chore(deps): bump the actions group across 1 directory with 8 updates

[dependabot]

Bumps the actions group with 8 updates in the / directory:

Package	From	To
actions/checkout	4.3.1	6.0.2
benchmark-action/github-action-benchmark	1.21.0	1.22.0
actions/upload-artifact	4.6.2	7.0.0
actions/download-artifact	4.2.1	8.0.1
marocchino/sticky-pull-request-comment	2.9.1	3.0.2
taiki-e/install-action	2.69.9	2.70.3
dorny/test-reporter	1.9.1	3.0.0
codecov/codecov-action	5.5.3	6.0.0

Updates actions/checkout from 4.3.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates benchmark-action/github-action-benchmark from 1.21.0 to 1.22.0

Release notes

Sourced from benchmark-action/github-action-benchmark's releases.

v1.22.0

• chore bump node to 24 (#339)

Full Changelog: benchmark-action/github-action-benchmark@v1.21.0...v1.22.0

Changelog

Sourced from benchmark-action/github-action-benchmark's changelog.

Unreleased

v1.22.0 - 31 Mar 2026

• chore bump node to 24 (#339)

v1.21.0 - 02 Mar 2026

• fix include package name for duplicate bench names (#330)
• fix avoid duplicate package suffix in Go benchmarks (#337)

v1.20.7 - 06 Sep 2025

• fix improve parsing for custom benchmarks (#323)

v1.20.5 - 02 Sep 2025

• feat allow to parse generic cargo bench/criterion units (#280)
• fix add summary even when failure threshold is surpassed (#285)
• fix time units are not normalized (#318)

v1.20.4 - 23 Oct 2024

• feat add typings and validation workflow (#257)

v1.20.3 - 19 May 2024

• fix Catch2 v.3.5.0 changed output format (#247)

v1.20.2 - 19 May 2024

• fix Support sub-nanosecond precision on Cargo benchmarks (#246)

v1.20.1 - 02 Apr 2024

• fix release script

v1.20.0 - 02 Apr 2024

• fix Rust benchmarks not comparing to baseline (#235)
• feat Comment on PR and auto update comment (#223)

v1.19.3 - 02 Feb 2024

• fix ratio is NaN when previous value is 0. Now, print 1 when both values are 0 and +-∞ when divisor is 0 (#222)
• fix action hangs in some cases for go fiber benchmarks (#225)

v1.19.2 - 26 Jan 2024

• fix markdown rendering for summary is broken (#218)

... (truncated)

Commits

• a60cea5 release v1.22.0
• See full diff in compare view

Updates actions/upload-artifact from 4.6.2 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

... (truncated)

Commits

• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• ddc45ed docs: update README to correct action name for Node.js 24 support
• 615b319 chore: release v6.0.0 for Node.js 24 support
• 017748b Merge pull request #744 from actions/fix-storage-blob
• 38d4c79 chore: rebuild dist
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.2.1 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/download-artifact#440
• Download Artifact Node24 support by @​salmanmkc in actions/download-artifact#415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in actions/download-artifact#451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in actions/download-artifact#452

... (truncated)

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates marocchino/sticky-pull-request-comment from 2.9.1 to 3.0.2

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.2

What's Changed

• Add comprehensive tests for main.ts covering all branches by @​Copilot in marocchino/sticky-pull-request-comment#1660
• Don't create a comment with hide: true by @​marocchino in marocchino/sticky-pull-request-comment#1661

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.1...v3.0.2

v3.0.1

What's Changed

• Update deps
• Change build system from ncc to rollup
• Use pull_request trigger in github action

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.0...v3.0.1

v3.0.0

What's Changed

• Update node to 24
• Update deps

New Contributors

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.4...v3.0.0

v2.9.4

What's Changed

• build(deps-dev): Bump @​biomejs/biome from 2.0.0 to 2.0.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1554
• build(deps-dev): Bump @​types/node from 24.0.3 to 24.0.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1561
• build(deps-dev): Bump @​biomejs/biome from 2.0.4 to 2.1.1 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1562
• build(deps-dev): Bump @​types/node from 24.0.11 to 24.0.12 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1563
• build(deps-dev): Bump @​types/node from 24.0.12 to 24.0.13 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1564

