github-actions Update GitHub Actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	patch	v6.0.1 → v6.0.2
actions/download-artifact	action	minor	v4 → v4.3.0
actions/upload-artifact	action	minor	v4 → v4.6.2
oras-project/setup-oras	action	minor	v1 → v1.2.4
sigstore/cosign-installer	action	minor	v4.0.0 → v4.1.1
softprops/action-gh-release	action	minor	v2.5.0 → v2.6.1

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/download-artifact (actions/download-artifact)

v4.3.0

Compare Source

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in #​401
• Fix workflow example for downloading by artifact ID by @​joshmgross in #​402
• Prep for v4.3.0 release by @​robherley in #​404

New Contributors

• @​GrantBirki made their first contribution in #​401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

v4.2.1

Compare Source

What's Changed

• Add unit tests by @​GhadimiR in #​392
• Fix bug introduced in 4.2.0 by @​GhadimiR in #​391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

v4.2.0

Compare Source

What's Changed

• Update README.md by @​lkfortuna in #​384
• Bump artifact version, do digest check by @​GhadimiR in #​383

New Contributors

• @​lkfortuna made their first contribution in #​384
• @​GhadimiR made their first contribution in #​383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

v4.1.9

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​354
• docs: small migration fix by @​froblesmartin in #​370
• Update MIGRATION.md by @​andyfeller in #​372
• Update artifact package to 2.2.2 by @​yacaovsnc in #​380

New Contributors

• @​Jcambass made their first contribution in #​354
• @​froblesmartin made their first contribution in #​370
• @​andyfeller made their first contribution in #​372
• @​yacaovsnc made their first contribution in #​380

Full Changelog: actions/download-artifact@v4.1.8...v4.1.9

v4.1.8

Compare Source

What's Changed

• Update @​actions/artifact version, bump dependencies by @​robherley in #​341

Full Changelog: actions/download-artifact@v4.1.7...v4.1.8

v4.1.7

Compare Source

What's Changed

• Update @​actions/artifact dependency by @​bethanyj28 in #​325

Full Changelog: actions/download-artifact@v4.1.6...v4.1.7

v4.1.6

Compare Source

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in #​324

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

v4.1.5

Compare Source

What's Changed

• Update readme with v3/v2/v1 deprecation notice by @​robherley in #​322
• Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

v4.1.4

Compare Source

What's Changed

• Update @​actions/artifact by @​bethanyj28 in #​307

Full Changelog: actions/download-artifact@v4...v4.1.4

v4.1.3

Compare Source

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in #​292
• Update toolkit dependency with updated unzip logic by @​bethanyj28 in #​299
• Update @​actions/artifact by @​bethanyj28 in #​303

New Contributors

• @​bethanyj28 made their first contribution in #​299

Full Changelog: actions/download-artifact@v4...v4.1.3

v4.1.2

Compare Source

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.1.1

Compare Source

• Fix transient request timeouts #​249
• Bump @actions/artifacts to latest version

v4.1.0

Compare Source

What's Changed

• Some cleanup by @​robherley in #​247
• Fix default for run-id by @​stchr in #​252
• Support pattern matching to filter artifacts & merge to same directory by @​robherley in #​259

New Contributors

• @​stchr made their first contribution in #​252

Full Changelog: actions/download-artifact@v4...v4.1.0

actions/upload-artifact (actions/upload-artifact)

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in #​662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in #​578
• Add new artifact-digest output by @​bdehamer in #​656

New Contributors

• @​hamirmahal made their first contribution in #​578
• @​bdehamer made their first contribution in #​656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

v4.4.3

Compare Source

What's Changed

• Undo indirect dependency updates from #​627 by @​joshmgross in #​632

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

• Bump @actions/artifact to 2.1.11 by @​robherley in #​627
  • Includes fix for relative symlinks not resolving properly

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

• Add a section about hidden files by @​joshmgross in #​607
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​621
• Update @​actions/artifact to latest version, includes symlink and timeout fixes by @​robherley in #​625

New Contributors

• @​Jcambass made their first contribution in #​621

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

v4.4.0

Compare Source

Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the upload-artifact action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, include-hidden-files, to continue to do so.

