🚨 Update github actions (main) (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	major	v5.0.4 → v6.0.0
actions/checkout	action	major	v6.0.2 → v7.0.0
actions/configure-pages	action	major	v5.0.0 → v6.0.0
actions/create-github-app-token	action	major	v2.2.2 → v3.2.0
actions/deploy-pages	action	major	v4.0.5 → v5.0.0
actions/download-artifact	action	major	v7.0.0 → v8.0.1
actions/upload-artifact	action	major	v6.0.0 → v7.0.1
actions/upload-pages-artifact	action	major	v4.0.0 → v5.0.0
codecov/codecov-action	action	major	v5.5.4 → v7.0.0
docker/setup-qemu-action	action	major	v3.7.0 → v4.1.0
softprops/action-gh-release	action	major	v2 → v3

---

Release Notes

actions/cache (actions/cache)

v6.0.0

Compare Source

What's Changed

• Update packages, migrate to ESM by @​Samirat in #​1760

Full Changelog: actions/cache@v5...v6.0.0

v6

Compare Source

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

actions/configure-pages (actions/configure-pages)

v6.0.0

Compare Source

Changelog

• upgrade to node 24 @​salmanmkc (#​186)
• Upgrade IA Publish @​Jcambass (#​165)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​163)
• pin draft release version @​YiMysty (#​162)
• Bump espree from 9.6.1 to 10.1.0 @​dependabot (#​160)
• Bump eslint-config-prettier from 8.8.0 to 9.1.0 @​dependabot (#​143)
• Be more friendly to Dependabot @​yoannchaudet (#​158)
• Bump eslint-plugin-github from 4.10.2 to 5.0.1 @​dependabot (#​154)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @​dependabot (#​156)
• Bump undici from 5.28.3 to 5.28.4 @​dependabot (#​145)

See details of all code changes since previous release.

v6

Compare Source

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

v3.1.0

Compare Source

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#​357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#​353) (e6bd4e6)
• update permission inputs (#​358) (076e948)

v3.0.0

Compare Source

• feat!: node 24 support (#​275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#​342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#​143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3

Compare Source

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

• Update Node.js version to 24.x @​salmanmkc (#​404)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#​374)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @​dependabot (#​360)
• Make the rebuild dist workflow work nicer with Dependabot @​yoannchaudet (#​361)
• Bump the non-breaking-changes group across 1 directory with 3 updates @​dependabot (#​358)
• Delete repeated sentence @​garethsb (#​359)
• Update README.md @​tsusdere (#​348)
• Bump the non-breaking-changes group with 4 updates @​dependabot (#​341)
• Remove error message for file permissions @​TooManyBees (#​340)

---

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

actions/upload-pages-artifact (actions/upload-pages-artifact)

v5.0.0

Compare Source

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#​139)
• feat: add include-hidden-files input @​jonchurch (#​137)

See details of all code changes since previous release.

v5

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v7

Compare Source

v6.0.2

Compare Source

This is a copy of the v7.0.0 release to make updates easier

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

docker/setup-qemu-action (docker/setup-qemu-action)

v4.1.0

Compare Source

• Add reset input to uninstall current emulators by @​crazy-max in #​21
• Bump @​docker/actions-toolkit from 0.77.0 to 0.91.0 in #​250 #​247
• Bump brace-expansion from 1.1.12 to 1.1.15 in #​265
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​286
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​255
• Bump flatted from 3.3.3 to 3.4.2 in #​257
• Bump glob from 10.3.15 to 10.5.0 in #​254
• Bump handlebars from 4.7.8 to 4.7.9 in #​262
• Bump lodash from 4.17.23 to 4.18.1 in #​273
• Bump postcss from 8.5.6 to 8.5.10 in #​285
• Bump tar from 6.2.1 to 7.5.15 in #​287
• Bump tmp from 0.2.5 to 0.2.6 in #​291
• Bump undici from 6.23.0 to 6.26.0 in #​251
• Bump vite from 7.3.1 to 7.3.2 in #​271