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

What's Changed

• Update deps (including security issues)
• Test with vitest instead of jest
• Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

What's Changed

• Update @​octokit/graphql-schema & use biome by @​marocchino in marocchino/sticky-pull-request-comment#1517
• build(deps): Bump undici from 5.28.4 to 5.28.5 by @​dependabot in marocchino/sticky-pull-request-comment#1476
• build(deps-dev): Bump @​types/node from 22.10.7 to 22.14.0 by @​dependabot in marocchino/sticky-pull-request-comment#1515

... (truncated)

Commits

• 70d2764 📦️ Build
• 308b2fd Don't create a comment with hide: true (#1661)
• 3bbec31 Add comprehensive tests for main.ts covering all branches (#1660)
• aaf6178 🔖 Version bump (#1658)
• 7d67ef6 👷 Use pull_request
• 1ed3d7b ⬆️ Update deps
• 46a16ec build(deps-dev): Bump @​types/node from 24.5.2 to 25.0.3 (#1646)
• 0a36b9e build(deps): Bump @​actions/core from 1.11.1 to 2.0.2 (#1649)
• 74297c9 build(deps-dev): Bump @​vercel/ncc from 0.38.3 to 0.38.4 (#1592)
• e736d73 📦️ Build
• Additional commits viewable in compare view

Updates taiki-e/install-action from 2.69.9 to 2.70.3

Release notes

Sourced from taiki-e/install-action's releases.

2.70.3

• Update wasm-bindgen@latest to 0.2.116.

• Update cargo-insta@latest to 1.47.2.

• Update tombi@latest to 0.9.12.

• Update biome@latest to 2.4.10.

2.70.2

• Update vacuum@latest to 0.25.3.

• Update tombi@latest to 0.9.11.

2.70.1

• Update cargo-insta@latest to 1.47.1.

• Update cargo-binstall@latest to 1.17.9.

• Update tombi@latest to 0.9.10.

2.70.0

• Install uv, uvw (Windows-only), and uvx binaries when installing uv. Previously, only uv binary was installed. (#1632)

2.69.14

• Update just@latest to 1.48.1.

• Update wasm-bindgen@latest to 0.2.115.

2.69.13

• Update mise@latest to 2026.3.17.

• Update cargo-insta@latest to 1.47.0.

2.69.12

• Update uv@latest to 0.11.2.

2.69.11

• Update dprint@latest to 0.53.1.

• Update mise@latest to 2026.3.16.

2.69.10

• Update biome@latest to 2.4.9.

• Update mise@latest to 2026.3.15.

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

• Update mise@latest to 2026.3.18.

[2.70.3] - 2026-03-31

• Update wasm-bindgen@latest to 0.2.116.

• Update cargo-insta@latest to 1.47.2.

• Update tombi@latest to 0.9.12.

• Update biome@latest to 2.4.10.

[2.70.2] - 2026-03-30

• Update vacuum@latest to 0.25.3.

• Update tombi@latest to 0.9.11.

[2.70.1] - 2026-03-29

• Update cargo-insta@latest to 1.47.1.

• Update cargo-binstall@latest to 1.17.9.

• Update tombi@latest to 0.9.10.

[2.70.0] - 2026-03-28

• Install uv, uvw (Windows-only), and uvx binaries when installing uv. Previously, only uv binary was installed. (#1632)

[2.69.14] - 2026-03-28

• Update just@latest to 1.48.1.

• Update wasm-bindgen@latest to 0.2.115.

[2.69.13] - 2026-03-27

... (truncated)

Commits

• 6ef672e Release 2.70.3
• f89faaa Update wasm-bindgen@latest to 0.2.116
• 9adcff1 Update cargo-insta@latest to 1.47.2
• a322a79 Update tombi@latest to 0.9.12
• 875d0e5 Update biome@latest to 2.4.10
• e9e8e03 Release 2.70.2
• f225969 Update vacuum@latest to 0.25.3
• 2e8700a Update tombi@latest to 0.9.11
• 41213fb zizmor: Apply more lints
• fd0f63e Release 2.70.1
• Additional commits viewable in compare view

Updates dorny/test-reporter from 1.9.1 to 3.0.0

Release notes

Sourced from dorny/test-reporter's releases.

v3.0.0

Note: The v3 release requires NodeJS 24 runtime on GitHub Actions runners.

