
Bump actions/upload-artifact from 4 to 6 #106

Merged: kernelsam merged 7 commits into main from dependabot/github_actions/actions/upload-artifact-6 on Feb 19, 2026

@dependabot dependabot Bot commented on behalf of github Feb 10, 2026

Bumps actions/upload-artifact from 4 to 6.

Release notes

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

... (truncated)

Commits
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • ddc45ed docs: update README to correct action name for Node.js 24 support
  • 615b319 chore: release v6.0.0 for Node.js 24 support
  • 017748b Merge pull request #744 from actions/fix-storage-blob
  • 38d4c79 chore: rebuild dist
  • 7d27270 chore: add missing license cache files for @actions/core, @actions/io, and mi...
  • 5f643d3 chore: update license files for @actions/artifact@5.0.1 dependencies
  • 1df1684 chore: update package-lock.json with @actions/artifact@5.0.1
  • b5b1a91 fix: update @actions/artifact to ^5.0.0 for Node.js 24 punycode fix
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Resolves #745
Resolves #744
Resolves actions/upload-artifact#719
Resolves actions/upload-artifact#744
Resolves actions/upload-artifact#745
Resolves actions/upload-artifact#681
Resolves actions/upload-artifact#712
Resolves actions/upload-artifact#727
Resolves actions/upload-artifact#725
Resolves actions/upload-artifact#734
Resolves actions/upload-artifact#685
Resolves actions/upload-artifact#673

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 10, 2026
@dependabot dependabot Bot requested a review from a team as a code owner February 10, 2026 12:06
@github-actions

🤖 Claude Code Review

Code Review Analysis

Review Checklist Results

Code Quality

Code follows style guide

  • The changes are minimal and follow standard YAML formatting conventions for GitHub Actions workflows.

No commented-out code

  • No commented code present in this diff.

Meaningful variable names

  • N/A - No new variables introduced.

DRY principle followed

  • N/A - This is a simple version bump, no logic duplication.

Identify Defects

  • No defects identified. The upgrade from actions/upload-artifact@v4 to v6 is a standard dependency update.
  • Note: This change skips v5, jumping directly from v4 to v6. This is intentional and correct based on GitHub's action versioning (v5 was a short-lived release).

Project memory configuration

  • No ./.claude/CLAUDE.md file exists in this repository to consider.

Testing

⚠️ Unit tests for new functions

  • N/A - No new functions added. This is an infrastructure change to GitHub Actions workflow.

⚠️ Integration tests for new endpoints

  • N/A - No new endpoints.

⚠️ Edge cases covered

  • N/A - Workflow changes don't require test coverage in the traditional sense.

⚠️ Test coverage > 80%

  • N/A - Cannot verify test coverage from this diff alone, but this change doesn't affect application code coverage.

Documentation

Readme updated if needed

  • Not applicable for this change, but README doesn't need updating for internal workflow changes.

API docs updated

  • N/A - No API changes.

Inline comments for complex logic

  • N/A - No complex logic introduced.

CHANGELOG.md updated

  • .github/workflows/publish-npm.yaml: The CHANGELOG should be updated to reflect the upgrade of the actions/upload-artifact action from v4 to v6.

Markdown files follow CommonMark

  • No markdown files modified in this PR.

Security

No hardcoded credentials

  • No credentials present.

Input validation implemented

  • N/A - No user input handling.

Proper error handling

  • N/A - GitHub Actions handles errors at the workflow level.

No sensitive data in logs

  • No sensitive data exposure.

No license files (.lic) or AQAAAD strings

  • No license files or suspicious strings detected.

Summary

Overall Assessment: ✅ APPROVED with minor suggestion

This is a clean, straightforward dependency update that upgrades the GitHub Actions upload-artifact action from v4 to v6. The changes are minimal, safe, and follow best practices for keeping dependencies current.

Required Action:

  • Update CHANGELOG.md to document this infrastructure change (e.g., "Updated GitHub Actions upload-artifact from v4 to v6")

Notes:

  • The jump from v4 to v6 is correct (v5 exists but v6 is the current major version)
  • No breaking changes expected in the workflow behavior
  • The artifact upload functionality remains the same with improved performance and bug fixes in v6

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

Code Review Analysis

Review Results

Code Quality

Code follows style guide - The changes are minimal dependency updates that don't involve code style

No commented-out code - No commented code in this diff

Meaningful variable names - N/A (no new variables)

DRY principle followed - N/A (no code duplication)

No defects identified - The change is a straightforward version bump of a GitHub Action from v4 to v6, which is consistent with the recent commit history showing this dependency update (e1d3733 Bump actions/upload-artifact from 4 to 6)

Project memory considerations - No .claude/CLAUDE.md file detected in the repository

Testing

⚠️ Testing considerations - While this is an infrastructure change (GitHub Actions workflow), there are no automated tests to verify the workflow behavior. However, this is acceptable for CI/CD configuration changes which are typically tested through actual workflow runs.

  • No unit tests needed for workflow configuration
  • Integration testing will occur naturally when the workflow runs
  • Edge cases: N/A for version bumps
  • Test coverage: N/A for YAML configuration

Documentation

CHANGELOG.md not updated - The dependency update from actions/upload-artifact@v4 to v6 should be documented in CHANGELOG.md (.github/workflows/publish-npm.yaml:47, 54)

README update not needed - This is an internal workflow change that doesn't affect user-facing functionality

API docs not needed - No API changes

Inline comments not needed - The YAML is self-explanatory

⚠️ Markdown formatting - Unable to verify without seeing the full CHANGELOG.md, but it should be updated to document this change

Security

No hardcoded credentials - None present

Input validation - N/A for workflow configuration

Proper error handling - GitHub Actions handles errors at the platform level

No sensitive data in logs - None present

No license files or AQAAAD strings - None detected in the diff


Summary

Approval Status: ✅ Approved with minor suggestion

This is a clean dependency update that bumps the actions/upload-artifact GitHub Action from v4 to v6. The change is consistent with modern best practices and matches the recent commit history.

Required Action:

  • Update CHANGELOG.md to document this infrastructure dependency update

Files Affected:

  • .github/workflows/publish-npm.yaml:47 - grpc package upload
  • .github/workflows/publish-npm.yaml:54 - grpc-web package upload

The change is low-risk and improves the CI/CD pipeline by using the latest version of the upload-artifact action, which likely includes performance improvements and bug fixes.

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

Code Review Analysis

Code Quality

✅ Code follows style guide

The changes are minimal dependency updates that don't involve any code style issues. The YAML formatting is correct and consistent.

✅ No commented-out code

No commented-out code present in the diff.

✅ Meaningful variable names

All variable/parameter names in the workflow are clear and descriptive (name, path, retention-days).

✅ DRY principle followed

The pattern is repeated twice (grpc and grpc-web uploads) which is acceptable given these are distinct artifacts with different configurations.

✅ No defects identified

The version bump from v4 to v6 of actions/upload-artifact is a straightforward dependency update. This is a standard GitHub Actions update that improves performance and functionality. No logic errors, edge cases, race conditions, or security vulnerabilities introduced.

⚠️ Project memory configuration

No ./.claude/CLAUDE.md file was found in the repository to evaluate against.


Testing

⚠️ Testing considerations

File: .github/workflows/publish-npm.yaml

This is a GitHub Actions workflow configuration change, not application code. Testing considerations:

  • Workflow validation: The workflow syntax is valid YAML
  • Action compatibility: actions/upload-artifact@v6 is a stable, officially maintained action
  • Existing workflow tests: This change should be validated by running the workflow in a test environment or monitoring the next actual run

Note: Traditional unit/integration test requirements don't apply to workflow configuration files. The "test" is the successful execution of the workflow itself.


Documentation

✅ README update not required

This is an internal dependency update that doesn't affect the public API or user-facing functionality.

✅ API docs update not required

No API changes in this diff.

✅ Inline comments appropriate

GitHub Actions workflows typically don't require inline comments for standard action usage. The name fields provide sufficient context.

❌ CHANGELOG.md not updated

Issue: .github/workflows/publish-npm.yaml:47,54

While this is a minor infrastructure change, it should be documented in CHANGELOG.md under an "Infrastructure" or "CI/CD" section, especially since it's a major version bump (v4→v6) of a critical action used in the publishing workflow.

Recommendation:

### Infrastructure
- Updated `actions/upload-artifact` from v4 to v6 in publish workflow

ℹ️ Markdown formatting

No markdown files modified in this diff.


Security

✅ No hardcoded credentials

No credentials present in the diff.

✅ Input validation not applicable

This is configuration, not code with user inputs.

✅ Proper error handling

GitHub Actions handles errors at the workflow level. No custom error handling needed.

✅ No sensitive data in logs

The artifact uploads contain package files only (.tgz files), which are intended for publication.

✅ No license files (.lic) or AQAAAD strings

No license files or suspicious encoded strings detected in the diff.


Summary

Approval Status: Approved with minor recommendation

This is a clean dependency update with one minor documentation gap. The workflow change is safe and follows best practices.

Required Action:

  • Update CHANGELOG.md to document the infrastructure change

No blockers identified - this PR can be merged after the changelog update.

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

I'll proceed with the review based on the diff provided and standard best practices.


Code Review

PR Summary: Updates actions/upload-artifact from v4 to v6 in .github/workflows/publish-npm.yaml.


Code Quality

  • Style guide — Minimal change; no style concerns introduced.

  • No commented-out code — None present.

  • Meaningful variable names — N/A for this change.

  • DRY principle — N/A for this change.

  • ⚠️ Defects / Logic errors — Skipping v5 and going directly to v6 is intentional per the actions/upload-artifact releases, as v5 and v6 are both available but v6 is current. However, note that actions/upload-artifact@v6 was not an official release as of the assistant's knowledge cutoff (August 2025) — latest stable was v4. This should be verified to ensure v6 actually exists and is stable before merging.

    • .github/workflows/publish-npm.yaml lines 47 and 54

Testing

  • Unit/integration tests — Not applicable; this is a CI workflow change only.

Documentation

  • README — No changes needed.
  • API docs — No changes needed.
  • Inline comments — No complex logic introduced.
  • CHANGELOG.md — Not updated. Dependency/workflow updates typically warrant a changelog entry.

Security

  • No hardcoded credentials — None present.
  • Input validation — N/A.
  • Error handling — N/A.
  • No sensitive data in logs — N/A.
  • No license files — None present.

Summary

| Category | Status |
| --- | --- |
| Code Quality | ⚠️ Verify v6 exists |
| Testing | ✅ N/A |
| Documentation | ❌ CHANGELOG missing |
| Security | ✅ Pass |

Action items:

  1. Verify that actions/upload-artifact@v6 is a published, stable release before merging.
  2. Add a CHANGELOG.md entry for this dependency bump.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

PR Code Review

File: .github/workflows/publish-npm.yaml
Change: Bumps actions/upload-artifact from v4 to v6 in two steps.


Code Quality

❌ Defect — Version mismatch between upload and download artifact actions

The PR updates actions/upload-artifact to v6 (lines 47, 54) but leaves actions/download-artifact at v4 (lines 72, 99) in the same workflow. The upload-artifact@v6 action changed the internal artifact storage format; download-artifact@v4 is not compatible with artifacts uploaded by v6. This will cause the publish-grpc and publish-grpc-web jobs to fail at the download step when trying to consume artifacts produced by the build job.

Both download steps need to be bumped to actions/download-artifact@v6 to match:

  • .github/workflows/publish-npm.yaml:72 uses: actions/download-artifact@v4
  • .github/workflows/publish-npm.yaml:99 uses: actions/download-artifact@v4

✅ No commented-out code
✅ No DRY violations
✅ Meaningful names — no variable naming concerns in YAML workflow


Testing

✅ N/A — CI/CD workflow change; no unit/integration tests apply.


Documentation

✅ CHANGELOG.md — No update required for a CI infrastructure-only change.
✅ No API or README changes needed.


Security

✅ No hardcoded credentials
✅ No sensitive data
✅ No license files


Summary

| Severity | Finding |
| --- | --- |
| Critical | actions/download-artifact still at v4 while upload-artifact is bumped to v6 — the workflow will break at the publish steps |

The fix is straightforward: update lines 72 and 99 to actions/download-artifact@v6.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

Code Review

PR Summary: Upgrades actions/upload-artifact from v4 to v6 in the publish-npm workflow.


Code Quality

✅ No commented-out code

✅ No DRY violations — The two upload steps are appropriately distinct.

❌ Defect: Version mismatch between upload-artifact and download-artifact

This is a breaking bug. The PR upgrades upload-artifact to v6 but leaves download-artifact at v4 in two places in the same file:

  • .github/workflows/publish-npm.yaml line 69: uses: actions/download-artifact@v4
  • .github/workflows/publish-npm.yaml line 87: uses: actions/download-artifact@v4

upload-artifact@v6 uses a different internal artifact storage API than v4. Artifacts uploaded with v6 cannot be downloaded with download-artifact@v4. This will cause the publish-grpc and publish-grpc-web jobs to fail at the download step, breaking the entire publish pipeline.

Both download-artifact references must also be bumped to v6.


Testing

✅ N/A — Workflow configuration change; no unit/integration tests apply.


Documentation

❌ CHANGELOG.md not updated — Dependency/tooling updates (even CI) are typically noted. No entry exists for this change in CHANGELOG.md.


Security

✅ No hardcoded credentials

✅ No sensitive data in logs

✅ No license files checked in


Summary

| Severity | Issue |
| --- | --- |
| Critical | download-artifact still at v4 — will break artifact download in publish-grpc and publish-grpc-web jobs |
| Minor | CHANGELOG.md not updated |

The PR is not ready to merge in its current state. The download-artifact action at lines 69 and 87 must be updated to @v6 to match.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 19, 2026 18:47
@github-actions

🤖 Claude Code Review


Code Review: actions/upload-artifact v4 → v6

Code Quality

✅ No commented-out code

✅ No hardcoded credentials or sensitive data

✅ Change is minimal and focused — only two lines changed, both consistent with each other.

⚠️ Version mismatch between upload and download artifact actions

The PR upgrades upload-artifact to v6, but download-artifact is already at v7 (lines 72 and 99 in publish-npm.yaml). These two actions are developed in tandem and their major versions typically indicate shared API compatibility. Having upload-artifact@v6 paired with download-artifact@v7 is an inconsistency worth validating. If download-artifact@v7 introduced breaking changes to the artifact storage format or API, this pairing could fail at runtime.

Recommendation: Either upgrade upload-artifact to v7 to match download-artifact@v7, or verify that cross-version compatibility is explicitly supported.

❌ Version skips v5 — The PR jumps from v4 to v6, skipping v5. This is unusual for a Dependabot PR. Verify this is intentional and that v5 never had a stable release or that v6 is the correct current version.


Testing

⚠️ No automated test for workflow correctness — GitHub Actions workflows are not unit-testable in the traditional sense. Manual validation that the artifact upload/download pipeline still works end-to-end after this change is advisable.


Documentation

✅ CHANGELOG.md — CI/workflow-only changes (no user-facing behavior) do not typically require a changelog entry. No issue here.

✅ No README or API doc changes required — this is an infrastructure-only change.


Security

✅ No hardcoded credentials

✅ No license files (.lic) or AQAAAD-prefixed strings

✅ Permissions are appropriately scoped — the workflow uses permissions: {} at the top level with specific per-job grants (contents: read, id-token: write), which is correct.


Summary

| Item | Status |
| --- | --- |
| Code style | |
| No commented-out code | |
| DRY / meaningful names | |
| Defects / logic errors | ⚠️ Version mismatch (upload@v6 / download@v7) |
| Version skip (v4→v6) | ⚠️ Verify v6 is correct latest |
| Tests | N/A |
| CHANGELOG updated | ✅ (not required) |
| Security | |

Primary concern: The upload-artifact@v6 / download-artifact@v7 version mismatch at .github/workflows/publish-npm.yaml:47,54 vs 72,99. This should be explicitly verified or resolved by aligning both to the same major version.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam merged commit f441b65 into main Feb 19, 2026
27 checks passed
@kernelsam kernelsam deleted the dependabot/github_actions/actions/upload-artifact-6 branch February 19, 2026 18:49
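
Added example (not code from this repository or from the actions project): the automated reviews in this thread cite different line numbers and versions for the artifact steps, so this script reads the `uses:` references straight from the workflow text, flags differing upload/download major versions for manual verification, and checks a self-hosted runner version against the 2.327.1 minimum given in the v6 release notes. The sample workflow, the function names and the runner version passed in are constructed for illustration.

```python
import re

# Minimum Actions Runner version stated in the v6.0.0 release notes in this thread.
V6_MIN_RUNNER = (2, 327, 1)

# Matches "uses: actions/upload-artifact@<ref>" and its download counterpart.
# Commented-out lines start with "#" and therefore never match.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?actions/(upload|download)-artifact@([^\s'\"#]+)"
)

# Constructed sample, not the repository's real publish-npm.yaml.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: self-hosted
    steps:
      - name: Upload grpc package
        uses: actions/upload-artifact@v6
        with: {name: grpc, path: grpc/*.tgz}
      - name: Upload grpc-web package
        uses: actions/upload-artifact@v6
        with: {name: grpc-web, path: grpc-web/*.tgz}
  publish-grpc:
    needs: build
    runs-on: self-hosted
    steps:
      - uses: actions/download-artifact@v4
        with: {name: grpc}
"""


def artifact_refs(text):
    """Return (line_no, kind, ref) for every upload/download-artifact step."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append((n, m.group(1), m.group(2)))
    return refs


def major_of(ref):
    """Major version of a tag such as v6 or v4.6.2; None for SHAs and branches."""
    m = re.fullmatch(r"v(\d{1,3})(?:\.\d+){0,2}", ref)
    return int(m.group(1)) if m else None


def review(text, runner_version=None):
    """Return findings a reviewer should resolve before merging the bump."""
    refs = artifact_refs(text)
    findings = []
    majors = {"upload": set(), "download": set()}
    for n, kind, ref in refs:
        major = major_of(ref)
        if major is None:
            findings.append(f"line {n}: {kind}-artifact@{ref} is not a vN tag; check it by hand")
        else:
            majors[kind].add(major)
    if majors["upload"] and majors["download"] and majors["upload"] != majors["download"]:
        where = ", ".join(f"{kind}@{ref} (line {n})" for n, kind, ref in refs)
        findings.append(f"upload/download major versions differ: {where}")
    if runner_version and 6 in majors["upload"]:
        have = tuple(int(part) for part in runner_version.split("."))
        if have < V6_MIN_RUNNER:
            findings.append(f"runner {runner_version} is older than 2.327.1, required by upload-artifact@v6")
    return findings


if __name__ == "__main__":
    for n, kind, ref in artifact_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {kind}-artifact@{ref}")
    for finding in review(SAMPLE_WORKFLOW, runner_version="2.325.0"):
        print("FINDING:", finding)
```

A "versions differ" finding is a prompt to check the two actions' release notes for compatibility; the script does not decide whether a given pairing works.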