Full Changelog: docker/setup-qemu-action@v4.0.0...v4.1.0

v4.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​245
• Switch to ESM and update config/test wiring by @​crazy-max in #​241
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​244
• Bump @​docker/actions-toolkit from 0.67.0 to 0.77.0 in #​243
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in #​240
• Bump js-yaml from 3.14.1 to 3.14.2 in #​231
• Bump lodash from 4.17.21 to 4.17.23 in #​238

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

v4

Compare Source

softprops/action-gh-release (softprops/action-gh-release)

v3.0.1

Compare Source

3.0.1

• maintenance release with updated dependencies

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	53.44% <ø> (ø)
generative	16.79% <ø> (ø)
integration	27.66% <ø> (ø)
unit	69.13% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

Review

Findings

High

• [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). This PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for all protected-path changes.
  Remediation: Link this PR to an issue or provide explicit justification for modifying CI workflow files. A human maintainer must approve changes to protected paths regardless.

Info

• [permission-expansion] .github/workflows/release.yaml — Multiple GitHub Actions are bumped to new major versions in a workflow with elevated permissions (contents: write, pages: write, id-token: write). The workflow permissions themselves are unchanged, but updated action internals should be verified against their changelogs for security-relevant behavioral changes.
• [secret-exposure] .github/workflows/update-go-containerregistry.yaml:54 — actions/create-github-app-token is bumped from v2.2.2 to v3.2.0. This action receives the EC_AUTOMATION_KEY private key secret. The usage pattern is unchanged. Verify the v3 changelog does not alter how the private key is handled or logged.
• [permission-expansion] .github/workflows/checks-codecov.yaml — codecov/codecov-action is bumped from v5.5.4 to v7.0.0 (skipping v6 entirely). This action receives CODECOV_TOKEN. Two major version jumps may introduce significant behavioral changes. Verify the v6 and v7 changelogs for changes to token handling or network behavior.
• [sub-agent-failure] The style-conventions sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).
• [sub-agent-failure] The intent-coherence sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).

Previous run

Review

Findings

High

• [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path. This PR has no linked issue and no explicit justification for modifying governance/infrastructure files. Protected-path changes always require human approval. Affected files: checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml.

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:197 — codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The workflow passes CODECOV_TOKEN via the env block (not with: token:) and uses disable_search: true across four codecov steps (lines 200, 209, 218, 227). These inputs and the env-based token approach may have changed in v7. Verify that codecov/codecov-action v7.0.0 still supports the disable_search input and env-based CODECOV_TOKEN. If either was removed or renamed, update accordingly.

Low

• [api-contract] .github/workflows/checks-codecov.yaml:89 — upload-artifact is bumped from v6 to v7 while download-artifact is bumped from v7 to v8 in the same workflow pipeline (Upload job depends on Test and Acceptance jobs). Both use GitHub's v2 artifact backend and are expected to be compatible, but the cross-major-version pairing is worth a quick verification.

Info

• [sub-agent-failure] N/A — The intent-coherence and style-conventions sub-agents did not return findings: model claude-sonnet-4-5@20250929 is not available on this Vertex deployment. These are sonnet-tier sub-agents; for this mechanical Renovate PR the gap is low-risk.

Previous run (2)

Review

Findings

High

• [protected-path] .github/workflows/* — All 6 modified files are under the .github/ protected path. This PR has no linked issue and modifies governance/infrastructure workflow files. Human approval is required for all protected-path changes. Protected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml.
  Remediation: A human maintainer must review and approve this PR. Consider linking a tracking issue that authorizes these CI dependency updates.

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:198 — The codecov/codecov-action is being bumped from v5.5.4 to v7.0.0, skipping major version v6. The disable_search input parameter is used in all four codecov upload steps. If this parameter was renamed or removed in v7, the action would silently ignore the unknown input (GitHub Actions does not fail on unrecognized inputs), causing codecov to search for coverage files instead of using only the explicitly specified file. This could lead to incorrect or duplicate coverage reporting.
  Remediation: Verify that disable_search is still a valid input for codecov/codecov-action v7.0.0 by checking the action's action.yml at commit fb8b3582c8e4def4969c97caa2f19720cb33a72f.