What's Changed

• Upgrade action runtime to Node.js 24 by @​dav-tb in dorny/test-reporter#738
• Explicitly use lowest permissions required to run workflow by @​jozefizso in dorny/test-reporter#745

Other Changes

• Bump @​typescript-eslint/parser from 8.57.0 to 8.57.1 by @​dependabot[bot] in dorny/test-reporter#742
• Bump @​types/adm-zip from 0.5.7 to 0.5.8 by @​dependabot[bot] in dorny/test-reporter#743
• Bump flatted from 3.4.1 to 3.4.2 by @​dependabot[bot] in dorny/test-reporter#744

New Contributors

• @​dav-tb made their first contribution in dorny/test-reporter#738

Full Changelog: dorny/test-reporter@v2.7.0...v3.0.0

v2.7.0

What's Changed

• Feature: Add slug-prefix output for link anchors dorny/test-reporter#731
• Feature: Report jest-junit testsuite errors as failures dorny/test-reporter#155
• Security: Update dependencies to fix reported security vulnerabilities

Other Changes

• Bump eslint from 9.39.3 to 9.39.4 by @​dependabot[bot] in dorny/test-reporter#732
• Bump @​typescript-eslint/parser from 8.56.1 to 8.57.0 by @​dependabot[bot] in dorny/test-reporter#733
• Bump jest from 30.2.0 to 30.3.0 by @​dependabot[bot] in dorny/test-reporter#734
• Bump undici from 6.23.0 to 6.24.1 by @​dependabot[bot] in dorny/test-reporter#736
• Update flatted package to v3.4.1 to fix a vulnerability by @​jozefizso in dorny/test-reporter#739

New Contributors

• @​dt-thomas-durand made their first contribution in dorny/test-reporter#731
• @​johnbartholomew made their first contribution in dorny/test-reporter#155

Full Changelog: dorny/test-reporter@v2.6.0...v2.7.0

v2.6.0

We updated all dependency packages to latest versions to fix reported security vulnerabilities.

What's Changed

• Fix: For workflow_run events, resolve the commit of the check run from related pull request head commits first (matching workflow_run.head_branch, then first PR), and fall back to workflow_run.head_sha for non-PR runs dorny/test-reporter#673
• Change: The test-reporter action will listed all artifacts associated with the build run dorny/test-reporter#693
• Maintenance: Upgrade to ESLint v9 dorny/test-reporter#629

New Contributors

• @​azchohfi made their first contribution in dorny/test-reporter#673

Full Changelog: dorny/test-reporter@v2.5.0...v2.6.0

... (truncated)

Changelog

Sourced from dorny/test-reporter's changelog.

Changelog

3.0.0

• Feature: Use NodeJS 24 LTS as default runtime dorny/test-reporter#738

2.7.0

• Feature: Add slug-prefix output for link anchors dorny/test-reporter#731
• Feature: Report jest-junit testsuite errors as failures dorny/test-reporter#155
• Security: Update dependencies to fix reported security vulnerabilities

2.6.0

• Fix: For workflow_run events, resolve the commit of the check run from related pull request head commits first (matching workflow_run.head_branch, then first PR), and fall back to workflow_run.head_sha for non-PR runs dorny/test-reporter#673
• Change: The test-reporter action will listed all artifacts associated with the build run dorny/test-reporter#693
• Maintenance: Upgrade to ESLint v9 dorny/test-reporter#629

2.5.0

• Feature: Add Nette Tester support with tester-junit reporter dorny/test-reporter#707
• Maintenance: Bump actions/upload-artifact from 5 to 6 dorny/test-reporter#695

2.4.0

• Feature: Add PHPUnit support with JUnit XML dialect parser dorny/test-reporter#422
• Feature: Add JUnit XML sample files and tests for validation dorny/test-reporter#701
• Fix: Refactor deprecated String.substr() function to use String.substring() dorny/test-reporter#704

2.3.0

• Feature: Add Python support with python-xunit reporter (pytest) dorny/test-reporter#643
• Feature: Add pytest traceback parsing and directory-mapping option dorny/test-reporter#238
• Performance: Update sax.js to fix large XML file parsing dorny/test-reporter#681
• Documentation: Complete documentation for all supported reporters dorny/test-reporter#691
• Security: Bump js-yaml and mocha in /reports/mocha (fixes prototype pollution) dorny/test-reporter#682

