Bump actions/download-artifact from 7 to 8

[dependabot]

Bumps actions/download-artifact from 7 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• 96bf374 One more test fix
• b8c4819 Fix skip decompress test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Resolves #461
Resolves #460
Resolves actions/download-artifact#460
Resolves actions/download-artifact#461

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary: This PR bumps actions/download-artifact from v7 to v8 in three GitHub Actions workflow files.

---

Code Quality

• ✅ Style guide: The change follows YAML workflow conventions used throughout the repository.
• ✅ No commented-out code: None present.
• ✅ Meaningful variable names: N/A for this change.
• ✅ DRY principle: The same version bump is applied consistently across all three affected files.
• ✅ Defects / logic errors: No logic changes introduced. The bump is a straightforward dependency version update. No race conditions, memory leaks, or security concerns introduced.
• ✅ CLAUDE.md: No issues found with the project configuration.

---

Testing

• ✅ Unit/integration tests: Not applicable — this is a GitHub Actions dependency version bump with no logic changes.
• ✅ Edge cases: N/A.

---

Documentation

• ❌ CHANGELOG.md not updated: The CHANGELOG.md exists but the [Unreleased] section does not reflect this dependency bump. It should include an entry such as:

  - Bump actions/download-artifact from v7 to v8
  

• ✅ README: No README changes required for this type of update.
• ✅ Inline comments: N/A.
• ✅ Markdown formatting: No markdown files were modified.

---

Security

• ✅ No hardcoded credentials: None present.
• ✅ Input validation: N/A.
• ✅ Error handling: N/A.
• ✅ No sensitive data in logs: N/A.
• ✅ No .lic files or AQAAAD strings: None found.

---

Summary

The change is clean and correct. The only issue is:

1. CHANGELOG.md (CHANGELOG.md:8-10) — The [Unreleased] section should be updated to document the actions/download-artifact bump from v7 to v8.

---

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter