chore(deps): update github actions by renovate[bot] · Pull Request #91 · CopilotKit/pathfinder

renovate · 2026-05-27T14:23:11Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/configure-pages	action	major	`v4` → `v6`
actions/download-artifact	action	major	`v4` → `v8`
actions/github-script	action	major	`v7.1.0` → `v9.0.0`
dependabot/fetch-metadata	action	major	`v2.5.0` → `v3.1.0`
docker/login-action	action	major	`v3` → `v4`
node	uses-with	major	`22` → `24`

Release Notes

actions/configure-pages (actions/configure-pages)

`v6.0.0`

Compare Source

Changelog

upgrade to node 24 @salmanmkc (#186)
Upgrade IA Publish @Jcambass (#165)
Add workflow file for publishing releases to immutable action package @Jcambass (#163)
pin draft release version @YiMysty (#162)
Bump espree from 9.6.1 to 10.1.0 @dependabot (#160)
Bump eslint-config-prettier from 8.8.0 to 9.1.0 @dependabot (#143)
Be more friendly to Dependabot @yoannchaudet (#158)
Bump eslint-plugin-github from 4.10.2 to 5.0.1 @dependabot (#154)
Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @dependabot (#156)
Bump undici from 5.28.3 to 5.28.4 @dependabot (#145)

See details of all code changes since previous release.

`v6`

Compare Source

`v5.0.0`

Compare Source

Breaking Changes

⚠️ This version contains breaking changes! ⚠️

When using the input param static_site_generator: next:
- Added support for Next.js >= 13.3.0
- Consequently, also dropped support for Next.js < 13.3.0

Full Changelog

Attempt to auto-detect configuration files with varying file extensions @JamesMGreene (#139)
Convert errors into Actions-compatible logging with annotations @JamesMGreene (#138)
Bump @actions/github from 5.1.1 to 6.0.0 @dependabot (#123)
Bump the non-breaking-changes group with 2 updates @dependabot (#136)
Update the Next.js configuration for v14 @JamesMGreene (#137)
Bump the non-breaking-changes group with 3 updates @dependabot (#132)
Bump release-drafter/release-drafter from 5 to 6 @dependabot (#133)
Bump github/codeql-action from 2 to 3 @dependabot (#127)
Bump actions/checkout from 3 to 4 @dependabot (#120)
Bump actions/setup-node from 3 to 4 @dependabot (#118)
Bump the non-breaking-changes group with 1 update @dependabot (#131)
Update Dependabot config to group non-breaking changes @JamesMGreene (#130)

See details of all code changes since previous release.

`v5`

Compare Source

actions/download-artifact (actions/download-artifact)

`v8.0.1`

Compare Source

What's Changed

Support for CJK characters in the artifact name by @danwkennedy in #471
Add a regression test for artifact name + content-type mismatches by @danwkennedy in #472

Full Changelog: actions/download-artifact@v8...v8.0.1

`v8.0.0`

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Don't attempt to un-zip non-zipped downloads by @danwkennedy in #460
Add a setting to specify what to do on hash mismatch and default it to error by @danwkennedy in #461

Full Changelog: actions/download-artifact@v7...v8.0.0

`v8`

Compare Source

`v7.0.0`

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Update GHES guidance to include reference to Node 20 version by @patrikpolyak in #440
Download Artifact Node24 support by @salmanmkc in #415
fix: update @actions/artifact to fix Node.js 24 punycode deprecation by @salmanmkc in #451
prepare release v7.0.0 for Node.js 24 support by @salmanmkc in #452

New Contributors

@patrikpolyak made their first contribution in #440
@salmanmkc made their first contribution in #415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

`v7`

Compare Source

`v6.0.0`

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

Update README for download-artifact v5 changes by @yacaovsnc in #417
Update README with artifact extraction details by @yacaovsnc in #424
Readme: spell out the first use of GHES by @danwkennedy in #431
Bump @actions/artifact to v4.0.0
Prepare v6.0.0 by @danwkennedy in #438

New Contributors

@danwkennedy made their first contribution in #431

Full Changelog: actions/download-artifact@v5...v6.0.0

`v6`

Compare Source

`v5.0.0`

Compare Source

What's Changed

Update README.md by @nebuk89 in #407
BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @GrantBirki in #416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

By name: name: my-artifact → extracted to path/ (direct)
By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

By name: name: my-artifact → extracted to path/ (unchanged)
By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

You download artifacts by name
You download multiple artifacts by ID
You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist

### Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

New Contributors

@nebuk89 made their first contribution in #407

Full Changelog: actions/download-artifact@v4...v5.0.0

`v5`

Compare Source

`v4.3.0`

Compare Source

What's Changed

feat: implement new artifact-ids input by @GrantBirki in #401
Fix workflow example for downloading by artifact ID by @joshmgross in #402
Prep for v4.3.0 release by @robherley in #404

New Contributors

@GrantBirki made their first contribution in #401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