2.2.0

• Feature: Add collapsed option to control report summary visibility dorny/test-reporter#664
• Fix badge encoding for values including underscore and hyphens dorny/test-reporter#672
• Fix missing report-title attribute in action definition dorny/test-reporter#637
• Refactor variable names to fix shadowing issues dorny/test-reporter#630

2.1.1

• Fix error when a TestMethod element does not have a className attribute in a trx file dorny/test-reporter#623
• Add stack trace from trx to summary dorny/test-reporter#615
• List only failed tests dorny/test-reporter#606
• Add type definitions to github-utils.ts dorny/test-reporter#604
• Avoid split on undefined dorny/test-reporter#258
• Return links to summary report dorny/test-reporter#588
• Add step summary short summary dorny/test-reporter#589
• Fix for empty TRX TestDefinitions dorny/test-reporter#582
• Increase step summary limit to 1MiB dorny/test-reporter#581
• Fix input description for list options dorny/test-reporter#572

2.1.0

... (truncated)

Commits

• a43b3a5 test-reporter release v3.0.0
• 79216dc Merge pull request #744 from dorny/dependabot/npm_and_yarn/flatted-3.4.2
• 62c3873 Merge pull request #745 from dorny/feature/workflow_permissions
• bd74ca6 Explicitly use lowest permissions required to run workflow
• 0c2b2aa Merge pull request #738 from dav-tb/feature/node24-runtime
• f7eee30 Use the @types/node definitions for NodeJS 24 runtime
• ad0a96f Upgrade action runtime to Node.js 24
• 543415c Merge pull request #741 from dorny/release/v2.7.0
• f1284d0 Bump flatted from 3.4.1 to 3.4.2
• 3c1b53f Merge pull request #743 from dorny/dependabot/npm_and_yarn/types/adm-zip-0.5.8
• Additional commits viewable in compare view

Updates codecov/codecov-action from 5.5.3 to 6.0.0

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.0

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in codecov/codecov-action#1929
• Th/6.0.0 by @​thomasrockhu-codecov in codecov/codecov-action#1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v5.5.4

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in codecov/codecov-action#1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in codecov/codecov-action#1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by

[github-actions]

Benchmark Report

_{Commit: 74b6b676a7ae1a54cef3498cf727ef0b0c2dd860}

Sequence Lock (mantis-seqlock)

Linux

CPU: AMD EPYC 7763 64-Core Processor | Arch: x86_64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

seqlock_read_contended

Variant	ns/op
u64	66.87
msg64	225.51

seqlock_read_uncontended

Variant	ns/op
u64	0.63
msg64	1.43
msg128	2.5

seqlock_write

Variant	ns/op
u64	1.56
msg64	1.88
msg128	3.12

macOS

CPU: Apple M1 (Virtual) | Arch: arm64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

seqlock_read_contended

Variant	ns/op
u64	405.14
msg64	941.19

seqlock_read_uncontended

Variant	ns/op
u64	1.26
msg64	1.96
msg128	3.9

seqlock_write

Variant	ns/op
u64	6.29
msg64	6.55
msg128	7.17

Fixed-Point Arithmetic (mantis-fixed)

Linux

CPU: AMD EPYC 7763 64-Core Processor | Arch: x86_64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

fixed_checked_add

Variant	ns/op
FixedI64_6_	1.25
raw_i64	1.25

fixed_checked_div

Variant	ns/op
trunc	5.09
round	5.93

fixed_checked_mul_trunc

Variant	ns/op
D=4	3.92
D=2	4.2
D=6	4.34
D=8	4.35

fixed_decimal_parse

Variant	ns/op
f64_roundtrip_short_0.53	12.18
mantis_bytes_integer_67396	14.1
mantis_bytes_short_0.53	14.99
mantis_str_short_0.53	14.99
f64_roundtrip_medium_67396.70	15.66
mantis_bytes_medium_67396.70	17.63
mantis_str_medium_67396.70	17.76
mantis_bytes_long_0.00012345	22.86