See "Notice of upcoming deprecations and breaking changes in GitHub Actions runners" changelog and this issue for more details.

What's Changed

• Exclude hidden files by default by @​joshmgross in #​598

Full Changelog: actions/upload-artifact@v4.3.6...v4.4.0

v4.3.6

Compare Source

What's Changed

• Revert to @​actions/artifact 2.1.8 by @​robherley in #​594

Full Changelog: actions/upload-artifact@v4...v4.3.6

v4.3.5

Compare Source

What's Changed

• Bump @​actions/artifact to v2.1.9 by @​robherley in #​588
  • Fixed artifact upload chunk timeout logic #​1774
  • Use lazy stream to prevent issues with open file limits #​1771

Full Changelog: actions/upload-artifact@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Update @​actions/artifact version, bump dependencies by @​robherley in #​584

Full Changelog: actions/upload-artifact@v4.3.3...v4.3.4

v4.3.3

Compare Source

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in #​565

Full Changelog: actions/upload-artifact@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in #​516
• Minor fix to the migration readme by @​andrewakim in #​523
• Update readme with v3/v2/v1 deprecation notice by @​robherley in #​561
• updating @actions/artifact dependency to v2.1.5 and @actions/core to v1.0.1 by @​eggyhead in #​562

New Contributors

• @​andrewakim made their first contribution in #​523

Full Changelog: actions/upload-artifact@v4.3.1...v4.3.2

v4.3.1

Compare Source

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.3.0

Compare Source

What's Changed

• Reorganize upload code in prep for merge logic & add more tests by @​robherley in #​504
• Add sub-action to merge artifacts by @​robherley in #​505

Full Changelog: actions/upload-artifact@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Ability to overwrite an Artifact by @​robherley in #​501

Full Changelog: actions/upload-artifact@v4...v4.2.0

v4.1.0

Compare Source

What's Changed

• Add migrations docs by @​robherley in #​482
• Update README.md by @​samuelwine in #​492
• Support artifact-url output by @​konradpabjan in #​496
• Update readme to reflect new 500 artifact per job limit by @​robherley in #​497

New Contributors

• @​samuelwine made their first contribution in #​492

Full Changelog: actions/upload-artifact@v4...v4.1.0

oras-project/setup-oras (oras-project/setup-oras)

v1.2.4

Compare Source

Highlights

• Support oras v1.3.0

Other Changes

• Update dependencies

What's Changed

• chore(deps): Bump @​types/node from 22.15.2 to 22.15.17 by @​dependabot[bot] in #​97
• chore(deps): Bump @​types/node from 22.15.17 to 22.15.19 by @​dependabot[bot] in #​98
• chore(deps): Bump @​types/node from 22.15.19 to 22.15.21 by @​dependabot[bot] in #​99
• chore(deps): Bump @​types/node from 22.15.21 to 22.15.29 by @​dependabot[bot] in #​100
• chore(deps): Bump @​types/node from 22.15.29 to 22.15.30 by @​dependabot[bot] in #​101
• chore(deps): Bump @​types/node from 22.15.30 to 24.0.1 by @​dependabot[bot] in #​102
• chore(deps): Bump @​types/node from 24.0.1 to 24.0.3 by @​dependabot[bot] in #​103
• chore(deps): Bump @​types/node from 24.0.3 to 24.0.7 by @​dependabot[bot] in #​104
• chore(deps): Bump @​types/node from 24.0.7 to 24.0.13 by @​dependabot[bot] in #​106
• chore(deps): Bump @​types/node from 24.0.13 to 24.0.15 by @​dependabot[bot] in #​107
• chore(deps): Bump @​types/node from 24.0.15 to 24.1.0 by @​dependabot[bot] in #​108
• chore(deps): Bump typescript from 5.8.3 to 5.9.2 by @​dependabot[bot] in #​109
• chore(deps): Bump @​types/node from 24.1.0 to 24.2.1 by @​dependabot[bot] in #​110
• chore(deps): Bump @​types/node from 24.2.1 to 24.3.0 by @​dependabot[bot] in #​111
• chore(deps): Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​112
• chore(deps): Bump @​types/node from 24.3.0 to 24.3.1 by @​dependabot[bot] in #​113
• chore(deps): Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​114
• bump: add oras v1.3.0 to setup-oras by @​wangxiaoxuan273 in #​115

