chore(deps): update github actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v5 → v6
actions/create-github-app-token	action	major	v2 → v3
actions/download-artifact	action	major	v6 → v8
actions/upload-artifact	action	major	v5 → v7

---

Release Notes

actions/checkout (actions/checkout)

v6

Compare Source

actions/create-github-app-token (actions/create-github-app-token)

v3

Compare Source

actions/download-artifact (actions/download-artifact)

v8

Compare Source

v7

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7

Compare Source

v6

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflow files to bump pinned action versions: actions/checkout updated to v6 (SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd) across build.yml, check-release.yml, ci.yml, publish-release.yml, and update-integration-tests.yml; actions/upload-artifact and actions/download-artifact were also updated in build.yml and check-release.yml to newer SHAs. No other workflow logic, parameters, or public API changes were made.

Sequence Diagram(s)

(omitted — changes are version bumps only, no new multi-component control flow)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore(deps): update github actions (major) #21 — Also updates actions/checkout to v6 across workflow files.
• chore(deps): update github actions (major) #48 — Updates actions/upload-artifact and actions/download-artifact versions in workflows.

Suggested reviewers

• saltenasl
• Artmann
• dinohamzic

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title directly describes the main change: updating GitHub Actions to major versions across all workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Updates Docs	✅ Passed	Dependency maintenance update with no new features; documentation updates not required.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.56%. Comparing base (4eede54) to head (a0980a3).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #71   +/-   ##
=======================================
  Coverage   69.56%   69.56%           
=======================================
  Files          13       13           
  Lines         253      253           
  Branches       28       28           
=======================================
  Hits          176      176           
  Misses         73       73           
  Partials        4        4           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/check-release.yml:
- Around line 41-45: The "Upload Distributions" GitHub Action step using
actions/upload-artifact (the step named "Upload Distributions" / uses:
actions/upload-artifact@...) must be updated to include include-hidden-files:
true and if-no-files-found: error so dot-prefixed directories under
.jupyter_releaser_checkout/dist are uploaded and the workflow fails when no
files are found; add those two inputs to the step configuration to fix the
silent no-op behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f49d5a6b-232e-4fa3-a2cd-8f754217183e

📥 Commits

Reviewing files that changed from the base of the PR and between 6ac6b42 and fd168f3.

📒 Files selected for processing (5)

• .github/workflows/build.yml
• .github/workflows/check-release.yml
• .github/workflows/ci.yml
• .github/workflows/publish-release.yml
• .github/workflows/update-integration-tests.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/upload-artifact v7 include-hidden-files dot directory behavior

💡 Result:

In actions/upload-artifact@v7, hidden (“dot”) files and directories are excluded by default—this behavior has been in place since upload-artifact@v4.4+. Hidden files are defined as any file starting with . or any file inside a directory starting with . (on Windows, the filesystem “hidden” attribute alone does not count unless the name starts with .). [1]

So if you set:

- uses: actions/upload-artifact@v7
  with:
    path: .

then anything under ./.something/... is skipped unless you explicitly enable:

include-hidden-files: true

With include-hidden-files: true, dotfiles/dot-directories under the provided path (including .) are included, and you can still exclude specific sensitive paths via negated patterns (e.g. !path/output/.production.env). [1]

Separately (not about dotfiles), v7 also introduced support for uploading non-zipped artifacts when archive: false is set. [2]

Sources:
[1] actions/upload-artifact README – “Uploading Hidden Files” / include-hidden-files input and definition of hidden files
[2] GitHub Changelog (2026-02-26) – non-zipped artifacts apply to actions/upload-artifact v7 with archive: false

---

🏁 Script executed:

# Check the workflow file to understand context
cat -n .github/workflows/check-release.yml | sed -n '35,50p'

Repository: deepnote/jupyterlab-deepnote

Length of output: 584

---

🌐 Web query:

actions/upload-artifact v7 if-no-files-found default value

💡 Result:

For actions/upload-artifact@v7, the if-no-files-found input defaults to warn (the step succeeds but prints a warning if no files match the path). Available values are warn, error, and ignore. [1]

Source(s):

• [1] (github.com)

Citations:

• 1: https://github.com/actions/upload-artifact

---

Add include-hidden-files: true and if-no-files-found: error.

upload-artifact@v7 skips files in dot-prefixed directories by default, and if-no-files-found defaults to warn. This step uploads from .jupyter_releaser_checkout/dist, so it will silently pass without uploading anything.

