
ci(#590): bump upload-artifact v4→v7 + codeql-action v3→v4 #593

Merged
atlas-apex merged 1 commit into dev from ci/GH-590-bump-artifact-codeql on Jun 9, 2026


Conversation

@atlas-apex (Collaborator)

Summary

Manual application of the two dependabot bumps that couldn't auto-land on dev:

  • actions/upload-artifact v4 → v7 — in extract-subpacks-on-release.yml, security-scan.yml, scorecard.yml.
  • github/codeql-action v3 → v4 — in codeql.yml (init + analyze) and scorecard.yml (upload-sarif).

Dependabot's #539/#541 were cut from main and conflict with dev's diverged workflow files, and dependabot can't target dev until the target-branch: dev config (merged in #588) reaches main via a release. This applies the same bumps directly to dev; #539 and #541 will be closed referencing this PR.

Testing

CI on this PR exercises the bumped actions: the CodeQL workflow runs codeql-action@v4 (init/analyze), and the upload-artifact steps run @v7 — green CI is the validation that the major bumps don't break the workflows.

Closes #590

Glossary

Major action bump: Upgrading a GitHub Action across a major version (possible breaking changes), validated by the PR's own CI run.
upload-sarif: The codeql-action step that uploads SARIF results (used by the OSSF scorecard workflow).
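A bump like this one is applied by hand across several workflow files, so the check a reviewer wants is that no file still references the old major. The script below is an added example, not part of this PR or the project: it extracts `uses:` references from workflow YAML, reports any action still below the expected major (`actions/upload-artifact` 7, `github/codeql-action` 4, as stated above), and additionally lists references that are mutable tags rather than 40-hex commit SHAs, which the PR does not discuss. The sample workflow text is constructed; the workflow directory path is an assumption.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample workflow in the shape of the files named in the PR.
# It is not the project's actual security-scan.yml.
SAMPLE_WORKFLOW = """\
name: security-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
      - uses: actions/upload-artifact@v7
        with:
          name: results
          path: out/
"""

# Minimum major version each action should be on after the bump.
EXPECTED_MAJOR: Dict[str, int] = {
    "actions/upload-artifact": 7,
    "github/codeql-action": 4,
}

# Matches "uses: owner/repo[/subpath]@ref"; group 1 is owner/repo, group 3 the ref.
# Subpaths such as /init or /analyze belong to the same action repository.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(/[\w./-]+)?@(\S+)")


def find_action_refs(text: str) -> List[Tuple[str, str]]:
    """Return (action_repo, ref) for every `uses:` line in a workflow file."""
    refs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group(1), m.group(3)))
    return refs


def major_of(ref: str) -> Optional[int]:
    """Major version of a tag like v7, v7.1.0 or 7; None for SHAs and branches."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)*", ref)
    return int(m.group(1)) if m else None


def stale_refs(refs: List[Tuple[str, str]],
               expected: Dict[str, int] = EXPECTED_MAJOR) -> List[Tuple[str, str, int]]:
    """References to a tracked action whose major is below the expected one."""
    stale = []
    for action, ref in refs:
        want = expected.get(action)
        have = major_of(ref)
        if want is not None and have is not None and have < want:
            stale.append((action, ref, want))
    return stale


def unpinned_refs(refs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """References that are mutable tags/branches rather than a full commit SHA."""
    return [(a, r) for a, r in refs if not re.fullmatch(r"[0-9a-f]{40}", r)]


def scan_workflow_dir(workflow_dir: str = ".github/workflows") -> Dict[str, List[Tuple[str, str, int]]]:
    """Map each workflow file to its stale references (assumed directory layout)."""
    report = {}
    for path in sorted(Path(workflow_dir).glob("*.yml")):
        stale = stale_refs(find_action_refs(path.read_text()))
        if stale:
            report[str(path)] = stale
    return report


if __name__ == "__main__":
    refs = find_action_refs(SAMPLE_WORKFLOW)
    for action, ref, want in stale_refs(refs):
        print(f"stale: {action}@{ref} (expected v{want}+)")
    for action, ref in unpinned_refs(refs):
        print(f"not SHA-pinned: {action}@{ref}")
    for path, stale in scan_workflow_dir().items():
        print(path, stale)
```

Run against the sample, the two codeql-action steps are reported as still on v3 while upload-artifact@v7 passes; on a checkout, `scan_workflow_dir()` walks the workflow directory so the same check covers every file the PR touched.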

Manual application of dependabot #539 (upload-artifact) and #541 (codeql)
against dev — their branches were cut from main and conflict with dev's
diverged workflows, and dependabot can't target dev until the config
(#588) reaches main via a release. Supersedes #539/#541.

- upload-artifact@v4 -> v7: extract-subpacks-on-release, security-scan, scorecard
- codeql-action@v3 -> v4: codeql (init+analyze), scorecard (upload-sarif)

Closes #590

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@atlas-apex atlas-apex merged commit 38dcf45 into dev Jun 9, 2026
5 checks passed
@atlas-apex atlas-apex deleted the ci/GH-590-bump-artifact-codeql branch June 9, 2026 04:46