Low

• [api-contract] .github/workflows/checks-codecov.yaml:89 — upload-artifact is bumped from v6 to v7 and download-artifact from v7 to v8. These actions share artifacts between the Test/Acceptance jobs and the Upload job. Cross-major-version artifact compatibility should be verified.

Info

• [permission-expansion] .github/workflows/release.yaml — Multiple GitHub Actions are bumped to new major versions. All workflow permissions: blocks remain unchanged and actions remain SHA-pinned. Informational only.
• [sub-agent-failure] The intent-coherence sub-agent did not return findings: model unavailable on deployment.
• [sub-agent-failure] The style-conventions sub-agent did not return findings: model unavailable on deployment.

Previous run (3)

Review

Findings

High

• [privilege-escalation] .github/workflows/update-go-containerregistry.yaml:54 — The bump from actions/create-github-app-token v2 to v3 introduces a breaking change in default token scoping. In v2, omitting the repositories input scoped the token to the current repository. In v3, omitting repositories (when owner is also omitted) may grant the token access to ALL repositories where the GitHub App is installed. The workflow does not specify repositories or owner, so the token generated for the peter-evans/create-pull-request step could have broader repository access than intended, violating least-privilege.
  Remediation: Explicitly add repositories: ${{ github.event.repository.name }} to the actions/create-github-app-token step to preserve the v2 behavior of scoping the token to only the current repository.

• [protected-path] .github/workflows/ — All four modified files (.github/workflows/checks-codecov.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml) are under the .github/ protected path. The PR has no linked issue and the description does not explain why these governance/infrastructure files are being changed. Human approval is required for all protected-path changes.

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:195 — codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The disable_search input parameter is used in all four codecov upload steps. If disable_search is no longer supported in v7, Codecov may silently search for and upload unintended coverage files instead of using only the explicitly specified files. Additionally, skipping a major version makes incremental change auditing harder, particularly relevant given codecov's prior supply-chain compromise history.
  Remediation: Verify that disable_search: true is still a supported input in codecov/codecov-action v7.0.0 by checking the action's v7 action.yml. Review the v6 and v7 changelogs for changes in secret handling or upload behavior.

Low

• [api-contract] .github/workflows/release.yaml:204 — softprops/action-gh-release is bumped from v2 to v3. The make_latest parameter is used in both the rolling release and versioned release steps. If v3 changed this input's type or semantics, release behavior could be affected.
  Remediation: Verify that softprops/action-gh-release v3 still supports the make_latest input with the same semantics.

Info

• [permissions-audit] .github/workflows/checks-codecov.yaml — No permissions: blocks were changed in any of the four modified workflow files. The existing permission scoping remains unchanged by this diff.

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable.

• [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model unavailable.

Previous run (4)

Review

Findings

High

• [protected-path] .github/workflows/ — All four modified files are under .github/, a protected path. This PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for protected-path changes regardless of context.
  • Affected files: checks-codecov.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml

Medium

• [api-contract] .github/workflows/checks-codecov.yaml:200 — codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The workflow uses disable_search: true in four codecov upload steps (lines 200, 209, 218, 227). This input may have been removed or renamed across the two major version jumps. If unrecognized, the action may fall back to auto-discovery, potentially uploading wrong or duplicate coverage files. Verify the codecov-action v6 and v7 changelogs confirm disable_search, files, flags inputs and the CODECOV_TOKEN env var pattern are still supported.

Low

• [api-contract] .github/workflows/update-go-containerregistry.yaml:57 — actions/create-github-app-token v3.1.0 deprecated the app-id input in favor of client-id. The workflow still uses app-id. While deprecated inputs typically continue to work, this should be migrated to client-id to avoid future breakage.

• [api-contract] .github/workflows/checks-codecov.yaml:89 — actions/upload-artifact is bumped from v6 to v7 while actions/download-artifact is bumped from v7 to v8. These cross-job artifact actions must use compatible backend versions. Confirm in the release notes that upload v7 artifacts can be downloaded by download v8.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on this deployment.

• [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on this deployment.