Full Changelog: oras-project/setup-oras@v1.2.3...v1.2.4

v1.2.3

Compare Source

Highlights

• Support oras v1.2.3

Other Changes

• Update dependencies

What's Changed

• chore(deps): Bump @​types/node from 22.10.7 to 22.10.10 by @​dependabot in #​79
• chore(deps): Bump @​types/node from 22.10.10 to 22.13.0 by @​dependabot in #​80
• chore(deps): Bump @​types/node from 22.13.0 to 22.13.1 by @​dependabot in #​81
• chore(deps): Bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by @​dependabot in #​82
• chore(deps): Bump @​types/node from 22.13.1 to 22.13.4 by @​dependabot in #​83
• chore(deps): Bump @​types/node from 22.13.4 to 22.13.5 by @​dependabot in #​84
• chore(deps): Bump @​types/node from 22.13.5 to 22.13.8 by @​dependabot in #​86
• chore(deps): Bump typescript from 5.7.3 to 5.8.2 by @​dependabot in #​85
• chore(deps): Bump @​types/node from 22.13.8 to 22.13.11 by @​dependabot in #​89
• docs: add Xiaoxuan Wang as a maintainer by @​shizhMSFT in #​87
• chore(deps): Bump @​types/node from 22.13.11 to 22.13.14 by @​dependabot in #​90
• chore(deps): Bump typescript from 5.8.2 to 5.8.3 by @​dependabot in #​91
• chore(deps): Bump @​types/node from 22.13.14 to 22.14.0 by @​dependabot in #​92
• chore(deps): Bump @​types/node from 22.14.0 to 22.14.1 by @​dependabot in #​93
• chore(deps): Bump @​types/node from 22.14.1 to 22.15.2 by @​dependabot in #​94
• bump: add oras v1.2.3 to setup-oras by @​wangxiaoxuan273 in #​95

Full Changelog: oras-project/setup-oras@v1.2.2...v1.2.3

v1.2.2

Compare Source

Highlights

• Support oras v1.2.1 and oras v1.2.2

Other Changes

• Update dependencies

What's Changed

• chore(deps): Bump @​types/node from 22.7.7 to 22.10.2 by @​dependabot in #​70
• chore(deps): Bump @​vercel/ncc from 0.38.2 to 0.38.3 by @​dependabot in #​66
• chore(deps): Bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in #​71
• chore(deps): Bump typescript from 5.6.3 to 5.7.2 by @​wangxiaoxuan273 in #​72
• chore(deps): Bump typescript from 5.7.2 to 5.7.3 by @​dependabot in #​73
• chore(deps): Bump @​types/node from 22.10.5 to 22.10.7 by @​dependabot in #​74
• chore(deps): bump @​actions/tool-cache from 2.0.1 to 2.0.2 by @​wangxiaoxuan273 in #​76
• bump: add oras v1.2.1, v1.2.2 to setup-oras by @​wangxiaoxuan273 in #​77

Full Changelog: oras-project/setup-oras@v1.2.1...v1.2.2

v1.2.1

Compare Source

Bug Fixes

• Fix: s390x architecture is not properly handled (#​57)

