chore(deps): update github-actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6 → v7
actions/configure-pages	action	major	v5 → v6
actions/deploy-pages	action	major	v4 → v5
actions/download-artifact	action	major	v7 → v8
actions/upload-artifact	action	major	v6 → v7
actions/upload-pages-artifact	action	major	v4 → v5
jdx/mise-action	action	major	v3 → v4
softprops/action-gh-release	action	major	v2 → v3

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

actions/configure-pages (actions/configure-pages)

v6.0.0

Compare Source

Changelog

• upgrade to node 24 @​salmanmkc (#​186)
• Upgrade IA Publish @​Jcambass (#​165)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​163)
• pin draft release version @​YiMysty (#​162)
• Bump espree from 9.6.1 to 10.1.0 @​dependabot (#​160)
• Bump eslint-config-prettier from 8.8.0 to 9.1.0 @​dependabot (#​143)
• Be more friendly to Dependabot @​yoannchaudet (#​158)
• Bump eslint-plugin-github from 4.10.2 to 5.0.1 @​dependabot (#​154)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @​dependabot (#​156)
• Bump undici from 5.28.3 to 5.28.4 @​dependabot (#​145)

See details of all code changes since previous release.

v6

Compare Source

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

• Update Node.js version to 24.x @​salmanmkc (#​404)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​374)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @​dependabot (#​360)
• Make the rebuild dist workflow work nicer with Dependabot @​yoannchaudet (#​361)
• Bump the non-breaking-changes group across 1 directory with 3 updates @​dependabot (#​358)
• Delete repeated sentence @​garethsb (#​359)
• Update README.md @​tsusdere (#​348)
• Bump the non-breaking-changes group with 4 updates @​dependabot (#​341)
• Remove error message for file permissions @​TooManyBees (#​340)

---

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

actions/upload-pages-artifact (actions/upload-pages-artifact)

v5.0.0

Compare Source

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#​139)
• feat: add include-hidden-files input @​jonchurch (#​137)

See details of all code changes since previous release.

v5

Compare Source

jdx/mise-action (jdx/mise-action)

v4.2.0: : Bootstrap mode & wget fallback

Compare Source

This release adds an opt-in bootstrap mode for projects that use mise bootstrap, and makes the action work on runner images that ship wget but not curl.

Added

Bootstrap mode (#​522) by @​jdx

Three new inputs let the action drive mise bootstrap instead of mise install:

- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task"   # comma-separated parts to skip
    bootstrap_args: "--yes"        # extra args forwarded to mise bootstrap

• When bootstrap: true, the action runs mise bootstrap under the existing install gate and sets MISE_EXPERIMENTAL=1 automatically.
• If a repo mise lock file is present, it runs mise --locked bootstrap, matching the auto-lock behavior introduced for mise install in v4.1.0.
• install_args cannot be combined with bootstrap: true — the action fails fast and tells you to use bootstrap_skip / bootstrap_args instead, because full bootstrap doesn't support partial tool install args.
• A new {{bootstrap_hash}} template variable is included in the default cache key (and available in custom cache_key templates) so bootstrap and non-bootstrap configurations don't share caches.

bootstrap_skip relies on mise bootstrap --skip from jdx/mise#10497, so make sure you're on a recent mise version if you use it.

Fixed

• Fall back to wget when curl is unavailable (#​521) by @​risu729 — The action used to hard-code curl for fetching the mise binary, tar/zip archives, and the latest VERSION lookup, which broke on minimal runner images that only ship wget. It now prefers curl and transparently falls back to wget, preserving the streaming download | tar fast path for .tar.gz and .tar.zst installs on Linux/macOS. Proxy support is unchanged — both tools honor HTTP_PROXY/HTTPS_PROXY. Addresses jdx/mise#10488.

Documentation

• Link the known Rust cache interaction note from the README (#​496) by @​risu729.

Full Changelog: jdx/mise-action@v4.1.0...v4.2.0

v4.1.0: : automatic --locked installs

Compare Source

This release adds automatic locked installs when a mise.lock is present, and fixes a long-standing cache-key collision that could poison tool installs when workflows migrate between runner providers.

Added

Automatic --locked install when mise.lock exists (#​495) by @​zeitlinger

When a repo contains mise.lock, the action now automatically passes --locked to mise install (on mise versions that support it). This removes the need to manually set install_args: --locked and prevents mise install from silently mutating the lockfile in CI. Explicit install_args and older mise versions are still respected.

Note: workflows with a stale lockfile may now fail earlier and more explicitly instead of silently updating mise.lock mid-run — this surfaces lockfile drift rather than hiding it.

Fixed

• Cache key collisions across runner providers (#​456) — the default cache key now includes the runner image (e.g. macos15, ubuntu24 for GitHub-hosted runners; self-hosted otherwise). Previously, repos migrating between providers like github-hosted, namespace.so, BuildJet, and self-hosted runners with the same OS/arch could restore a peer provider's ~/.local/share/mise/installs/*, causing failures like does not have an executable named '…' or SIGILL crashes from binaries built against a different glibc/CPU featureset. Expect a one-time cache miss after upgrading; thereafter the cache stays scoped per image.
• mise-shim.exe missing on Windows (#​476) by @​risu729 — the action now installs mise-shim.exe alongside mise.exe and repairs restored caches that lack the shim. Fixes #​475.

Changed

• Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM) (#​436). No user-facing behavior change.

Full Changelog: jdx/mise-action@v4.0.1...v4.1.0

v4.0.1: : Documentation and Internal Cleanup

Compare Source

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed

• Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @​deining in #​407 and #​408
• Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @​altendky in #​403

New Contributors

• @​deining made their first contribution in #​407

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0: : Node.js 24 Runtime

Compare Source

A major version bump that updates the action's runtime from Node.js 20 to Node.js 24. GitHub has deprecated Node.js 20 for Actions and will force Node.js 24 as the default starting June 2, 2026. This release proactively adopts the new runtime to eliminate deprecation warnings and ensure continued compatibility.

Breaking Changes

• The action now runs on the Node.js 24 runtime instead of Node.js 20. If your workflow pins jdx/mise-action@v3, you will continue to see deprecation warnings. Update to jdx/mise-action@v4 to resolve them:

  - uses: jdx/mise-action@v4

  This should be a seamless upgrade for the vast majority of users — no configuration changes are needed beyond updating the version reference.

Changed

• Updated GitHub Actions runtime from Node.js 20 to Node.js 24 by @​tumerorkun in #​395 (fixes #​394)

New Contributors

• @​tumerorkun made their first contribution in #​395

Full Changelog: jdx/mise-action@v3...v4.0.0

v4

Compare Source

softprops/action-gh-release (softprops/action-gh-release)

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.