This repository was archived by the owner on Mar 26, 2026. It is now read-only.
Draft
8 changes: 4 additions & 4 deletions .github/workflows/build.yml
Expand Up @@ -16,7 +16,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
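Review bot: The version comment on the new checkout pin (line 19, "# v6") names only the major version, so a reader cannot tell which release de0fac2e4500dabe0009e67214ff5f5447ce83dd corresponds to. Record the exact release tag in the comment and confirm the SHA is a tagged commit in actions/checkout itself, since GitHub also resolves commit SHAs that exist only in a fork of the repository. The same applies to every checkout bump in this patch.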
Expand Down Expand Up @@ -81,7 +81,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload extension packages
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: extension-artifacts
path: dist/jupyterlab_deepnote*
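Review bot: The upload on line 84 matches a glob (dist/jupyterlab_deepnote*) and the visible inputs do not set if-no-files-found, which the action defaults to warn. If the build produces nothing, this step still passes and the failure only surfaces in the job that downloads extension-artifacts. Unless it is already set below the shown context, add if-no-files-found: error to this step.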
Expand All @@ -97,7 +97,7 @@ jobs:
with:
python-version: '3.9'
architecture: 'x64'
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: extension-artifacts
Comment on lines +100 to 102
Contributor


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/download-artifact v8 breaking changes from v6

💡 Result:

Breaking changes (and upgrade-impacting changes) when moving from actions/download-artifact@v6 → @v8:

  • Runner/runtime change (v7): @v7 runs on Node.js 24 by default (runs.using: node24) and requires Actions Runner ≥ 2.327.1 (notably affects self-hosted runners). In @v6, Node 24 support existed, but the action still defaulted to Node 20. [1] [2]
  • Hash/digest mismatch now fails the job (v8): @v8 changes the default behavior for a download digest/hash mismatch from warning → error (workflow fails). You can control this with the new digest-mismatch setting. [3]
  • Decompression behavior changed for “direct / non-zipped” artifact downloads (v8): @v8 no longer blindly unzips everything; it checks Content-Type and skips unzipping for non-zip downloads (added for “non-zipped artifacts” / direct uploads). There’s a new skip-decompress option to control this behavior. [3] [4]
  • Packaging change (v8): the action was migrated to ESM; this is intended to be transparent for normal usage, but forks/custom builds may need significant changes. [3]

Sources:
[1] actions/download-artifact v7.0.0 release notes (Node 24 default + runner minimum)
[2] actions/download-artifact v6.0.0 release notes (Node 24 support, but not default)
[3] actions/download-artifact v8.0.0 release notes (ESM, digest-mismatch default error, decompression changes)
[4] GitHub Changelog: non-zipped artifact upload/download support (requires download-artifact@v8 for that mode)


Address v6→v8 breaking changes in download-artifact.

v8 has significant breaking changes: artifact decompression behavior changed (now checks Content-Type instead of blindly unzipping), digest mismatches error by default instead of warn, and requires Actions Runner ≥ 2.327.1. Verify workflow doesn't rely on auto-decompression and test digest mismatch handling. Consider adding digest-mismatch and skip-decompress options if needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 100 - 102, The download-artifact
step using "actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"
needs updating for v8 breaking changes: verify the workflow does not rely on
automatic decompression for the artifact named "extension-artifacts" and, if it
does, add the skip-decompress option (skip-decompress: true) and handle
decompression explicitly; also decide how to handle digest mismatches by adding
the digest-mismatch option (e.g., digest-mismatch: warn or ignore) or update
test expectations to accept errors, and confirm the runner version meets the new
minimum (≥ 2.327.1) before switching to v8.

- name: Install and Test
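Review bot: For the download-artifact bump on line 100, prefer keeping the v8 default described in the comment above, where a digest mismatch fails the job, over setting digest-mismatch to warn or ignore. The artifact downloaded here is what the following Install and Test step consumes, so a mismatch means the bytes differ from what the upload job produced and the run should stop rather than continue with a warning.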
Expand Down Expand Up @@ -182,7 +182,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
- uses: jupyterlab/maintainer-tools/.github/actions/check-links@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
with:
4 changes: 2 additions & 2 deletions .github/workflows/check-release.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
Expand All @@ -39,7 +39,7 @@ jobs:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload Distributions
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
path: .jupyter_releaser_checkout/dist
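Review bot: The upload path on line 45 sits inside a dot-prefixed directory, so however hidden-file handling is settled for v7, keep path scoped to .jupyter_releaser_checkout/dist and do not widen it to the checkout root. With include-hidden-files: true a broader path would also sweep in dotfiles and dot-directories elsewhere in the workspace (for example .git), and the step just above this one runs with NODE_AUTH_TOKEN set from secrets.GITHUB_TOKEN.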
Comment on lines 41 to 45
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/upload-artifact v7 include-hidden-files dot directory behavior

💡 Result:

In actions/upload-artifact@v7, hidden (“dot”) files and directories are excluded by default—this behavior has been in place since upload-artifact@v4.4+. Hidden files are defined as any file starting with . or any file inside a directory starting with . (on Windows, the filesystem “hidden” attribute alone does not count unless the name starts with .). [1]

So if you set:

- uses: actions/upload-artifact@v7
  with:
    path: .

then anything under ./.something/... is skipped unless you explicitly enable:

include-hidden-files: true

With include-hidden-files: true, dotfiles/dot-directories under the provided path (including .) are included, and you can still exclude specific sensitive paths via negated patterns (e.g. !path/output/.production.env). [1]

Separately (not about dotfiles), v7 also introduced support for uploading non-zipped artifacts when archive: false is set. [2]

Sources:
[1] actions/upload-artifact README – “Uploading Hidden Files” / include-hidden-files input and definition of hidden files
[2] GitHub Changelog (2026-02-26) – non-zipped artifacts apply to actions/upload-artifact v7 with archive: false


🏁 Script executed:

# Check the workflow file to understand context
cat -n .github/workflows/check-release.yml | sed -n '35,50p'

Repository: deepnote/jupyterlab-deepnote

Length of output: 584


🌐 Web query:

actions/upload-artifact v7 if-no-files-found default value

💡 Result:

For actions/upload-artifact@v7, the if-no-files-found input defaults to warn (the step succeeds but prints a warning if no files match the path). Available values are warn, error, and ignore. [1]


Add include-hidden-files: true and if-no-files-found: error.

upload-artifact@v7 skips files in dot-prefixed directories by default, and if-no-files-found defaults to warn. This step uploads from .jupyter_releaser_checkout/dist, so it will silently pass without uploading anything.

Suggested fix
       - name: Upload Distributions
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
           path: .jupyter_releaser_checkout/dist
+          include-hidden-files: true
+          if-no-files-found: error
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check-release.yml around lines 41 - 45, The "Upload
Distributions" GitHub Action step using actions/upload-artifact (the step named
"Upload Distributions" / uses: actions/upload-artifact@...) must be updated to
include include-hidden-files: true and if-no-files-found: error so dot-prefixed
directories under .jupyter_releaser_checkout/dist are uploaded and the workflow
fails when no files are found; add those two inputs to the step configuration to
fix the silent no-op behavior.

12 changes: 6 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -23,7 +23,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

Expand All @@ -42,7 +42,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
Expand All @@ -66,7 +66,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
Expand All @@ -90,7 +90,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
Expand All @@ -113,7 +113,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1

Expand All @@ -128,7 +128,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Base Setup
uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1
4 changes: 2 additions & 2 deletions .github/workflows/publish-release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
Expand All @@ -38,7 +38,7 @@ jobs:

- uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1

- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
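Review bot: The create-github-app-token bump on line 41 is a major version change (v2 to v3) to the step that mints the app token in the publish workflow, and nothing in this change says whether the inputs passed under with: (app-id is the only one visible here) behave the same in v3. Check the v3 release notes against this step's inputs before merging, because a failure in this step only shows up when a release is being published.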
2 changes: 1 addition & 1 deletion .github/workflows/update-integration-tests.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
token: ${{ secrets.GITHUB_TOKEN }}