Other Changes

• Update dependencies

What's Changed

• build(ci): enable dependabot by @​qweeah in #​32
• chore(deps): Bump @​vercel/ncc from 0.36.1 to 0.38.1 by @​dependabot in #​38
• chore(deps): Bump actions/setup-node from 3 to 4 by @​dependabot in #​37
• chore(deps): Bump apache/skywalking-eyes from 0.4.0 to 0.6.0 by @​dependabot in #​34
• chore(deps): Bump actions/checkout from 3 to 4 by @​dependabot in #​36
• chore(deps): Bump @​types/node from 20.5.9 to 20.14.9 by @​dependabot in #​35
• build(ci): make dependabot run weekly by @​qweeah in #​40
• chore(deps): Bump by @​qweeah in #​41
• chore(deps): Bump @​types/node from 20.14.9 to 20.14.10 by @​dependabot in #​42
• chore: update README CLI docs website by @​t3hmrman in #​43
• chore(deps): Bump @​types/node from 20.14.10 to 20.14.11 by @​dependabot in #​44
• chore(deps): Bump @​types/node from 20.14.11 to 22.0.0 by @​dependabot in #​46
• chore(deps): Bump typescript from 5.5.3 to 5.5.4 by @​dependabot in #​45
• chore(deps): Bump @​types/node from 22.0.0 to 22.5.0 by @​dependabot in #​50
• chore(deps): Bump @​types/node from 22.5.0 to 22.5.2 by @​dependabot in #​51
• chore(deps): Bump @​types/node from 22.5.2 to 22.5.4 by @​dependabot in #​52
• chore(deps): Bump typescript from 5.5.4 to 5.6.2 by @​dependabot in #​54
• chore(deps): Bump @​types/node from 22.5.4 to 22.7.4 by @​dependabot in #​55
• chore(deps): Bump typescript from 5.6.2 to 5.6.3 by @​dependabot in #​60
• chore(deps): Bump @​types/node from 22.7.4 to 22.7.7 by @​dependabot in #​61
• fix: s390x architecture is not handled by @​mkulke in #​57
• chore(deps): bump @​actions/core and @​vercel/ncc by @​qweeah in #​62

New Contributors

• @​t3hmrman made their first contribution in #​43
• @​mkulke made their first contribution in #​57

Full Changelog: oras-project/setup-oras@v1.2.0...v1.2.1

v1.2.0

Compare Source

New Features

• Support oras v1.2.0
• Support installing custom versions of ORAS by specifying url for downloading and checksum for integration check

Other Changes

• Upgrade to Node 20

What's Changed

• bump: run with node20 by @​liangyuanpeng in #​25
• feat: support downloading from customized url by @​wangxiaoxuan273 in #​27
• bump: add oras v1.2.0 to setup-oras by @​wangxiaoxuan273 in #​28
• chore: update README to add an example by @​wangxiaoxuan273 in #​30

New Contributors

• @​liangyuanpeng made their first contribution in #​25

Full Changelog: oras-project/setup-oras@v1.1.0...v1.2.0

v1.1.0

Compare Source

New Features

• Re-implementation of setup-oras using TypeScript
• More secure oras CLI binary acquisition by verifying checksums
• Supporting more oras CLI versions: v1.0.1 and v1.1.0

What's Changed

• doc: update doc to use released tag v1 by @​qweeah in #​10
• chore: update icon on marketplace by @​qweeah in #​11
• fix broken logo link by @​FeynmanZhou in #​12
• docs: fix broken link in README by @​wangxiaoxuan273 in #​13
• doc: add SECURITY.md file by @​TerryHowe in #​16
• chore(deps): Bump semver from 6.3.0 to 6.3.1 by @​dependabot in #​15
• refactor: revamp setup action with typescript by @​qweeah in #​18
• chore: add 1.0.0 as a viable version by @​qweeah in #​20
• build: update major and minor tags update publishing by @​qweeah in #​22

New Contributors

• @​FeynmanZhou made their first contribution in #​12
• @​wangxiaoxuan273 made their first contribution in #​13
• @​TerryHowe made their first contribution in #​16
• @​dependabot made their first contribution in #​15

Full Changelog: oras-project/setup-oras@v1.0.0...v1.1.0

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.1

Compare Source

What's Changed

• chore: update default cosign-release to v3.0.5 in #​223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

• Bump cosign to 3.0.5 in #​220
• fix: add retry to curl downloads for transient network failures in #​210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

softprops/action-gh-release (softprops/action-gh-release)

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.