Suggested fix

       - name: Upload Distributions
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
           path: .jupyter_releaser_checkout/dist
+          include-hidden-files: true
+          if-no-files-found: error

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Upload Distributions
	uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
	with:
	name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
	path: .jupyter_releaser_checkout/dist
	- name: Upload Distributions
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
	with:
	name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
	path: .jupyter_releaser_checkout/dist
	include-hidden-files: true
	if-no-files-found: error

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check-release.yml around lines 41 - 45, The "Upload
Distributions" GitHub Action step using actions/upload-artifact (the step named
"Upload Distributions" / uses: actions/upload-artifact@...) must be updated to
include include-hidden-files: true and if-no-files-found: error so dot-prefixed
directories under .jupyter_releaser_checkout/dist are uploaded and the workflow
fails when no files are found; add those two inputs to the step configuration to
fix the silent no-op behavior.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/check-release.yml (1)

41-45: ⚠️ Potential issue | 🟠 Major

Add include-hidden-files: true for dot-prefixed path.

upload-artifact@v7 excludes dot-directories by default. Path .jupyter_releaser_checkout/dist won't upload without it. Also consider if-no-files-found: error to catch failures.

Suggested fix

       - name: Upload Distributions
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: jupyterlab_deepnote-releaser-dist-${{ github.run_number }}
           path: .jupyter_releaser_checkout/dist
+          include-hidden-files: true
+          if-no-files-found: error

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check-release.yml around lines 41 - 45, The "Upload
Distributions" GitHub Action step currently uses actions/upload-artifact@v7 but
will skip dot-prefixed directories like .jupyter_releaser_checkout; update the
step (named "Upload Distributions") to add include-hidden-files: true so the
.jupyter_releaser_checkout/dist artifact is uploaded, and also add
if-no-files-found: error to fail the workflow if the path is missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 100-102: The download-artifact step using
"actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" needs
updating for v8 breaking changes: verify the workflow does not rely on automatic
decompression for the artifact named "extension-artifacts" and, if it does, add
the skip-decompress option (skip-decompress: true) and handle decompression
explicitly; also decide how to handle digest mismatches by adding the
digest-mismatch option (e.g., digest-mismatch: warn or ignore) or update test
expectations to accept errors, and confirm the runner version meets the new
minimum (≥ 2.327.1) before switching to v8.

---

Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 41-45: The "Upload Distributions" GitHub Action step currently
uses actions/upload-artifact@v7 but will skip dot-prefixed directories like
.jupyter_releaser_checkout; update the step (named "Upload Distributions") to
add include-hidden-files: true so the .jupyter_releaser_checkout/dist artifact
is uploaded, and also add if-no-files-found: error to fail the workflow if the
path is missing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 53be7187-f5bf-4172-8066-92eb710ff78b

📥 Commits

Reviewing files that changed from the base of the PR and between fd168f3 and a0980a3.

📒 Files selected for processing (5)

• .github/workflows/build.yml
• .github/workflows/check-release.yml
• .github/workflows/ci.yml
• .github/workflows/publish-release.yml
• .github/workflows/update-integration-tests.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/download-artifact v8 breaking changes from v6

💡 Result:

Breaking changes (and upgrade-impacting changes) when moving from actions/download-artifact@v6 → @v8:

• Runner/runtime change (v7): @v7 runs on Node.js 24 by default (runs.using: node24) and requires Actions Runner ≥ 2.327.1 (notably affects self-hosted runners). In @v6, Node 24 support existed, but the action still defaulted to Node 20. [1] [2]
• Hash/digest mismatch now fails the job (v8): @v8 changes the default behavior for a download digest/hash mismatch from warning → error (workflow fails). You can control this with the new digest-mismatch setting. [3]
• Decompression behavior changed for “direct / non-zipped” artifact downloads (v8): @v8 no longer blindly unzips everything; it checks Content-Type and skips unzipping for non-zip downloads (added for “non-zipped artifacts” / direct uploads). There’s a new skip-decompress option to control this behavior. [3] [4]
• Packaging change (v8): the action was migrated to ESM; this is intended to be transparent for normal usage, but forks/custom builds may need significant changes. [3]

Sources:
[1] actions/download-artifact v7.0.0 release notes (Node 24 default + runner minimum)
[2] actions/download-artifact v6.0.0 release notes (Node 24 support, but not default)
[3] actions/download-artifact v8.0.0 release notes (ESM, digest-mismatch default error, decompression changes)
[4] GitHub Changelog: non-zipped artifact upload/download support (requires download-artifact@v8 for that mode)

---

Address v6→v8 breaking changes in download-artifact.

v8 has significant breaking changes: artifact decompression behavior changed (now checks Content-Type instead of blindly unzipping), digest mismatches error by default instead of warn, and requires Actions Runner ≥ 2.327.1. Verify workflow doesn't rely on auto-decompression and test digest mismatch handling. Consider adding digest-mismatch and skip-decompress options if needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 100 - 102, The download-artifact
step using "actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"
needs updating for v8 breaking changes: verify the workflow does not rely on
automatic decompression for the artifact named "extension-artifacts" and, if it
does, add the skip-decompress option (skip-decompress: true) and handle
decompression explicitly; also decide how to handle digest mismatches by adding
the digest-mismatch option (e.g., digest-mismatch: warn or ignore) or update
test expectations to accept errors, and confirm the runner version meets the new
minimum (≥ 2.327.1) before switching to v8.