`v4.2.1`

Compare Source

What's Changed

Add unit tests by @GhadimiR in #392
Fix bug introduced in 4.2.0 by @GhadimiR in #391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

`v4.2.0`

Compare Source

What's Changed

Update README.md by @lkfortuna in #384
Bump artifact version, do digest check by @GhadimiR in #383

New Contributors

@lkfortuna made their first contribution in #384
@GhadimiR made their first contribution in #383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

`v4.1.9`

Compare Source

What's Changed

Add workflow file for publishing releases to immutable action package by @Jcambass in #354
docs: small migration fix by @froblesmartin in #370
Update MIGRATION.md by @andyfeller in #372
Update artifact package to 2.2.2 by @yacaovsnc in #380

New Contributors

@Jcambass made their first contribution in #354
@froblesmartin made their first contribution in #370
@andyfeller made their first contribution in #372
@yacaovsnc made their first contribution in #380

Full Changelog: actions/download-artifact@v4.1.8...v4.1.9

`v4.1.8`

Compare Source

What's Changed

Update @actions/artifact version, bump dependencies by @robherley in #341

Full Changelog: actions/download-artifact@v4.1.7...v4.1.8

What's Changed

updating @actions/artifact dependency to v2.1.6 by @eggyhead in #324

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

`v4.1.5`

Compare Source

What's Changed

Update readme with v3/v2/v1 deprecation notice by @robherley in #322
Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

`v4.1.4`

Compare Source

What's Changed

Update @actions/artifact by @bethanyj28 in #307

Full Changelog: actions/download-artifact@v4...v4.1.4

`v4.1.3`

Compare Source

What's Changed

Update release-new-action-version.yml by @konradpabjan in #292
Update toolkit dependency with updated unzip logic by @bethanyj28 in #299
Update @actions/artifact by @bethanyj28 in #303

New Contributors

@bethanyj28 made their first contribution in #299

Full Changelog: actions/download-artifact@v4...v4.1.3

`v4.1.2`

Compare Source

Bump @actions/artifacts to latest version to include updated GHES host check

`v4.1.1`

Compare Source

Fix transient request timeouts #249
Bump @actions/artifacts to latest version

`v4.1.0`

Compare Source

What's Changed

Some cleanup by @robherley in #247
Fix default for run-id by @stchr in #252
Support pattern matching to filter artifacts & merge to same directory by @robherley in #259

New Contributors

@stchr made their first contribution in #252

Full Changelog: actions/download-artifact@v4...v4.1.0

actions/github-script (actions/github-script)

`v9.0.0`

Compare Source

New features:

getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

Add ACTIONS_ORCHESTRATION_ID to user-agent string by @Copilot in #695
ci: use deployment: false for integration test environments by @salmanmkc in #712
feat!: add getOctokit to script context, upgrade @actions/github v9, @octokit/core v7, and related packages by @salmanmkc in #700

New Contributors

@Copilot made their first contribution in #695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

`v9`

Compare Source

`v8.0.0`

Compare Source

`v8`: .0.0

Compare Source

What's Changed

Update Node.js version support to 24.x by @salmanmkc in #637
README for updating actions/github-script from v7 to v8 by @sneha-krip in #653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

@salmanmkc made their first contribution in #637
@sneha-krip made their first contribution in #653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

dependabot/fetch-metadata (dependabot/fetch-metadata)

`v3.1.0`

Compare Source

What's Changed

Add permissions to all workflows by @truggeri in #687
build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @dependabot[bot] in #690
build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @dependabot[bot] in #693
build(deps-dev): bump @hono/node-server from 1.19.10 to 1.19.13 by @dependabot[bot] in #694
build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @dependabot[bot] in #695
Dynamically update the tracking tag in action by @truggeri in #696
fix: handle duplicate dependency names in parseMetadataLinks by @devantler in #700
fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @devantler in #698
Updates to README for permissions clarification by @truggeri in #697
fix: resolve update-type null for Python, Composer, and Terraform PRs by @vitorsdcs in #704
build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @dependabot[bot] in #703
build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @dependabot[bot] in #701
build(deps): bump @actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @dependabot[bot] in #702
build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @dependabot[bot] in #705
v3.1.0 by @fetch-metadata-action-automation[bot] in #692

New Contributors

@devantler made their first contribution in #700
@vitorsdcs made their first contribution in #704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

