Bump actions/download-artifact from 7 to 8 by dependabot[bot] · Pull Request #472 · senzing-garage/sz-sdk-python

dependabot · 2026-04-02T05:04:12Z

Bumps actions/download-artifact from 7 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Don't attempt to un-zip non-zipped downloads by @danwkennedy in actions/download-artifact#460

Add a setting to specify what to do on hash mismatch and default it to error by @danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

3e5f45b Add regression tests for CJK characters (#471)
e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
f258da9 Add change docs
ccc058e Fix linting issues
bd7976b Add a setting to specify what to do on hash mismatch and default it to error
ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
15999bf Add note about package bumps
974686e Bump the version to v8 and add release notes
fbe48b1 Update test names to make it clearer what they do
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Resolves #471
Resolves #472
Resolves #461
Resolves #460
Resolves actions/download-artifact#460
Resolves actions/download-artifact#461

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-04-02T05:05:15Z

🤖 Claude Code Review

Code Review

This PR bumps actions/download-artifact from v7 to v8 in two places within .github/workflows/publish-to-pypi.yaml.

Code Quality

✅ No commented-out code
✅ Meaningful variable names (N/A)
✅ DRY principle (N/A)
✅ No defects — straightforward version bump in two symmetrical locations

Testing

✅ No new functions requiring unit/integration tests
✅ N/A for test coverage

Documentation

❌ CHANGELOG.md not updated — dependency bumps are typically noted in the changelog

Security

✅ No hardcoded credentials
✅ No sensitive data
✅ No license files

Summary: The change is minimal and correct — both occurrences of the action are updated consistently. The only suggestion is to update `CHANGELOG.md` to record the dependency bump if this project maintains one.

Automated code review analyzing defects and coding standards

github-actions · 2026-04-02T05:07:01Z

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

github-actions · 2026-04-02T05:07:53Z

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
src/senzing
szengineflags.py
szerror.py
Project Total

_{This report was generated by python-coverage-comment-action}

…rtifact-8

github-actions · 2026-04-02T12:34:10Z

🤖 Claude Code Review

Code Review

Code Quality

✅ Style guide: Simple version bump, no style concerns.
✅ No commented-out code
✅ DRY principle: Both occurrences updated consistently.
✅ No defects: Straightforward actions/download-artifact version bump from v7 to v8 in .github/workflows/publish-to-pypi.yaml (lines 61 and 80).

Testing

✅ N/A: CI/CD workflow change only — no application logic modified.

Documentation

✅ CHANGELOG.md: Not required for a dependency bump in a CI workflow.
✅ No markdown changes requiring CommonMark validation.

Security

✅ No hardcoded credentials
✅ No sensitive data
✅ No license files

Summary: This is a clean, minimal PR that bumps `actions/download-artifact` from v7 to v8 in both publish jobs (PyPI and Test PyPI). No issues found. Approved.

Automated code review analyzing defects and coding standards

github-actions · 2026-04-02T12:35:43Z

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

dependabot Bot assigned kernelsam Apr 2, 2026

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 2, 2026

dependabot Bot requested a review from a team as a code owner April 2, 2026 05:04

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 2, 2026

docktermj approved these changes Apr 2, 2026

View reviewed changes

Merge branch 'main' into dependabot/github_actions/actions/download-a…

6a6bcbc

…rtifact-8

docktermj enabled auto-merge (squash) April 2, 2026 12:35

docktermj merged commit 7819135 into main Apr 2, 2026
90 checks passed

docktermj deleted the dependabot/github_actions/actions/download-artifact-8 branch April 2, 2026 12:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump actions/download-artifact from 7 to 8#472

Bump actions/download-artifact from 7 to 8#472
docktermj merged 2 commits into
mainfrom
dependabot/github_actions/actions/download-artifact-8

dependabot Bot commented on behalf of github Apr 2, 2026 •

edited by github-actions Bot

Loading

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

dependabot Bot commented on behalf of github Apr 2, 2026 • edited by github-actions Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v8.0.0

v8 - What's new

Direct downloads

Enforced checks (breaking)

ESM

What's Changed

Uh oh!

github-actions Bot commented Apr 2, 2026

🤖 Claude Code Review

Code Review

Code Quality

Testing

Documentation

Security

Summary: The change is minimal and correct — both occurrences of the action are updated consistently. The only suggestion is to update CHANGELOG.md to record the dependency bump if this project maintains one.

Uh oh!

github-actions Bot commented Apr 2, 2026

Super-linter summary

Uh oh!

github-actions Bot commented Apr 2, 2026

Coverage report

Uh oh!

github-actions Bot commented Apr 2, 2026

🤖 Claude Code Review

Code Review

Code Quality

Testing

Documentation

Security

Summary: This is a clean, minimal PR that bumps actions/download-artifact from v7 to v8 in both publish jobs (PyPI and Test PyPI). No issues found. Approved.

Uh oh!

github-actions Bot commented Apr 2, 2026

Super-linter summary

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot Bot commented on behalf of github Apr 2, 2026 •

edited by github-actions Bot

Loading

Summary: The change is minimal and correct — both occurrences of the action are updated consistently. The only suggestion is to update `CHANGELOG.md` to record the dependency bump if this project maintains one.

Summary: This is a clean, minimal PR that bumps `actions/download-artifact` from v7 to v8 in both publish jobs (PyPI and Test PyPI). No issues found. Approved.