@renovate renovate bot commented Aug 18, 2025

This PR contains the following updates:

Package Type Update Change
actions/download-artifact action major v4.3.0 -> v6.0.0
actions/upload-artifact action major v4.6.2 -> v5.0.0

Release Notes

actions/download-artifact (actions/download-artifact)

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

Full Changelog: actions/download-artifact@v5...v6.0.0

v5.0.0

What's Changed

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

  • By name: name: my-artifact → extracted to path/ (direct)
  • By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

  • By name: name: my-artifact → extracted to path/ (unchanged)
  • By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

  • You download artifacts by name
  • You download multiple artifacts by ID
  • You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

Full Changelog: actions/download-artifact@v4...v5.0.0

actions/upload-artifact (actions/upload-artifact)

v5.0.0


Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 18, 2025 03:25
codecov bot commented Aug 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.42%. Comparing base (ed1dfd4) to head (0c38897).

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1865       +/-   ##
===========================================
- Coverage   85.38%   43.42%   -41.97%     
===========================================
  Files        1726      569     -1157     
  Lines      145621    29951   -115670     
===========================================
- Hits       124345    13006   -111339     
+ Misses      21276    16945     -4331     

@bitwarden-bot bitwarden-bot changed the title [deps]: Update actions/download-artifact action to v5 [PM-24910] [deps]: Update actions/download-artifact action to v5 Aug 18, 2025
@bitwarden-bot
Internal tracking:

@renovate renovate bot changed the title [PM-24910] [deps]: Update actions/download-artifact action to v5 [deps]: Update actions/download-artifact action to v5 Aug 18, 2025
@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch 15 times, most recently from b266418 to 5c6161c Compare October 1, 2025 15:06
@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch 10 times, most recently from 6d6f087 to 0718018 Compare October 7, 2025 13:53
@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch 3 times, most recently from 2b454bb to b404242 Compare October 8, 2025 17:08
@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch from b404242 to 63782b8 Compare October 31, 2025 21:27
@renovate renovate bot changed the title [deps]: Update actions/download-artifact action to v5 [deps]: Update GitHub Artifact Actions (major) Oct 31, 2025
@renovate renovate bot force-pushed the renovate/major-github-artifact-actions branch from 63782b8 to b6107e6 Compare November 10, 2025 14:58
@vvolkgang vvolkgang enabled auto-merge (squash) November 19, 2025 20:42
renovate bot commented Nov 19, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

claude bot commented Nov 19, 2025

Claude finished @renovate[bot]'s task —— View job


Review Complete

I've reviewed this dependency update PR that upgrades GitHub Actions for artifact handling.


Summary

This PR updates artifact-related GitHub Actions across 5 workflow files:

  • actions/upload-artifact: v4.6.2 → v5.0.0
  • actions/download-artifact: v4.3.0 → v6.0.0

All changes are version bumps with no workflow configuration changes required.


Findings

Finding 1: 💭 PR description is comprehensive and includes migration information, but may benefit from explicit confirmation of breaking change analysis.

Context

The PR body includes detailed release notes about a breaking change in download-artifact v5 regarding path behavior for single artifact downloads by ID. However, after reviewing the codebase:

Analysis of breaking change impact:

  • The breaking change affects single artifact downloads by ID using artifact-ids parameter
  • I searched the codebase and found NO usage of artifact-ids parameter
  • All artifact downloads use either:
    • name parameter (test-bwa.yml:212, test.yml:207)
    • run-id parameter (dispatch-and-download/action.yml:96)
    • gh run download CLI commands (Scripts/download-artifacts.sh)

Conclusion: The breaking change does not affect this repository. The migration guide in the PR description is informative but not actionable for this codebase.

Consider adding a brief note in the PR description confirming that the breaking change has been analyzed and does not impact this repository.


Finding 2: 💭 Consider verifying Node v24.x runtime compatibility, though this is likely handled by GitHub Actions infrastructure.

Context

The download-artifact v6 release notes state: "BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such."

Current status:

  • GitHub-hosted runners manage Node.js versions for actions automatically
  • All modified workflows run on either macos-26 or ubuntu-24.04 runners
  • No explicit Node.js version pinning in workflows

Recommendation: This should work without changes, but if any CI failures occur related to Node.js compatibility after merge, investigate the runner's Node.js version.


Verification

Artifact download by name - Used in test workflows, unaffected by breaking changes
Artifact download by run-id - Used in dispatch-and-download action, unaffected by breaking changes
Artifact upload - v5.0.0 has no breaking changes per release notes
Script-based downloads - Uses gh run download CLI, not affected by action changes
Code coverage maintained - Codecov reports 85.22% coverage unchanged


Recommendation

This PR is safe to merge. The dependency updates are straightforward version bumps with no impact from the documented breaking changes. The workflows will continue to function as expected.

The PR already has approval from @vvolkgang, and the changes align with automated dependency management best practices.
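
The migration rule from the download-artifact v5 release notes, turned into a check over workflow text (an added example, not part of this PR thread or of either action's code). The sample workflow is constructed, `affected_steps` is a hypothetical helper, and the scan is line-based rather than a full YAML parse, so it assumes `with:` follows `uses:` within a step.

```python
import re

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*actions/download-artifact@(\S+)")
KEY = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*(?:#.*)?$")

# Constructed sample: only the first step matches the "Action Required" case.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/download-artifact@v4
        with:
          artifact-ids: 12345
          path: dist
      - name: by name
        uses: actions/download-artifact@v4
        with:
          name: my-artifact
          path: dist
      - uses: actions/download-artifact@v4
        with:
          artifact-ids: 12345,67890
          path: out
      - uses: actions/download-artifact@v4
        with:
          artifact-ids: 12345
          merge-multiple: true
"""

def affected_steps(workflow_text):
    """Return (line, ref, path) for steps whose extract path changes in v5+."""
    lines = workflow_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        # Column where this step's keys start; a smaller indent ends the step.
        key_col = len(m.group(1)) + len(m.group(2) or "")
        inputs = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break
            k = KEY.match(nxt)
            if k:
                inputs[k.group(1)] = k.group(2).strip("'\"")
        # A value with no comma (a literal ID or an expression) counts as one ID.
        ids = [p for p in inputs.get("artifact-ids", "").split(",") if p.strip()]
        merged = inputs.get("merge-multiple", "").lower() == "true"
        if len(ids) == 1 and not merged:
            hits.append((i + 1, m.group(3), inputs.get("path")))
    return hits

if __name__ == "__main__":
    for line_no, ref, path in affected_steps(SAMPLE):
        print(f"line {line_no}: @{ref} single artifact-ids, path={path}")
```
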


@github-actions
Checkmarx One – Scan Summary & Details cffbf011-aca0-45c7-902f-44caa97485fd

Great job! No new security vulnerabilities introduced in this pull request
