8000 Bump actions/download-artifact from 7.0.0 to 8.0.0 by dependabot[bot] · Pull Request #2280 · atlanhq/atlan-java · GitHub
[go: up one dir, main page]
Skip to content

Bump actions/download-artifact from 7.0.0 to 8.0.0#2280

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-8.0.0
Closed

Bump actions/download-artifact from 7.0.0 to 8.0.0#2280
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-8.0.0

Conversation

@dependabot
Copy link
Contributor
@dependabot dependabot bot commented on behalf of github Feb 27, 2026
edited
Loading

Bumps actions/download-artifact from 7.0.0 to 8.0.0.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • 96bf374 One more test fix
  • b8c4819 Fix skip decompress test
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 27, 2026
@dependabot dependabot bot requested a review from cmgrote as a code owner February 27, 2026 04:53
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 27, 2026
@greptile-apps
Copy link
greptile-apps bot commented Feb 27, 2026

Greptile Summary

Upgraded actions/download-artifact from v7.0.0 to v8.0.0 across all workflow files. The upgrade introduces improved security with digest verification defaulting to error (previously warn), and updates handling of non-zipped files. All 12 instances download artifacts uploaded by compatible actions/upload-artifact@v6.0.0, ensuring seamless operation.

  • Updated all workflow files to use commit hash 70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 for v8.0.0
  • Compatible with existing upload-artifact@v6.0.0 usage throughout workflows
  • Enhanced security: digest mismatches now fail workflows by default instead of logging warnings
  • All downloaded artifacts are JAR and ZIP files, properly handled by v8.0.0

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • Standard dependency upgrade with full compatibility. All artifacts are uploaded with upload-artifact@v6.0.0 which is designed to work with download-artifact@v8.0.0. The breaking change (digest verification defaulting to error) improves security without breaking existing functionality since all artifacts are from trusted sources within the same workflow.
  • No files require special attention

Important Files Changed
Filename Overview
.github/workflows/test.yml Updated download-artifact from v7.0.0 to v8.0.0 in three test jobs (integration-test, asset-import-test, package-test)
.github/workflows/merge.yml Updated download-artifact from v7.0.0 to v8.0.0 in publish-base-image job for SDK and package artifacts
.github/workflows/release.yml Updated download-artifact from v7.0.0 to v8.0.0 in publish-base-image job for release builds
.github/workflows/custom-package-container.yml Updated download-artifact from v7.0.0 to v8.0.0 for downloading custom package artifacts (amd64 and arm64)

Last reviewed commit: dc9e1b6

@dependabot
Bump actions/download-artifact from 7.0.0 to 8.0.0
517fe71 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@37930b1...70fc10c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/download-artifact-8.0.0 branch from dc9e1b6 to 517fe71 Compare March 9, 2026 04:55
cmgrote added a commit that referenced this pull request Mar 9, 2026
@cmgrote @claude
chore(deps): consolidate dependency updates
9c65b9f 
Consolidates updates from the following dependency PRs:
- #2296: Bump de.siegmar:fastcsv from 4.1.0 to 4.1.1
- #2294: Bump awssdk from 2.41.32 to 2.42.8
- #2293: Bump docker/build-push-action from 6.19.2 to 7.0.0
- #2292: Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
- #2289: Bump com.google
8000
.cloud:libraries-bom from 26.76.0 to 26.77.0
- #2288: Bump jetty from 12.1.6 to 12.1.7
- #2286: Bump docker/login-action from 3.7.0 to 4.0.0
- #2284: Bump com.diffplug.spotless:spotless-plugin-gradle from 8.2.1 to 8.3.0
- #2281: Bump com.gradleup.shadow from 9.3.1 to 9.3.2
- #2280: Bump actions/download-artifact from 7.0.0 to 8.0.0
- #2278: Bump co.elastic.clients:elasticsearch-java from 9.3.1 to 9.3.2
- #2277: Bump actions/upload-artifact from 6.0.0 to 7.0.0
- #2276: Bump pkl from 0.30.2 to 0.31.0
- #2275: Bump org.pkl-lang:org.pkl-lang.gradle.plugin from 0.30.2 to 0.31.0
- #2269: Bump io.openlineage:openlineage-java from 1.44.0 to 1.44.1
- #2268: Bump com.jayway.jsonpath:json-path from 2.10.0 to 3.0.0
- #2266: Bump jackson from 2.21.0 to 2.21.1
- #2265: Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8

Also removes the claude.yml workflow (VPN step incompatible with public repo).

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
@cmgrote cmgrote mentioned this pull request Mar 9, 2026
Merged
cmgrote added a commit that referenced this pull request Mar 9, 2026
@cmgrote @claude
chore(deps): consolidate dependency updates (#2297)
fd7149e 
Consolidates updates from the following dependency PRs:
- #2296: Bump de.siegmar:fastcsv from 4.1.0 to 4.1.1
- #2294: Bump awssdk from 2.41.32 to 2.42.8
- #2293: Bump docker/build-push-action from 6.19.2 to 7.0.0
- #2292: Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
- #2289: Bump com.google.cloud:libraries-bom from 26.76.0 to 26.77.0
- #2288: Bump jetty from 12.1.6 to 12.1.7
- #2286: Bump docker/login-action from 3.7.0 to 4.0.0
- #2284: Bump com.diffplug.spotless:spotless-plugin-gradle from 8.2.1 to 8.3.0
- #2281: Bump com.gradleup.shadow from 9.3.1 to 9.3.2
- #2280: Bump actions/download-artifact from 7.0.0 to 8.0.0
- #2278: Bump co.elastic.clients:elasticsearch-java from 9.3.1 to 9.3.2
- #2277: Bump actions/upload-artifact from 6.0.0 to 7.0.0
- #2276: Bump pkl from 0.30.2 to 0.31.0
- #2275: Bump org.pkl-lang:org.pkl-lang.gradle.plugin from 0.30.2 to 0.31.0
- #2269: Bump io.openlineage:openlineage-java from 1.44.0 to 1.44.1
- #2268: Bump com.jayway.jsonpath:json-path from 2.10.0 to 3.0.0
- #2266: Bump jackson from 2.21.0 to 2.21.1
- #2265: Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8

Also removes the claude.yml workflow (VPN step incompatible with public repo).

Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
@dependabot @github
Copy link
Contributor Author
dependabot bot commented on behalf of github Mar 9, 2026

Looks like actions/download-artifact is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Mar 9, 2026
@dependabot dependabot bot deleted the dependabot/github_actions/actions/download-artifact-8.0.0 branch March 9, 2026 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmgrote cmgrote Awaiting requested review from cmgrote cmgrote is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

0