fixed_display

Variant	ns/op
FixedI64_6_	49.05

fixed_mul_round_vs_trunc

Variant	ns/op
trunc	4.34
round	13.63

fixed_parse

Variant	ns/op
short	11.9
integer_only	15.45
full_precision	19.43

fixed_rescale

Variant	ns/op
D2_to_D8_widen	0.63
D6_to_D2_trunc	0.92

macOS

CPU: Apple M1 (Virtual) | Arch: arm64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

fixed_checked_add

Variant	ns/op
FixedI64_6_	1.7
raw_i64	1.71

fixed_checked_div

Variant	ns/op
trunc	3.1
round	4.2

fixed_checked_mul_trunc

Variant	ns/op
D=4	1.85
D=8	1.85
D=6	1.88
D=2	1.96

fixed_decimal_parse

Variant	ns/op
f64_roundtrip_short_0.53	6.62
mantis_bytes_short_0.53	7.75
mantis_str_short_0.53	7.98
mantis_bytes_integer_67396	8.49
f64_roundtrip_medium_67396.70	8.78
mantis_str_medium_67396.70	13.55
mantis_bytes_medium_67396.70	13.64
mantis_bytes_long_0.00012345	14.37

fixed_display

Variant	ns/op
FixedI64_6_	32.74

fixed_mul_round_vs_trunc

Variant	ns/op
trunc	1.85
round	2.19

fixed_parse

Variant	ns/op
short	7.47
integer_only	9.78
full_precision	17.94

fixed_rescale

Variant	ns/op
D2_to_D8_widen	0.48
D6_to_D2_trunc	0.48

Market-State Engine (mantis-market-state)

Linux

CPU: AMD EPYC 7763 64-Core Processor | Arch: x86_64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

market_state_array_book

Variant	ns/op
best_bid	0.94
apply_delta	1.87

market_state_engine

Variant	ns/op
micro_price	3.13
process_delta_mid_batch	4.06
process_delta_batch_end	19.97
book_imbalance_5	165.45

macOS

CPU: Apple M1 (Virtual) | Arch: arm64 | Compiler: rustc 1.97.0-nightly (17584a181 2026-04-13)

market_state_array_book

Variant	ns/op
best_bid	0.63
apply_delta	0.98

market_state_engine

Variant	ns/op
micro_price	1.92
process_delta_mid_batch	2.52
process_delta_batch_end	22.88
book_imbalance_5	127.52

[coderabbitai]

📝 Walkthrough

Walkthrough

Multiple GitHub Actions workflows are updated with newer pinned versions across checkout, artifact upload/download, testing, reporting, and code coverage actions. Each workflow step reference is bumped to newer stable versions while preserving all existing configuration, inputs, and logic.

Changes

Cohort / File(s)	Summary
Checkout Action Upgrades .github/workflows/bench.yml, .github/workflows/ci.yml, .github/workflows/nightly.yml, .github/workflows/verify.yml	actions/checkout bumped from v4 pinned SHA to v6.0.2 across all workflows.
Artifact Management .github/workflows/bench.yml, .github/workflows/ci.yml, .github/workflows/nightly.yml	actions/upload-artifact upgraded (v4→v7.0.1 in bench.yml and nightly.yml); actions/download-artifact updated in bench.yml.
Tool Installation & Testing .github/workflows/ci.yml, .github/workflows/nightly.yml	taiki-e/install-action updated to newer v2 pinned SHA; dorny/test-reporter upgraded to v3.0.0 in ci.yml.
Code Coverage & Comments .github/workflows/bench.yml, .github/workflows/ci.yml	codecov/codecov-action and marocchino/sticky-pull-request-comment (v2.9.1→v3.0.4) upgraded in bench.yml; benchmark-action/github-action-benchmark bumped to v1.22.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Actions hop, versions grow tall,
From v4 to v6, they answer the call,
Artifacts bundled, workflows so clean,
The freshest of CI, you've ever seen! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: updating GitHub Actions dependencies across workflow files with version bumps for 8 different actions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions-818213016a

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/bench.yml (1)

152-152: Minor version discrepancy in PR description.

