Skip to content

Bump actions/download-artifact from 7 to 8 in /.github/actions/node-deploy-cdk#108

Merged
robdmoore merged 1 commit intomainfrom
dependabot/github_actions/dot-github/actions/node-deploy-cdk/actions/download-artifact-8
Apr 2, 2026
Merged

Bump actions/download-artifact from 7 to 8 in /.github/actions/node-deploy-cdk#108
robdmoore merged 1 commit intomainfrom
dependabot/github_actions/dot-github/actions/node-deploy-cdk/actions/download-artifact-8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 23, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps actions/download-artifact from 7 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 23, 2026
@dependabot
Bump actions/download-artifact in /.github/actions/node-deploy-cdk
f7cdaf4 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v7...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/dot-github/actions/node-deploy-cdk/actions/download-artifact-8 branch from 0eeb81e to f7cdaf4 Compare April 2, 2026 02:20
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 2, 2026

🛡️ SHA Pinned Actions Report

Found 52 issue(s) across 28 file(s) scanned.

File Issue
.github/workflows/zendesk_github_add_comment.yml actions/github-script@v8 is not pinned to a full length commit SHA.
.github/workflows/zendesk_github_close_issue.yml actions/github-script@v8 is not pinned to a full length commit SHA.
.github/workflows/zendesk_github_ticket_solved.yml actions/github-script@v8 is not pinned to a full length commit SHA.
.github/workflows/node-trusted-publish.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-trusted-publish.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-trusted-publish.yml JS-DevTools/npm-publish@v4 is not pinned to a full length commit SHA.
.github/workflows/node-publish-public.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-publish-public.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-publish-public.yml JS-DevTools/npm-publish@v4 is not pinned to a full length commit SHA.
.github/workflows/zendesk_github_ticket_commented.yml actions/github-script@v8 is not pinned to a full length commit SHA.
.github/workflows/node-build-zip.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-build-zip.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-build-zip.yml actions/upload-artifact@v7 is not pinned to a full length commit SHA.
.github/workflows/ensure-sha-pinned-actions.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/ensure-sha-pinned-actions.yml actions/github-script@v8 is not pinned to a full length commit SHA.
.github/workflows/node-build.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-build.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-build.yml actions/upload-artifact@v7 is not pinned to a full length commit SHA.
.github/workflows/node-pnpm-build-zip.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-pnpm-build-zip.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-pnpm-build-zip.yml actions/upload-artifact@v7 is not pinned to a full length commit SHA.
.github/workflows/node-ci.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-ci.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-ci.yml phoenix-actions/test-reporting@v15 is not pinned to a full length commit SHA.
.github/workflows/node-deploy-azure-web-app.yml actions/download-artifact@v8 is not pinned to a full length commit SHA.
.github/workflows/node-deploy-azure-web-app.yml azure/webapps-deploy@v3 is not pinned to a full length commit SHA.
.github/workflows/python-uv-ci.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/python-uv-ci.yml astral-sh/setup-uv@v7 is not pinned to a full length commit SHA.
.github/workflows/python-uv-ci.yml actions/upload-artifact@v7 is not pinned to a full length commit SHA.
.github/workflows/release-please.yml googleapis/release-please-action@v4 is not pinned to a full length commit SHA.
.github/workflows/release-please.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-publish-internal.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/node-publish-internal.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/workflows/node-publish-internal.yml JS-DevTools/npm-publish@v4 is not pinned to a full length commit SHA.
.github/workflows/python-uv-build-zip.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/workflows/python-uv-build-zip.yml astral-sh/setup-uv@v7 is not pinned to a full length commit SHA.
.github/workflows/python-uv-build-zip.yml actions/upload-artifact@v7 is not pinned to a full length commit SHA.
.github/actions/prepare-artifact/action.yml actions/download-artifact@v7 is not pinned to a full length commit SHA.
.github/actions/build-node/action.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/actions/build-node/action.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/actions/build-node/action.yml actions/upload-artifact@v6 is not pinned to a full length commit SHA.
.github/actions/node-deploy-cdk/action.yml actions/download-artifact@v8 is not pinned to a full length commit SHA.
.github/actions/node-deploy-cdk/action.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/actions/node-deploy-cdk/action.yml aws-actions/configure-aws-credentials@v5 is not pinned to a full length commit SHA.
.github/actions/node-deploy-cdk/action.yml aws-actions/configure-aws-credentials@v5 is not pinned to a full length commit SHA.
.github/actions/build-node-zip/action.yml actions/checkout@v6 is not pinned to a full length commit SHA.
.github/actions/build-node-zip/action.yml actions/setup-node@v6 is not pinned to a full length commit SHA.
.github/actions/build-node-zip/action.yml actions/upload-artifact@v6 is not pinned to a full length commit SHA.
.github/actions/build-docker/action.yml docker/setup-buildx-action@v3 is not pinned to a full length commit SHA.
.github/actions/build-docker/action.yml actions/upload-artifact@v6 is not pinned to a full length commit SHA.
.github/actions/deploy-bicep/action.yml azure/bicep-deploy@v2 is not pinned to a full length commit SHA.
.github/actions/deploy-bicep/action.yml azure/bicep-deploy@v2 is not pinned to a full length commit SHA.

@robdmoore robdmoore merged commit 921821b into main Apr 2, 2026
1 check passed
@robdmoore robdmoore deleted the dependabot/github_actions/dot-github/actions/node-deploy-cdk/actions/download-artifact-8 branch April 2, 2026 02:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robdmoore robdmoore robdmoore approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@robdmoore