Update GitHub actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	major	v3.2.0 → v4.1.0
actions/cache	action	major	v4.3.0 → v5.0.5
actions/checkout	action	major	v5.0.1 → v6.0.2
actions/upload-artifact	action	major	v4.6.2 → v7.0.1
gradle/actions	action	major	v4.4.4 → v6.1.0
jdx/mise-action	action	major	v3.6.3 → v4.0.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in #​836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in #​838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in #​835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v4

Compare Source

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v5

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.0

Compare Source

v5

Compare Source

gradle/actions (gradle/actions)

v6.1.0

Compare Source

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

• Built on @actions/cache -- fully open source
• Caches ~/.gradle/caches and ~/.gradle/wrapper directories
• Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
• Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

• New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
• Simplified licensing notices in README, docs, and runtime log output
• Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

• Use a unique cache entry for wrapper-validation test by @​bigdaz in #​921
• Update Dependencies by @​bigdaz in #​922
• Update dependencies and resolve npm vulnerabilities by @​bigdaz in #​933
• Add open-source 'basic' cache provider and revamp licensing documentation by @​bigdaz in #​930
• Restructure caching documentation for basic and enhanced providers by @​bigdaz in #​934

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @​Goooler in #​792
• Add typing information for use by typesafegithub by @​bigdaz in #​910
• Mute license warning when terms are accepted by @​bigdaz in #​911
• Mention explicit license acceptance in notice by @​bigdaz in #​912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​907

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

• Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.
• Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.
• Dependencies updated to address security vulnerabilities

[!IMPORTANT]

Licensing notice

The caching functionality in `gradle-actions` has been extracted into `gradle-actions-caching`, a proprietary commercial component that is not covered by the MIT License.
The bundled `gradle-actions-caching` component is licensed and governed by a separate license, available at https://gradle.com/legal/terms-of-use/.

The `gradle-actions-caching` component is used only when caching is enabled and is not loaded or used when caching is disabled.

Use of the `gradle-actions-caching` component is subject to a separate license, available at https://gradle.com/legal/terms-of-use/.
If you do not agree to these license terms, do not use the `gradle-actions-caching` component.

What's Changed

• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​866
• Update known wrapper checksums by @​github-actions[bot] in #​868
• Dependency updates by @​bigdaz in #​876
• Update known wrapper checksums by @​github-actions[bot] in #​878
• Bump @​types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @​dependabot[bot] in #​877
• Bump the github-actions group across 3 directories with 3 updates by @​dependabot[bot] in #​867
• Update known wrapper checksums by @​github-actions[bot] in #​881
• Bump the npm-dependencies group in /sources with 6 updates by @​dependabot[bot] in #​879
• Bump the github-actions group across 3 directories with 5 updates by @​dependabot[bot] in #​880
• Remove configuration-cache support by @​bigdaz in #​884
• Extract caching logic into a separate gradle-actions-caching component by @​bigdaz in #​885
• Update gradle-actions-caching library to v0.3.0 by @​bot-githubaction in #​899
• Avoid windows shutdown bug by @​bigdaz in #​900
• Dependency updates by @​bigdaz in #​905
• Fix critical and high npm vulnerabilities by @​bigdaz in #​904
• Fix rendering of job-disabled message by @​bigdaz in #​909

Full Changelog: gradle/actions@v5.0.2...v6.0.0

v6

Compare Source

v5.0.2

Compare Source

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

• Update dependencies by @​bigdaz in #​851
• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​850
• Update DV config by @​bigdaz in #​848
• Convert project to ESM and update dependencies by @​bigdaz in #​854
• Workflow fixes by @​bigdaz in #​856
• Remove superfluous text from log message by @​bigdaz in #​861
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​860
• Bump the npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​859
• Update known wrapper checksums by @​github-actions[bot] in #​857
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.0 to 2.21.1 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​862
• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​863
• Bump github/codeql-action from 4.32.3 to 4.32.4 in the github-actions group across 1 directory by @​dependabot[bot] in #​864

Full Changelog: gradle/actions@v5.0.1...v5.0.2

v5.0.1

Compare Source

What's Changed

• Bump npm code dependency versions
• Bump Gradle versions used in sample builds
• Bump dependencies versions in Gradle sample builds
• Bump GitHub actions used for build and test
• Update known wrapper checksums to include Gradle 9.2+

Full Changelog: gradle/actions@v5.0.0...v5.0.1

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​amyu in #​721

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency upgrades

• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​748

Full Changelog: gradle/actions@v4...v5.0.0

v5

Compare Source

jdx/mise-action (jdx/mise-action)

v4.0.1: : Documentation and Internal Cleanup

Compare Source

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed

• Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @​deining in #​407 and #​408
• Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @​altendky in #​403

New Contributors

• @​deining made their first contribution in #​407

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0

Compare Source

What's Changed

• chore(deps): lock file maintenance by @​renovate[bot] in #​392
• chore(deps): update actions/setup-node digest to 53b8394 by @​renovate[bot] in #​396
• feat!: Update Node.js version from 20 to 24 by @​tumerorkun in #​395
• chore(deps): update github/codeql-action digest to 820e316 by @​renovate[bot] in #​397
• chore: release v4.0.0 by @​mise-en-dev in #​398

New Contributors

• @​tumerorkun made their first contribution in #​395

Full Changelog: jdx/mise-action@v3...v4.0.0

v4

Compare Source

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "after 7am every weekday,before 8pm every weekday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: BUILD-9291

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

SonarQube reviewer guide

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Post-upgrade command 'pre-commit autoupdate --freeze || true' has not been added to the allowed list in allowedCommands

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR updates 6 GitHub Actions dependencies to their latest major versions:

• actions/checkout v5 → v6 (applied across ~10 workflow files and action definitions)
• actions/cache v4 → v5 (cache/save and cache/restore steps)
• actions/upload-artifact v4 → v7 (artifact uploads in builds)
• actions/attest-build-provenance v3 → v4 (build attestation)
• gradle/actions v4 → v6 (Gradle setup)
• jdx/mise-action v3 → v4 (tool version manager)

All changes are version pins (semver tags + commit hashes). The PR is generated via Renovate and includes detailed release notes for each action.

What reviewers should know

Verification checklist:

• Breaking changes: Review the release notes in the description for each action, especially actions/attest-build-provenance (v4 is now a wrapper on actions/attest) and any changes to required inputs
• Configuration compatibility: Scan workflows and action.yml files to ensure no job configurations rely on removed/renamed parameters from v3→v4 jumps
• gradle/actions v6 jump: Two major versions—verify the Gradle setup step in config-gradle/action.yml still works with your Develocity/cache configuration
• Scope: Changes are consistent across all workflows and composite action definitions; no selective updates

Where to focus:

• Start with the high-level impact: test one build workflow (e.g., test-build-number.yml) to confirm checkout v6 + other updates work end-to-end
• Check build-gradle, build-maven, build-npm for any attestation or artifact upload behavior changes with v7 upload-artifact
• Verify mise-action v4 compatibility in the version pinning (currently set to 2026.5.9 etc.)

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

Clean, complete update — no issues. All 6 actions are updated consistently across every workflow file and composite action definition; a grep over all .yml files confirms zero stale SHAs or version tags remain.

🗣️ Give feedback