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] api-contract

actions/create-github-app-token v3.1.0 deprecated the app-id input in favor of client-id. The workflow still uses app-id. While deprecated inputs typically continue to work, this should be migrated to avoid future breakage.

Suggested fix: Replace app-id with client-id in the create-github-app-token step.

[fullsend-ai-review]

[low] api-contract

upload-artifact v6 to v7 and download-artifact v7 to v8 are both major bumps used cross-job. Confirm in release notes that upload v7 artifacts can be downloaded by download v8.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:18 PM UTC · Completed 9:27 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] privilege-escalation

The bump from actions/create-github-app-token v2 to v3 introduces a breaking change in default token scoping. In v2, omitting the repositories input scoped the token to the current repository. In v3, omitting repositories (when owner is also omitted) may grant the token access to ALL repositories where the GitHub App is installed. The workflow does not specify repositories or owner, so the token generated for the peter-evans/create-pull-request step could have broader repository access than intended, violating least-privilege.

Suggested fix: Explicitly add repositories: ${{ github.event.repository.name }} to the actions/create-github-app-token step to preserve the v2 behavior of scoping the token to only the current repository.

[fullsend-ai-review]

[medium] api-contract

codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The disable_search input parameter is used in all four codecov upload steps. If disable_search is no longer supported in v7, Codecov may silently search for and upload unintended coverage files instead of using only the explicitly specified files. Additionally, skipping a major version makes incremental change auditing harder, particularly relevant given codecov's prior supply-chain compromise history.

Suggested fix: Verify that disable_search: true is still a supported input in codecov/codecov-action v7.0.0 by checking the action's v7 action.yml. Review the v6 and v7 changelogs for changes in secret handling or upload behavior.

[fullsend-ai-review]

[low] api-contract

softprops/action-gh-release is bumped from v2 to v3. The make_latest parameter is used in both the rolling release and versioned release steps. If v3 changed this input's type or semantics, release behavior could be affected.

Suggested fix: Verify that softprops/action-gh-release v3 still supports the make_latest input with the same semantics.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 5:54 PM UTC · Completed 6:05 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] api-contract

The codecov/codecov-action is being bumped from v5.5.4 to v7.0.0, skipping major version v6. The disable_search input parameter is used in all four codecov upload steps. If this parameter was renamed or removed in v7, the action would silently ignore the unknown input, causing codecov to search for coverage files instead of using only the explicitly specified file. This could lead to incorrect or duplicate coverage reporting.

Suggested fix: Verify that disable_search is still a valid input for codecov/codecov-action v7.0.0 by checking the action's action.yml at commit fb8b3582c8e4def4969c97caa2f19720cb33a72f. If renamed, update all four usages in the Upload job.

[fullsend-ai-review]

[low] api-contract

upload-artifact is bumped from v6 to v7 and download-artifact from v7 to v8. These actions share artifacts between the Test/Acceptance jobs and the Upload job within the same workflow run. Cross-major-version artifact compatibility should be verified.

Suggested fix: Confirm that upload-artifact v7 and download-artifact v8 are backend-compatible by checking the respective release notes.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 5:14 PM UTC · Completed 5:24 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] api-contract

codecov/codecov-action is bumped from v5.5.4 to v7.0.0, skipping v6 entirely. The workflow passes CODECOV_TOKEN via the env block (not with: token:) and uses disable_search: true across four codecov steps. These inputs and the env-based token approach may have changed in v7.

Suggested fix: Verify that codecov/codecov-action v7.0.0 still supports the disable_search input and env-based CODECOV_TOKEN. If either was removed or renamed, update accordingly.

[fullsend-ai-review]

[low] api-contract

upload-artifact is bumped from v6 to v7 while download-artifact is bumped from v7 to v8 in the same workflow pipeline. Both use the v2 artifact backend and are expected to be compatible, but the cross-major-version pairing is worth a quick verification.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:44 PM UTC · Completed 6:53 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[info] secret-exposure

actions/create-github-app-token is bumped from v2.2.2 to v3.2.0. This action receives the EC_AUTOMATION_KEY private key secret. The usage pattern is unchanged. Verify the v3 changelog does not alter how the private key is handled or logged.