Bump actions/download-artifact from 6 to 7 #417

Merged
docktermj merged 6 commits into main from dependabot/github_actions/actions/download-artifact-7
Jan 15, 2026

@dependabot dependabot bot commented on behalf of github Dec 15, 2025

Bumps actions/download-artifact from 6 to 7.

Release notes

Sourced from actions/download-artifact's releases.

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

Commits
  • 37930b1 Merge pull request #452 from actions/download-artifact-v7-release
  • 72582b9 doc: update readme
  • 0d2ec9d chore: release v7.0.0 for Node.js 24 support
  • fd7ae8f Merge pull request #451 from actions/fix-storage-blob
  • d484700 chore: restore minimatch.dep.yml license file
  • 03a8080 chore: remove obsolete dependency license files
  • 56fe6d9 chore: update @actions/artifact license file to 5.0.1
  • 8e3ebc4 chore: update package-lock.json with @actions/artifact@5.0.1
  • 1e3c4b4 fix: update @actions/artifact to ^5.0.0 for Node.js 24 punycode fix
  • 458627d chore: use local @actions/artifact package for Node.js 24 testing
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.


Resolves #452
Resolves #451
Resolves actions/download-artifact#440
Resolves actions/download-artifact#415
Resolves actions/download-artifact#451
Resolves actions/download-artifact#452

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 15, 2025
@dependabot dependabot bot requested a review from a team as a code owner December 15, 2025 01:07
@github-actions

🤖 Claude Code Review

Code Review Analysis

Summary

This PR updates the GitHub Actions download-artifact action from v6 to v7 in two workflow steps. This is a dependency update with no functional code changes.


Detailed Review

✅ Code Quality

  • ✅ Code follows style guide: N/A - This is a YAML workflow configuration file, not application code
  • ✅ No commented-out code: No commented code present
  • ✅ Meaningful variable names: N/A - No variables introduced
  • ✅ DRY principle followed: The same update is applied consistently in both locations (lines 65 and 86)
  • ✅ Defects: No defects identified. The version bump from v6 to v7 is straightforward and both occurrences are updated consistently

✅ Testing

  • ✅ Unit tests: N/A - This is a workflow dependency update, not application code
  • ✅ Integration tests: N/A
  • ✅ Edge cases: N/A
  • ✅ Test coverage: N/A

Note: The workflow changes themselves should be validated by ensuring the GitHub Actions workflow runs successfully after merge.

⚠️ Documentation

  • ❌ CHANGELOG.md updated: No CHANGELOG.md update detected in the diff. Even for dependency updates in workflows, it's good practice to document changes
    • Recommendation: Add entry like "Updated actions/download-artifact from v6 to v7 in publish-to-pypi workflow"
  • ✅ Readme updated: N/A - No README update needed for workflow dependency updates
  • ✅ API docs updated: N/A - No API changes
  • ✅ Inline comments: N/A - YAML workflow is self-explanatory
  • ✅ Markdown formatting: No markdown files modified

✅ Security

  • ✅ No hardcoded credentials: No credentials present
  • ✅ Input validation: N/A
  • ✅ Proper error handling: N/A
  • ✅ No sensitive data in logs: N/A
  • ✅ No license files: No .lic files or AQAAAD strings detected

Overall Assessment

Status: ✅ APPROVED with minor recommendation

This is a clean dependency update that maintains consistency across the workflow file. The only recommendation is to add a CHANGELOG entry to document this infrastructure change.

Files Modified:

  • .github/workflows/publish-to-pypi.yaml:65 - Updated download-artifact to v7
  • .github/workflows/publish-to-pypi.yaml:86 - Updated download-artifact to v7

Recommendation:

Consider adding a CHANGELOG.md entry documenting this workflow dependency update for completeness and traceability.

Automated code review analyzing defects and coding standards

@github-actions

github-actions bot commented Dec 15, 2025

Coverage report

Columns: File, Statements, Missing, Coverage, Coverage (new stmts), Lines missing
Rows: src/senzing_core/_helpers.py; Project Total

This report was generated by python-coverage-comment-action

@docktermj docktermj self-assigned this Dec 15, 2025
@docktermj docktermj enabled auto-merge (squash) December 15, 2025 14:58
@github-actions

🤖 Claude Code Review

Code Review: GitHub Actions Dependency Bump (download-artifact v6 → v7)

Summary

This PR bumps actions/download-artifact from v6 to v7 in the PyPI publishing workflow. This is a straightforward dependency update with two identical changes.


Code Quality

Code follows style guide - The YAML formatting is consistent with existing style. No code style issues.

No commented-out code - No commented code present.

Meaningful variable names - N/A (workflow configuration only).

DRY principle followed - The change is repeated in two locations because these are separate jobs in the workflow. This is acceptable in GitHub Actions workflows.

Identify Defects - No bugs, logic errors, or security vulnerabilities introduced. The version bump appears safe based on the commit history showing this was likely a Dependabot update.

⚠️ Project memory consideration - The .claude/CLAUDE.md file in build-resources/ contains organization-level guidance. However, this file is in a subdirectory (build-resources/) which appears to be untracked/new based on git status. The actual project .claude/ directory was not found at the root level.


Testing

Unit tests for new functions - Not applicable (workflow configuration change).

Integration tests for new endpoints - Not applicable.

Edge cases covered - Not applicable.

Test coverage > 80% - Not applicable for workflow changes. However, the workflow itself should function correctly with v7.

Note: GitHub Actions dependency updates like this should ideally be tested in a non-production environment first. The commit history shows "Force re-test" which suggests this may have already been validated.


Documentation

Readme updated if needed - Not required for internal workflow dependency updates.

⚠️ API docs updated - Not applicable.

⚠️ Inline comments for complex logic - Not applicable.

CHANGELOG.md updated - The CHANGELOG.md was NOT updated for this change.

Location: /CHANGELOG.md:8

The [Unreleased] section should document this dependency update. While workflow changes may seem minor, documenting dependency updates is good practice for transparency. Consider adding:

## [Unreleased]

### Changed in Unreleased

- Bump actions/download-artifact from 6 to 7 in publish-to-pypi workflow

Markdown formatting - The YAML file follows proper formatting conventions.


Security

No hardcoded credentials - No credentials present.

Input validation implemented - Not applicable.

Proper error handling - Not applicable for this change.

No sensitive data in logs - No new logging introduced.

🔴 CRITICAL: License file detected - A license file exists at testdata/senzing-license/g2.lic (line: testdata/senzing-license/g2.lic). However, this file does NOT contain the critical string AQAAAD and appears to be test data (located in testdata/ directory). This is likely acceptable as test fixture data but should be verified that it's not a production license.


Overall Assessment

Status: ✅ Approved with minor documentation recommendation

This is a clean, straightforward dependency update from actions/download-artifact@v6 to @v7. The changes are:

  1. File: .github/workflows/publish-to-pypi.yaml:65 - Updated in publish-to-pypi job
  2. File: .github/workflows/publish-to-pypi.yaml:86 - Updated in github-release job

Recommendations:

  1. Update CHANGELOG.md to document this dependency bump
  2. Verify the license file at testdata/senzing-license/g2.lic is intentionally committed test data and not a production license

The code change itself is sound and ready for merge.

Automated code review analyzing defects and coding standards

@docktermj docktermj requested a review from a team as a code owner December 16, 2025 13:37
@github-actions

🤖 Claude Code Review

Code Review Analysis

Let me analyze this pull request diff against the review checklist.

Overview

This PR contains two changes:

  1. Bumping GitHub Actions dependency from v6 to v7
  2. Updating a documentation URL

Detailed Review

Code Quality ✅

  • Code follows style guide: The changes are minimal and follow YAML conventions. No Python code style issues.
  • No commented-out code: None present.
  • Meaningful variable names: N/A - only version numbers and URLs changed.
  • DRY principle followed: N/A - changes don't introduce duplication.
  • Defects: No bugs, logic errors, or security vulnerabilities introduced. The changes are:
    • Dependency version bump (standard maintenance)
    • URL correction (documentation fix)

Testing ⚠️

  • ⚠️ Unit tests for new functions: N/A - No new functions added.
  • ⚠️ Integration tests for new endpoints: N/A - No new endpoints.
  • ⚠️ Edge cases covered: N/A - No logic changes.
  • ⚠️ Test coverage > 80%: Unable to verify without running tests, but this change should not affect coverage as it's configuration-only.

Note: These changes are to CI configuration and documentation only. No code logic changes require testing.

Documentation ✅

  • Readme updated if needed: N/A - Changes don't require README updates.
  • API docs updated: N/A - No API changes.
  • Inline comments for complex logic: N/A - No code logic changes.
  • ⚠️ CHANGELOG.md updated: Not updated in this PR. Consider adding an entry like:
    • "Updated GitHub Actions dependency actions/download-artifact from v6 to v7"
    • "Fixed documentation URL for breaking changes"
  • Markdown formatting: The Migration.md file follows CommonMark specification. The URL change maintains proper markdown link syntax with no extra whitespace.

Files affected:

  • Migration.md:525 - URL updated correctly

Security ✅

  • No hardcoded credentials: None present.
  • Input validation implemented: N/A - No input handling code.
  • Proper error handling: N/A - No code logic changes.
  • No sensitive data in logs: N/A - No logging changes.
  • No license files or AQAAAD strings: None detected.

Specific Findings

.github/workflows/publish-to-pypi.yaml:65, 86

Positive: Bumping actions/download-artifact from v6 to v7 is good for:

  • Security patches
  • Bug fixes
  • Compatibility improvements

Recommendation: Verify that v7 doesn't introduce breaking changes in the artifact download behavior. The action maintains backward compatibility, so this should be safe.

Migration.md:525

Positive: URL correction from:

  • https://senzing.com/docs/4_beta/4_0_breaking_changes/index.html
  • to https://www.senzing.com/docs/release/4/4_0_breaking_changes/

This appears to be updating from a beta documentation path to the release documentation path, which is appropriate.

Recommendation: Verify the new URL is accessible and contains the expected content.

Summary

Overall Assessment: ✅ APPROVED

This is a clean, low-risk PR with two maintenance updates:

  1. Standard GitHub Actions dependency bump
  2. Documentation URL correction

Minor Issue:

  • CHANGELOG.md not updated - Consider documenting these changes

Action Items:

  1. Add entry to CHANGELOG.md documenting both changes
  2. Verify the new documentation URL is accessible

Risk Level: Low - No functional code changes, only configuration and documentation updates.

Automated code review analyzing defects and coding standards

@docktermj docktermj mentioned this pull request Dec 16, 2025
@docktermj docktermj assigned antaenc and unassigned docktermj Dec 18, 2025
@docktermj docktermj assigned docktermj and unassigned antaenc Jan 15, 2026
@github-actions

🤖 Claude Code Review

Code Review - Pull Request Analysis

Summary

This PR contains two changes:

  1. GitHub Actions: Upgrade actions/download-artifact from v6 to v7 (2 instances in .github/workflows/publish-to-pypi.yaml)
  2. Documentation: Update broken Senzing documentation URL in Migration.md

Review Checklist Results

Code Quality ✅

  • Code follows style guide: N/A - No Python code changes
  • No commented-out code: Clean changes, no commented code
  • Meaningful variable names: N/A - No code changes
  • DRY principle followed: N/A - No code changes
  • Identify Defects: No bugs, logic errors, or security vulnerabilities detected
  • Project memory configuration: The changes don't affect the ./.claude/CLAUDE.md file and are consistent with general repository maintenance

Testing ⚠️

  • Unit tests for new functions: N/A - No new functions added
  • Integration tests for new endpoints: N/A - No new endpoints
  • Edge cases covered: N/A - No functional changes
  • ⚠️ Test coverage > 80%: Cannot verify from this diff, but no functional code changed that would affect coverage

Note: These changes are infrastructure and documentation updates, not requiring new tests.

Documentation ✅

  • Readme updated if needed: Not required - no functional changes affecting README
  • API docs updated: N/A - No API changes
  • Inline comments for complex logic: N/A - No code changes
  • ⚠️ CHANGELOG.md updated: Missing - The dependency upgrade should be documented in CHANGELOG.md
    • Location: /home/runner/work/sz-sdk-python-core/sz-sdk-python-core/CHANGELOG.md
    • Recommendation: Add an entry under [Unreleased] section like:
      ### Changed
      - Updated GitHub Actions dependency: actions/download-artifact from v6 to v7
      - Fixed broken documentation URL in Migration.md
  • Markdown files follow CommonMark: The Migration.md change appears properly formatted

Security ✅

  • No hardcoded credentials: No credentials in the diff
  • Input validation implemented: N/A - No new input handling
  • Proper error handling: N/A - No code changes
  • No sensitive data in logs: No logging changes
  • No license files (.lic) or AQAAAD strings: No license files or sensitive strings detected

Detailed Findings

1. GitHub Actions Upgrade (.github/workflows/publish-to-pypi.yaml:65, 86)

Change: actions/download-artifact@v6 → actions/download-artifact@v7

Analysis: ✅ APPROVED

  • This is a legitimate version upgrade for GitHub Actions
  • Both instances updated consistently (lines 65 and 86)
  • Upgrading Actions dependencies is good practice for security and bug fixes
  • The workflow structure remains unchanged, only the version number is updated

2. Documentation URL Fix (Migration.md:525)

Change:

-[breaking-changes]: https://senzing.com/docs/4_beta/4_0_breaking_changes/index.html
+[breaking-changes]: https://www.senzing.com/docs/release/4/4_0_breaking_changes/
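
Review bot: on the + line the link target moves to a different host (www.senzing.com) and a different path (/docs/release/4/..., without index.html), and nothing visible in this change checks that the new address resolves. The [breaking-changes] label itself is unchanged, so existing references in Migration.md keep working; consider running a link check over Migration.md in CI so a later move of the documentation is caught.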

Analysis: ✅ APPROVED

  • This fixes a broken/outdated URL reference
  • The old URL points to a beta documentation path
  • The new URL points to the official release documentation
  • Good maintenance to keep documentation links current

Required Actions

❌ CHANGELOG.md Update Required

File: /home/runner/work/sz-sdk-python-core/sz-sdk-python-core/CHANGELOG.md

The CHANGELOG.md should be updated to document these changes. Add to the [Unreleased] section:

## [Unreleased]

### Changed

- Updated GitHub Actions workflow: actions/download-artifact from v6 to v7
- Updated Migration.md documentation URL to point to release documentation instead of beta

Overall Assessment

Recommendation: ✅ APPROVE WITH MINOR CHANGE

This PR is clean and makes sensible updates:

  • Infrastructure dependency upgrade (GitHub Actions)
  • Documentation link fix

Required before merge:

  • Update CHANGELOG.md with these changes

No blocking issues found. The changes are low-risk maintenance updates that improve the repository's infrastructure and documentation quality.

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

Code Review Analysis

Code Quality

✅ Code Style Compliance

The changes follow basic coding standards. The modifications are minimal and consist of:

  • Version bump in GitHub Actions workflow (v6 → v7)
  • URL update in documentation

✅ No Commented-Out Code

No commented-out code present in the diff.

✅ Meaningful Variable Names

Not applicable - no new variables introduced.

✅ DRY Principle

Not applicable - changes are configuration and documentation updates.

✅ Defects Analysis

No bugs, logic errors, or security vulnerabilities introduced. The changes are:

  1. GitHub Actions version bump (.github/workflows/publish-to-pypi.yaml:65, 86): Updating from actions/download-artifact@v6 to v7 is a standard dependency update.
  2. Documentation URL update (Migration.md:525): Updating the Senzing documentation link from beta to release version.

⚠️ Project Configuration Consideration

The .claude/CLAUDE.md project memory exists and has been considered. These changes don't conflict with any project-specific guidelines. However, note that the project memory mentions the SDK requires "Senzing version >= 4.0.0 and < 5.0.0" - the documentation link update to version 4.0 breaking changes is consistent with this requirement.

Testing

✅ Unit Tests

Not required - these are infrastructure and documentation changes that don't affect code logic.

✅ Integration Tests

Not required - no functional code changes.

✅ Edge Cases

Not applicable.

✅ Test Coverage

Not applicable - no code requiring test coverage was added.

Documentation

✅ Readme Updated

Not applicable - no readme changes needed.

✅ API Docs

Not applicable - no API changes.

✅ Inline Comments

Not applicable - no complex logic added.

❌ CHANGELOG.md Updated

Issue: The CHANGELOG.md has not been updated to reflect these changes. While minor, dependency updates (especially GitHub Actions) should be documented.

Recommendation: Add an entry like:

### Changed
- Updated GitHub Actions `download-artifact` from v6 to v7
- Updated documentation link for Senzing 4.0 breaking changes

⚠️ Markdown Formatting (Migration.md:525)

The updated URL follows CommonMark spec. However, without seeing the full file context, I cannot verify if there are any extra whitespaces or prettier formatting issues in the surrounding content.

Security

✅ No Hardcoded Credentials

No credentials present.

✅ Input Validation

Not applicable.

✅ Proper Error Handling

Not applicable.

✅ No Sensitive Data in Logs

Not applicable.

✅ License Files

No .lic files or AQAAAD strings detected in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor recommendation

The changes are straightforward maintenance updates:

  1. GitHub Actions dependency update is standard practice
  2. Documentation URL correction improves user experience

Action Items:

  1. Minor: Update CHANGELOG.md to document these changes
  2. Verification: Ensure the new documentation URL (https://www.senzing.com/docs/release/4/4_0_breaking_changes/) is accessible and contains the expected content

Risk Level: Low - These changes have minimal impact on functionality and improve the project's maintenance posture.

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

Code Review Analysis

I'll review this pull request against the provided checklist.

Summary

This PR updates the actions/download-artifact GitHub Action from v6 to v7 in two workflow jobs.


Detailed Review

Code Quality

Code follows style guide

  • This is a GitHub Actions workflow update, not application code
  • YAML formatting is correct and consistent
  • No style guide violations

No commented-out code

  • No commented code present

Meaningful variable names

  • N/A - This is a workflow configuration change with no new variables

DRY principle followed

  • The same upgrade is applied consistently across both jobs (publish-to-pypi and github-release)
  • No code duplication issues

No defects identified

  • This is a straightforward dependency version bump
  • The artifact name (python-package-distributions) and path (dist/) remain unchanged, ensuring compatibility
  • No logic errors, edge cases, or security vulnerabilities introduced

Project memory configuration adherence

  • The change doesn't conflict with any project-specific requirements in .claude/CLAUDE.md
  • This is infrastructure code, not SDK code

Testing

⚠️ Testing considerations

  • N/A for direct unit/integration tests - this is CI/CD configuration
  • The workflow itself should be tested by running it, but that's not captured in traditional test files
  • Recommendation: Monitor the next workflow run to ensure artifact download works correctly with v7

Documentation

Documentation requirements

  • README update: Not needed - internal workflow change
  • API docs: Not applicable
  • Inline comments: Not needed for this simple version bump
  • CHANGELOG.md: ❓ Should be updated - This is a dependency update that affects the build/release process
    • Recommended entry: "Updated GitHub Actions actions/download-artifact from v6 to v7"

Markdown formatting

  • The workflow file is YAML, not Markdown
  • No Markdown files modified in this PR

Security

No hardcoded credentials

  • No credentials present

Input validation

  • Not applicable to this change

Proper error handling

  • The GitHub Action handles its own errors
  • No changes to error handling

No sensitive data in logs

  • No logging changes

No license files checked in

  • No .lic files or AQAAAD strings present

Recommendations

  1. CHANGELOG.md Update: Consider adding an entry documenting this dependency update in .github/workflows/publish-to-pypi.yaml:83,85,104,106

  2. Verify Compatibility: Ensure the workflow runs successfully with v7. Check the actions/download-artifact release notes for any breaking changes between v6 and v7.

  3. Consistency Check: Verify if there are other workflows in .github/workflows/ that also use actions/download-artifact@v6 that should be updated for consistency.


Overall Assessment

✅ APPROVED - This is a clean, focused dependency update with no issues identified. The change is minimal, consistent, and follows best practices for keeping GitHub Actions dependencies up to date. Only minor documentation consideration around CHANGELOG.md.

Automated code review analyzing defects and coding standards
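
The consistency check recommended in the review above, combined with the runner-version requirement from the v7 release notes, as an added example (not part of the PR, the reviews, or the project's code). The workflow snippets, the second file name, the function names and the status labels are constructed for illustration.

```python
import re

# Values taken from the page: the action being bumped, the new major version,
# and the minimum Actions Runner version stated in the v7 release notes.
TARGET_ACTION = "actions/download-artifact"
TARGET_MAJOR = 7
MIN_RUNNER_FOR_V7 = (2, 327, 1)

# Matches `uses: owner/repo@ref` with an optional list dash, quotes and comment.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w./-]+)@([\w.-]+)['"]?\s*(?:#.*)?$"""
)

# Constructed sample input: one job already bumped, one left behind, and a
# hypothetical second workflow that tracks a branch on a self-hosted runner.
SAMPLE_WORKFLOWS = {
    ".github/workflows/publish-to-pypi.yaml": """\
jobs:
  publish-to-pypi:
    runs-on: ubuntu-latest
    steps:
      - name: Download distributions
        uses: actions/download-artifact@v7
        with:
          name: python-package-distributions
          path: dist/
  github-release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v6
        with:
          name: python-package-distributions
          path: dist/
""",
    ".github/workflows/example-other.yaml": """\
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@main
""",
}


def find_action_refs(workflow_text, action=TARGET_ACTION):
    """Return (line_number, ref) for every `uses:` of `action` in one file."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == action:
            refs.append((lineno, m.group(2)))
    return refs


def major_of(ref):
    """Major version of a tag such as v6 or v6.0.0; None for SHAs and branches."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", ref):
        return None  # full commit SHA, not a version tag
    m = re.fullmatch(r"v?(\d+)(?:\.\d+){0,2}", ref)
    return int(m.group(1)) if m else None


def audit(workflows):
    """List (path, line, ref, status) for refs that are behind or unclassifiable."""
    findings = []
    for path in sorted(workflows):
        for lineno, ref in find_action_refs(workflows[path]):
            major = major_of(ref)
            if major is None:
                findings.append((path, lineno, ref, "not-a-version-tag"))
            elif major < TARGET_MAJOR:
                findings.append((path, lineno, ref, "outdated"))
    return findings


def runner_supports_v7(runner_version):
    """True if a self-hosted runner version meets the v7 minimum (2.327.1)."""
    parts = [int(p) for p in runner_version.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) >= MIN_RUNNER_FOR_V7
```

To run it against a real checkout, build the `workflows` mapping from the files under `.github/workflows/` and pass the version reported by each self-hosted runner to `runner_supports_v7`.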

@docktermj docktermj merged commit de1ac54 into main Jan 15, 2026
70 of 74 checks passed
@docktermj docktermj deleted the dependabot/github_actions/actions/download-artifact-7 branch January 15, 2026 21:48