Update GitHub Actions dependencies (major) #5602

Open
renovate[bot] wants to merge 1 commit into master from renovate/major-github-actions-dependencies
@renovate renovate Bot commented May 6, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                       Type    Update  Change              Pending
actions/checkout              action  major   v5.0.0 → v6.0.2
actions/checkout              action  major   v4 → v6
actions/stale                 action  major   v9 → v10
actions/upload-artifact       action  major   v4 → v7
slackapi/slack-github-action  action  major   v1.26.0 → v3.0.2    v3.0.3

Release Notes

actions/checkout (actions/checkout)

v6.0.2

v6.0.1

v6.0.0

v6

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

actions/stale (actions/stale)

v10.2.0

v10.1.1

What's Changed

Bug Fix
Improvement
Dependency Upgrades

New Contributors

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

What's Changed

New Contributors

Full Changelog: actions/stale@v10...v10.1.0

v10.0.0

What's Changed

Breaking Changes
Enhancement
Dependency Upgrades
Documentation changes

New Contributors

Full Changelog: actions/stale@v9...v10.0.0

v10

v9.1.0

What's Changed

New Contributors

Full Changelog: actions/stale@v9...v9.1.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

v6

v6.0.0

v5

v5.0.0

v4.6.2

What's Changed

  • Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @salmanmkc in #685

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

v4.4.3

What's Changed

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

What's Changed

  • Bump @actions/artifact to 2.1.11 by @robherley in #627
    • Includes fix for relative symlinks not resolving properly

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

v4.4.0

Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the upload-artifact action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, include-hidden-files, to continue to do so.

See "Notice of upcoming deprecations and breaking changes in GitHub Actions runners" changelog and this issue for more details.

What's Changed

Full Changelog: actions/upload-artifact@v4.3.6...v4.4.0

v4.3.6

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.3.6

v4.3.5

What's Changed

Full Changelog: actions/upload-artifact@v4.3.4...v4.3.5

v4.3.4

What's Changed

Full Changelog: actions/upload-artifact@v4.3.3...v4.3.4

v4.3.3

What's Changed

Full Changelog: actions/upload-artifact@v4.3.2...v4.3.3

v4.3.2

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.3.1...v4.3.2

v4.3.1

v4.3.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.3.0

v4.2.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.2.0

v4.1.0

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.1.0

slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.2: Slack GitHub Action v3.0.2

Patch Changes
  • 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

v3.0.1: Slack GitHub Action v3.0.1

What's Changed

Alongside the breaking changes of @v3.0.0 and a new technique to run Slack CLI commands, we tried the wrong name to publish to the GitHub Marketplace 🐙 This action is now noted as The Slack GitHub Action in listings 🎶 ✨

🎨 Maintenance

Full Changelog: slackapi/slack-github-action@v3.0.0...v3.0.1

v3

v3.0

v3.0.0: Slack GitHub Action v3.0.0

The @v3.0.0 release had a hiccup on publish and we recommend using @v3.0.1 or a more recent version when updating! Oops!

🎽 Running Slack CLI commands and the active Node runtime, both included in this release 👟 ✨

⚠️ Breaking change: Node.js 24 the runtime

This major version updates the GitHub Actions required runtime to Node.js 24. Most GitHub-hosted runners already include this, but self-hosted runners may need to be updated ahead of planned deprecations of Node 20 on GitHub Actions runners.

📺 Enhancement: Run Slack CLI commands

This release introduces a new technique for running Slack CLI commands directly in GitHub Actions workflows. Use this to install the latest version (or a specific one) of the CLI and execute commands like deploy for merges to main, manifest validate with tests, and other commands.

Gather a token using the following CLI command to store with repo secrets, then get started with an example below:

$ slack auth token

🧪 Validate an app manifest on pull requests

Check that your app manifest is valid before merging changes:

🔗 https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest

- name: Validate the manifest
  uses: slackapi/slack-github-action/cli@v3.0.0
  with:
    command: "manifest validate --app ${{ vars.SLACK_APP_ID }}"
    token: ${{ secrets.SLACK_SERVICE_TOKEN }}

🚀 Deploy your app on push to main

Automate deployments whenever changes land on your main branch:

🔗 https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app

- name: Deploy the app
  uses: slackapi/slack-github-action/cli@v3.0.0
  with:
    command: "deploy --app ${{ vars.SLACK_APP_ID }} --force"
    token: ${{ secrets.SLACK_SERVICE_TOKEN }}

Any Slack CLI command can be passed through the command option without the "slack" prefix 🍀

The token input accepts a service token for authentication. You can gather this token by running slack auth token with the Slack CLI and storing the value as a repository secret.

The latest Slack CLI version is used by default, but a specific one can be set with the version input.


🏆 Huge thanks to @ewanek1 for explorations and prototypes toward the scripted CLI technique!

For full documentation on the CLI technique, check out the docs and explore the related pages 📚

What's Changed

👾 Enhancements
📚 Documentation
🧰 Maintenance
🎁 Dependencies

👋 New Contributors

Full Changelog: slackapi/slack-github-action@v2.1.1...v3.0.0

v2.1.1: Slack Send v2.1.1

What's Changed

This release fixes an issue where substituted variables might've broken valid JSON or YAML parsings when using the payload-file-path input option.

🐛 Bug fixes
  • fix: parse provided payloads before replacing templated variables in #449 - Thanks @zimeg!
📚 Documentation
🤖 Dependencies
🧰 Maintenance

Full Changelog: slackapi/slack-github-action@v2.1.0...v2.1.1

v2.1.0: Slack Send v2.1.0

What's changed

This release improves error messages from odd payload parsings. An api option is now also available in inputs to change the destination of data with the method technique.

Read more on the new site for documentation: https://tools.slack.dev/slack-github-action/

👾 Enhancements
  • feat: include an 'api' option to customize the slack api method url in #409 - Thanks @zimeg!
🐛 Bug fixes
  • fix: avoid erroring if conflicting techniques are set from environment variables in #374 - Thanks @zimeg!
  • fix: require a custom 'api' url to send to instead of absolute urls as a 'method' in #420 - Thanks @zimeg!
  • fix: include cause of parsing errors in action output logs in #431 - Thanks @zimeg!
📚 Documentation

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • "before 6am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 6, 2026
@renovate renovate Bot requested a review from a team May 6, 2026 08:54
hashicorp-vault-sonar-prod Bot commented May 6, 2026

Renovate Jira issue ID: SONARJAVA-6353

sonar-review-alpha Bot commented May 6, 2026

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR bumps several major versions of GitHub Actions dependencies:

  • actions/checkout: v5.0.0 → v6.0.2 (also v4 → v6 in one file)
  • actions/upload-artifact: v4 → v7
  • actions/stale: v9 → v10
  • slackapi/slack-github-action: v1.26.0 → v3.0.2

All action references now use pinned commit hashes alongside version tags for reproducibility. The changes are applied consistently across 6 workflow files and 1 composite action.

What reviewers should know

Starting points:

  • Most changes cluster in .github/workflows/build.yml (checkout v5→v6 in 9 places)
  • Slack action and stale action get their major bumps in separate workflows
  • Composite action .github/actions/upload-actual/action.yml also updated for upload-artifact

Things to verify:

  • Compatibility: Check release notes for breaking changes in v3 of slack-github-action and v7 of upload-artifact (may have new required inputs or behavior changes)
  • Behavior: Confirm any action-specific config parameters are still compatible with new versions (especially for stale action which may have new defaults)
  • Build stability: These are production workflows—watch for any integration issues after merge

Non-obvious details:

  • The checkout bumps span from v5.0.0→v6.0.2, so review v6.0.0 and v6.0.1 changes too (not just the final patch)
  • All pinned hashes are present, reducing supply-chain risk for major version updates

sonarqube-next Bot commented May 6, 2026

@sonar-review-alpha sonar-review-alpha Bot left a comment

Clean update overall — all nine actions/checkout references migrate to the same pinned hash consistently, and there are no missed occurrences of the old action versions anywhere in .github/. The one thing worth confirming before merge is the Slack action upgrade.

Comment on lines +40 to 43
uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
env:
SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
with:
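
Review bot: on the `uses:` line, the runner resolves the 40-character SHA and the trailing `# v3.0.2` is only a comment, so nothing in the workflow checks that the two agree. Confirm that 03ea5433c137af7c0495bc0cad1af10403fc800c is the commit the v3.0.2 tag points to in slackapi/slack-github-action before approving. The `with:` block is cut off in this excerpt, so the inputs passed to the new major version cannot be reviewed from these lines and should be checked in the full file.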

The jump from v1.26.0 to v3.0.2 crosses a major rewrite (v2) that changed the action's input API. In v2+, the recommended approach moved to an explicit method/payload model. Whether slack-message + SLACK_BOT_TOKEN env var are still accepted in v3 needs to be verified.

GitHub Actions silently ignores unrecognised inputs, so if slack-message was dropped, this step would run, appear successful in the log, and send nothing — invisible until an actual pipeline failure reveals it.

Please test this against a real failure or check the v3 action README to confirm the shorthand inputs are still supported. If they're not, the fix is to switch to the payload input:

uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
env:
  SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
with:
  method: chat.postMessage
  token: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
  payload: |
    {
      "channel": "squad-jvm-notifs",
      "text": "Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/SonarSource/sonar-java/actions/workflows/dogfood.yml"
    }
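
The review comments above state that every action reference is pinned to a commit hash with the version tag in a trailing comment, and that no old references were missed. As an added example (not part of this PR or of any bot's output), this Python check audits workflow text for those two properties; the sample workflow and the `SHA_A`/`SHA_B` values are constructed placeholders, and only the slack-github-action SHA is taken from this page.

```python
import re

# A step's `uses:` value plus an optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Return (line_no, action, ref, verdict) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith(("./", "docker://")):
            findings.append((line_no, target, None, "local-or-docker"))
            continue
        action, _, ref = target.partition("@")
        if not ref:
            verdict = "missing-ref"
        elif FULL_SHA_RE.match(ref):
            verdict = "pinned" if comment else "pinned-no-version-comment"
        else:
            verdict = "mutable-ref"  # tag or branch: can be moved upstream
        findings.append((line_no, action, ref or None, verdict))
    return findings

def unpinned(workflow_text):
    return [f for f in audit_uses(workflow_text) if f[3] in ("mutable-ref", "missing-ref")]

def inconsistent_pins(workflow_text):
    """Actions pinned to more than one SHA (a missed occurrence after a bump)."""
    seen = {}
    for _, action, ref, verdict in audit_uses(workflow_text):
        if verdict.startswith("pinned"):
            seen.setdefault(action, set()).add(ref)
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}

# Constructed sample workflow; SHA_A and SHA_B are placeholders, not real commits.
SHA_A, SHA_B = "1" * 40, "2" * 40
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{SHA_A} # v6.0.2
      - uses: actions/checkout@{SHA_B} # v6.0.2
      - uses: actions/upload-artifact@v4
      - name: Notify
        uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
      - uses: ./.github/actions/upload-actual
"""
```

Running `unpinned` and `inconsistent_pins` over each file under `.github/` gives a repeatable form of the "no missed occurrences" check; it does not verify that a SHA actually corresponds to the tag named in its comment.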