`v3.0.0`

Compare Source

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

feat: Parse versions from metadata links by @ppkarwasz in #632
Upgrade actions core and actions github packages by @truggeri in #649
docs: Add notes for using alert-lookup with App Token by @sue445 in #656
feat!: update Node.js version to v24 by @sturman in #671
Switch build tooling from ncc to esbuild by @truggeri in #676
Add --legal-comments=none to esbuild build commands by @jeffwidman in #679
Bump tsconfig target from es2022 to es2024 by @jeffwidman in #680
Remove vestigial outDir from tsconfig.json by @jeffwidman in #681
Switch tsconfig module resolution to bundler by @jeffwidman in #682
Remove skipLibCheck from tsconfig.json by @jeffwidman in #683
Add typecheck step to CI by @jeffwidman in #685
Enable noImplicitAny in tsconfig.json by @jeffwidman in #684
Upgrade @actions/core to ^3.0.0 by @truggeri in #677
Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 by @truggeri in #678
Bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in #651
Bump hono from 4.11.1 to 4.11.4 by @dependabot[bot] in #652
Bump hono from 4.11.4 to 4.11.7 by @dependabot[bot] in #653
Bump hono from 4.11.7 to 4.12.0 by @dependabot[bot] in #657
Bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in #655
Bump @modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @dependabot[bot] in #654
Bump @hono/node-server from 1.19.9 to 1.19.10 by @dependabot[bot] in #665
Bump hono from 4.12.2 to 4.12.5 by @dependabot[bot] in #664
Bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in #667
Bump hono from 4.12.5 to 4.12.7 by @dependabot[bot] in #668
Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @dependabot[bot] in #669
Bump flatted from 3.3.3 to 3.4.2 by @dependabot[bot] in #670
build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @dependabot[bot] in #674

New Contributors

@ppkarwasz made their first contribution in #632
@truggeri made their first contribution in #649
@sue445 made their first contribution in #656
@sturman made their first contribution in #671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

`v3`

Compare Source

docker/login-action (docker/login-action)

`v4.2.0`

Compare Source

Bump @actions/core from 3.0.0 to 3.0.1 in #976
Bump @aws-sdk/client-ecr and @aws-sdk/client-ecr-public to 3.1050.0 in #960
Bump @docker/actions-toolkit from 0.86.0 to 0.90.0 in #970
Bump brace-expansion from 2.0.1 to 5.0.6 in #993
Bump fast-xml-builder from 1.1.4 to 1.2.0 in #985
Bump fast-xml-parser from 5.3.6 to 5.8.0 in #963
Bump http-proxy-agent and https-proxy-agent to 9.0.0 in #961
Bump postcss from 8.5.6 to 8.5.10 in #979
Bump tar from 6.2.1 to 7.5.15 in #991
Bump vite from 7.3.1 to 7.3.3 in #986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

`v4.1.0`

Compare Source

Fix scoped Docker Hub cleanup path when registry is omitted by @crazy-max in #945
Bump @aws-sdk/client-ecr and @aws-sdk/client-ecr-public to 3.1020.0 in #930
Bump @docker/actions-toolkit from 0.77.0 to 0.86.0 in #932 #936
Bump brace-expansion from 1.1.12 to 1.1.13 in #952
Bump fast-xml-parser from 5.3.4 to 5.3.6 in #942
Bump flatted from 3.3.3 to 3.4.2 in #944
Bump glob from 10.3.12 to 10.5.0 in #940
Bump handlebars from 4.7.8 to 4.7.9 in #949
Bump http-proxy-agent and https-proxy-agent to 8.0.0 in #937
Bump lodash from 4.17.23 to 4.18.1 in #958
Bump minimatch from 3.1.2 to 3.1.5 in #941
Bump picomatch from 4.0.3 to 4.0.4 in #948
Bump undici from 6.23.0 to 6.24.1 in #938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

`v4.0.0`

Compare Source

Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @crazy-max in #929
Switch to ESM and update config/test wiring by @crazy-max in #927
Bump @actions/core from 1.11.1 to 3.0.0 in #919
Bump @aws-sdk/client-ecr from 3.890.0 to 3.1000.0 in #909 #920
Bump @aws-sdk/client-ecr-public from 3.890.0 to 3.1000.0 in #909 #920
Bump @docker/actions-toolkit from 0.63.0 to 0.77.0 in #910 #928
Bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in #921
Bump js-yaml from 4.1.0 to 4.1.1 in #901

Full Changelog: docker/login-action@v3.7.0...v4.0.0

`v4`

Compare Source

`v3.7.0`

Compare Source

Add scope input to set scopes for the authentication token by @crazy-max in #912
Add support for AWS European Sovereign Cloud ECR by @dphi in #914
Ensure passwords are redacted with registry-auth input by @crazy-max in #911
build(deps): bump lodash from 4.17.21 to 4.17.23 in #915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

`v3.6.0`

Compare Source

Add registry-auth input for raw authentication to registries by @crazy-max in #887
Bump @aws-sdk/client-ecr to 3.890.0 in #882 #890
Bump @aws-sdk/client-ecr-public to 3.890.0 in #882 #890
Bump @docker/actions-toolkit from 0.62.1 to 0.63.0 in #883
Bump brace-expansion from 1.1.11 to 1.1.12 in #880
Bump undici from 5.28.4 to 5.29.0 in #879
Bump tmp from 0.2.3 to 0.2.4 in #881