The code pins marocchino/sticky-pull-request-comment to v3.0.4, but the PR description mentions v3.0.2. This is fine (v3.0.4 is newer), but worth noting for accuracy.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bench.yml at line 152, The PR description and the workflow
pin are inconsistent: the workflow uses the action reference
"marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0"
(v3.0.4) while the PR text mentions v3.0.2; decide which version is intended and
make them consistent by either updating the workflow action reference to the
v3.0.2 tag/SHA or updating the PR description to state v3.0.4 so the "uses:
marocchino/sticky-pull-request-comment@0ea0beb66..." line and the PR description
match.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bench.yml:
- Around line 128-134: Update the inline version comments for the two
occurrences of actions/download-artifact (the block that downloads Ubuntu
results and the one that downloads macOS results) to reflect the actual SHA
being used: change the comment text from "# v4" to "# v8.0.1" so the inline
comments match the referenced commit SHA
`3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c` in both places.

---

Nitpick comments:
In @.github/workflows/bench.yml:
- Line 152: The PR description and the workflow pin are inconsistent: the
workflow uses the action reference
"marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0"
(v3.0.4) while the PR text mentions v3.0.2; decide which version is intended and
make them consistent by either updating the workflow action reference to the
v3.0.2 tag/SHA or updating the PR description to state v3.0.4 so the "uses:
marocchino/sticky-pull-request-comment@0ea0beb66..." line and the PR description
match.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ea0b202b-a5df-4bcf-b6a7-117a6cdf3092

📥 Commits

Reviewing files that changed from the base of the PR and between 2f1560d and e2ec71e.

📒 Files selected for processing (4)

• .github/workflows/bench.yml
• .github/workflows/ci.yml
• .github/workflows/nightly.yml
• .github/workflows/verify.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the download-artifact SHA corresponds to the expected version
# Check the GitHub API for the tag associated with this commit
curl -s "https://api.github.com/repos/actions/download-artifact/git/commits/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" | jq -r '.message // "Not found"'

Repository: Milerius/Mantis

Length of output: 284

---

🌐 Web query:

GitHub actions/download-artifact releases v4 v8 SHA 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c

💡 Result:

The SHA 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c is the Git commit "Add regression tests for CJK characters (#471)" by Daniel Kennedy on 2026-03-11, part of the changes leading to the actions/download-artifact v8.0.1 release. This commit addresses support for CJK (Chinese, Japanese, Korean) characters in artifact names and adds related regression tests. It is one of the final commits before the v8.0.1 tag, released on 2026-03-11. v4 refers to the major version actions/download-artifact@v4 (initial release Dec 2023), with subsequent minor/patch releases up to v4.3.0 (Apr 2025). v8 is the latest major version (v8.0.1 as of Mar 2026), introducing ESM migration, enforced digest checks (default to error on mismatch), support for direct (non-zipped) downloads without auto-unzipping, and Node.js 24 runtime. v8 is not backward-compatible with v3 artifacts and has GHES limitations (use v3 there). Official documentation and usage: https://github.com/actions/download-artifact

Citations:

• 1: https://github.com/actions/download-artifact/releases
• 2: actions/download-artifact@v4...v8
• 3: https://github.com/actions/download-artifact/releases/tag/v8.0.0
• 4: https://github.com/actions/download-artifact/releases/tag/v8.0.1

---

🏁 Script executed:

#!/bin/bash
# Query the actions/download-artifact repository for releases and tags
# Check which version(s) this SHA corresponds to
curl -s "https://api.github.com/repos/actions/download-artifact/releases" | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -20

Repository: Milerius/Mantis

Length of output: 607

---

🏁 Script executed:

#!/bin/bash
# More directly, check if we can get tag info for this specific SHA
curl -s "https://api.github.com/repos/actions/download-artifact/git/refs/tags" | jq -r '.[] | select(.object.sha == "3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c") | .ref'

Repository: Milerius/Mantis

Length of output: 88

---

Update version comment for actions/download-artifact from v4 to v8.0.1.

The SHA 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c corresponds to v8.0.1, not v4. Update the inline comments on lines 128 and 134 from # v4 to # v8.0.1 to match the actual version being used.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bench.yml around lines 128 - 134, Update the inline
version comments for the two occurrences of actions/download-artifact (the block
that downloads Ubuntu results and the one that downloads macOS results) to
reflect the actual SHA being used: change the comment text from "# v4" to "#
v8.0.1" so the inline comments match the referenced commit SHA
`3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c` in both places.