[deps]: Update GitHub Artifact Actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/download-artifact	action	major	v5.0.0 -> v6.0.0
actions/upload-artifact	action	major	v4.6.0 -> v5.0.0
actions/upload-artifact	action	major	v4.6.2 -> v5.0.0

---

Release Notes

actions/download-artifact (actions/download-artifact)

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v5.0.0

Compare Source

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-27974
• Link: https://bitwarden.atlassian.net/browse/PM-27974

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.11%. Comparing base (db16c20) to head (2ff61c4).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17305      +/-   ##
==========================================
- Coverage   41.11%   41.11%   -0.01%     
==========================================
  Files        3543     3543              
  Lines      101843   101849       +6     
  Branches    15265    15266       +1     
==========================================
- Hits        41872    41871       -1     
- Misses      58208    58214       +6     
- Partials     1763     1764       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[djsmith85]

They mention, a breaking change by supporting Node 24. From the the way it is phrased I don't we are required to bump our workflows to use Node24 and can stay on Node 22. Currently I'd say this is save, but wanted to check with @bitwarden/dept-bre first. Any concerns?

[claude]

Claude finished @renovate[bot]'s task —— View job

---

PR Review: GitHub Artifact Actions Update

Summary

This renovate PR updates GitHub Actions for artifact handling from v4/v5 to v5/v6 respectively. The changes are technically correct and safe to merge. All version updates are applied consistently across 5 workflow files.

Version Updates

• actions/upload-artifact: v4.6.0 and v4.6.2 → v5.0.0 (57 occurrences)
• actions/download-artifact: v5.0.0 → v6.0.0 (8 occurrences)

Review Findings

Clean PR - No issues found

The PR successfully updates artifact actions across all build workflows. The changes are:

• ✅ Consistently applied across all 5 workflow files
• ✅ SHA hashes correctly updated alongside version tags
• ✅ No breaking changes in action usage patterns
• ✅ CI checks passing (confirmed by reviewers)
• ✅ Already approved by 2 team members (@djsmith85 and @gitclonebrian)

Breaking Change Note

The v6.0.0 release mentions Node v24.x support as a "breaking change," but this is labeled conservatively. The actions remain compatible with existing Node.js versions (Node 22 is still fully supported). This is not a functional breaking change requiring workflow modifications.

Recommendation

Approve and merge. This is a routine dependency update with no functional impact. The PR is ready for merge based on successful CI runs and team approvals.

[github-actions]

Checkmarx One – Scan Summary & Details – c8af65e7-7953-456f-892a-1a7ba2161c7e

Fixed Issues (53)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2024-40643	Npm-htmlparser2-3.10.1
	CVE-2025-12432	Npm-electron-37.7.0
	CVE-2025-12433	Npm-electron-37.7.0
	CVE-2025-12436	Npm-electron-37.7.0
	CVE-2025-7783	Npm-form-data-3.0.3
	CVE-2025-11205	Npm-electron-37.7.0
	CVE-2025-11206	Npm-electron-37.7.0
	CVE-2025-11209	Npm-electron-37.7.0
	CVE-2025-11458	Npm-electron-37.7.0
	CVE-2025-11460	Npm-electron-37.7.0
	CVE-2025-11756	Npm-electron-37.7.0
	CVE-2025-12036	Npm-electron-37.7.0
	CVE-2025-12428	Npm-electron-37.7.0
	CVE-2025-12429	Npm-electron-37.7.0
	CVE-2025-12430	Npm-electron-37.7.0
	CVE-2025-12437	Npm-electron-37.7.0
	CVE-2025-12438	Npm-electron-37.7.0
	CVE-2025-13226	Npm-electron-37.7.0
	CVE-2025-13227	Npm-electron-37.7.0
	CVE-2025-30360	Npm-webpack-dev-server-5.2.0
	CVE-2025-59343	Npm-tar-fs-2.1.3
	CVE-2025-64756	Npm-glob-10.4.5
	CVE-2025-64756	Npm-glob-11.0.3
	Cx39aef355-ca85	Npm-@eslint/plugin-kit-0.2.8
	Cxdca8e59f-8bfe	Npm-inflight-1.0.6
	CVE-2025-11207	Npm-electron-37.7.0
	CVE-2025-11208	Npm-electron-37.7.0
	CVE-2025-11210	Npm-electron-37.7.0
	CVE-2025-11211	Npm-electron-37.7.0
	CVE-2025-12431	Npm-electron-37.7.0
	CVE-2025-12435	Npm-electron-37.7.0
	CVE-2025-12439	Npm-electron-37.7.0
	CVE-2025-12440	Npm-electron-37.7.0
	CVE-2025-12443	Npm-electron-37.7.0
	CVE-2025-12444	Npm-electron-37.7.0
	CVE-2025-12445	Npm-electron-37.7.0
	CVE-2025-12446	Npm-electron-37.7.0
	CVE-2025-12447	Npm-electron-37.7.0
	CVE-2025-30359	Npm-webpack-dev-server-5.2.0
	CVE-2025-54798	Npm-tmp-0.2.3
	CVE-2025-54798	Npm-tmp-0.0.33
	CVE-2025-59288	Npm-playwright-1.53.1
	CVE-2025-62522	Npm-vite-6.3.5
	CVE-2025-62522	Npm-vite-6.2.7
	CVE-2025-62595	Npm-koa-2.16.1
	CVE-2025-8129	Npm-koa-2.16.1
	CVE-2025-58751	Npm-vite-6.3.5
	CVE-2025-58751	Npm-vite-6.2.7
	CVE-2025-58752	Npm-vite-6.2.7
	CVE-2025-7339	Npm-on-headers-1.0.2
	Cx8bc4df28-fcf5	Npm-debug-2.6.9
	Cx8bc4df28-fcf5	Npm-debug-3.2.7
	Cxda14f253-4e52	Npm-bluebird-3.7.2

[gitclonebrian]

updated actions ran successfully in the PR checks, and other prod workflows are using upload-artifacts v5.0.0 successfully. 🚀

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.