ times. Closes #275 #276 #274 #242 #243 #244 #233 #237 #248 #249 #250 #251 (and the stale #162, superseded by the gomod group in #275). - **Gates `branch.yaml` (Blacksmith / paid) on Dependabot PRs behind a `ci-run` label**, so future Dependabot PRs stop burning multi-vCPU minutes on a doomed build (they can't decrypt `secrets.SC_CONFIG`). Cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz, TruffleHog, DCO) still run on every Dependabot PR — they're free-tier and catch the supply-chain risk that matters for a bump. - **Adapts three upstream API breaks** that this bump batch introduces (disgo, pulumi-cloudflare, pulumi backend) — `go build ./...` and tests compile clean. ## What's bumped ### Go modules (group #275, post-tidy) 24 direct + transitive: `cloud.google.com/go/storage` 1.49.0→1.62.2 · `aws/aws-lambda-go` 1.47.0→1.54.0 · `aws/aws-sdk-go-v2/config` 1.29.7→1.32.17 · `cloudflare/cloudflare-go` 0.104.0→0.116.0 · `disgoorg/disgo` 0.18.5→0.19.3 · `fatih/color` 1.18.0→1.19.0 · `go-git/go-git/v5` 5.19.0→5.19.1 (also #276) · `onsi/gomega` 1.38.2→1.41.0 · `pulumi-aws/sdk/v6` 6.83.0→6.83.3 · `pulumi-cloudflare/sdk/v6` 6.2.0→6.15.0 · `pulumi-docker/sdk/v4` 4.5.8→4.11.2 · `pulumi-gcp/sdk/v8` 8.0.0→8.41.1 · `pulumi-kubernetes/sdk/v4` 4.18.1→4.31.0 · `pulumi-mongodbatlas/sdk/v3` 3.30.0→3.38.0 · `pulumi-random/sdk/v4` 4.17.0→4.20.0 · `pulumi/pkg/v3` 3.184.0→3.241.0 · `pulumi/sdk/v3` 3.214.0→3.241.0 · `samber/lo` 1.38.1→1.53.0 · `tmc/langchaingo` 0.1.13→0.1.14 · `mongo-driver` 1.16.1→1.17.9 · `k8s.io/apimachinery` 0.35.0→0.36.1 · `k8s.io/client-go` 0.35.0→0.36.1 · others. Major bump (out of group): `pulumi/pulumi-command/sdk` 0.9.2→1.2.1 (#237). ### Docker (group #242 + digests #243 #244) - `alpine` 3.21 → 3.23 (`github-actions.Dockerfile`, `github-actions-staging.Dockerfile`) - `caddy` digest `14f5b3e` → `f96a3b7` - `alpine/kubectl` digest `e9acf90` → `405e713` ### Python docs (group #274) 3 updates in `docs/requirements.in` / `docs/requirements.txt`. ### GitHub Actions - `actions/upload-artifact` v4.6.2 → v7.0.1 (#251) - `actions/download-artifact` v4.3.0 → v8.0.1 (#249) - `actions/cache` v4.3.0 → v5.0.5 (#248) - `docker/setup-buildx-action` v3.12.0 → v4.0.0 (#250) - `reecetech/version-increment` 2023.10.2 → 2024.10.1 (#233) ## Upstream API breaks adapted in `83401af` | Dep | Break | Fix | |---|---|---| | `disgoorg/disgo` 0.19 | `webhook.Client` interface → struct | Field type `*webhook.Client` | | `disgoorg/disgo` 0.19 | `CreateMessage` gained required `rest.CreateWebhookMessageParams` arg | Pass empty `rest.CreateWebhookMessageParams{}` | | `pulumi-cloudflare/sdk` v6.15 | `LookupZoneResult.ZoneId` `*string` → `string` | Drop `lo.FromPtr(...)` wrapper at 4 sites | | `pulumi/pkg/v3` v3.241 | `backend.RemoveStack` gained `removeBackups bool` arg | Pass `false, false` (preserve no-backup-delete behaviour) | ## CI gate — what changes ```yaml # .github/workflows/branch.yaml on: pull_request: types: [opened, synchronize, reopened, labeled] # `labeled` re-triggers jobs: build-setup: if: >- github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]' || contains(github.event.pull_request.labels.*.name, 'ci-run') ``` `finalize` carries the same guard so a Dependabot PR doesn't get a "build failed" Telegram sticky for a pipeline that was intentionally never run. **Operationally** — when a future Dependabot PR (or another consolidated batch like this one) needs full Blacksmith validation before merge, add the `ci-run` label and the workflow re-fires on label. ## Test plan - [x] `go build ./...` clean (local Go 1.26, CI uses 1.25) - [x] `go test -count=1 -run '^$' -vet=off ./...` (compile every test binary) clean - [ ] Add `ci-run` label to this PR (it's authored by a human, not Dependabot, so the gate is inert — CI runs anyway) and let `branch.yaml` produce a real green build - [ ] Verify the Blacksmith build's `build-setup` decrypts `SC_CONFIG` correctly (Dependabot's failure mode was secret access, not code) - [ ] After merge: confirm next Monday's Dependabot PRs land with the heavy workflow showing as skipped (cascade from `build-setup`) and only cheap CI fires --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Dmitrii Creed <creeed22@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Contributor
Author
|
Looks like actions/download-artifact is up-to-date now, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/github_actions/actions/download-artifact-8.0.1
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/download-artifact from 4.3.0 to 8.0.1.
Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
3e5f45bAdd regression tests for CJK characters (#471)e6d03f6Add a regression test for artifact name + content-type mismatches (#472)70fc10cMerge pull request #461 from actions/danwkennedy/digest-mismatch-behaviorf258da9Add change docsccc058eFix linting issuesbd7976bAdd a setting to specify what to do on hash mismatch and default it toerrorac21fcfMerge pull request #460 from actions/danwkennedy/download-no-unzip15999bfAdd note about package bumps974686eBump the version tov8and add release notesfbe48b1Update test names to make it clearer what they do