@dependabot dependabot bot commented on behalf of github Oct 27, 2025

Bumps actions/upload-artifact from 3 to 5.

Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

What's Changed

New Contributors

... (truncated)

Commits
  • 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
  • 03f2824 Update github.dep.yml
  • 905a1ec Prepare v5.0.0
  • 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
  • 9687587 Merge branch 'main' into patch-1
  • 2848b2c Merge pull request #727 from danwkennedy/patch-1
  • 9b51177 Spell out the first use of GHES
  • cd231ca Update GHES guidance to include reference to Node 20 version
  • de65e23 Merge pull request #712 from actions/nebuk89-patch-1
  • 8747d8c Update README.md
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v3...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 27, 2025
@matter-code-review

Important

PR Analysis Skipped

PR analysis skipped for dependabot PRs as per the configuration setting. Run a manual review by commenting /matter review

💡Tips to use MatterAI

Command List

  • /matter summary: Generate AI Summary for the PR
  • /matter review: Generate AI Reviews for the latest commit in the PR
  • /matter review-full: Generate AI Reviews for the complete PR
  • /matter release-notes: Generate AI release-notes for the PR
  • /matter : Chat with your PR with MatterAI Agent
  • /matter remember : Generate AI memories for the PR
  • /matter explain: Get an explanation of the PR
  • /matter help: Show the list of available commands and documentation
  • Need help? Join our Discord server: https://discord.gg/fJU5DvanU3

@matter-code-review

Code Quality docs

Summary By MatterAI

🔄 What Changed

Bumped actions/upload-artifact GitHub Action from versions v3 and v4 to v5 across four CI/CD workflow files. This ensures alignment with the latest stable release, improving reliability, security, and feature support.

🔍 Impact of the Change

  • Security: Pulls in patched dependencies and removes known vulnerabilities present in older versions.
  • 🚀 Performance: v5 includes optimized upload logic and better retry mechanisms.
  • 🧩 Consistency: Standardizes artifact upload version across all workflows.
  • ⚠️ Backward Compatibility: No breaking changes expected — v5 maintains interface compatibility.

📁 Total Files Changed

| File | ChangeLog |
| --- | --- |
| Bump v3→v5 .github/workflows/automation-trigger-test.yml | Upgraded upload-artifact from v3 to v5 for test result publishing |
| Bump v3→v5 .github/workflows/integration-tests.yml | Updated artifact action version to v5 for integration test results |
| Bump v4→v5 .github/workflows/release.yml | Upgraded all four artifact uploads from v4 to v5 in release pipeline |
| Bump v4→v5 .github/workflows/verify.yml | Migrated artifact upload step from v4 to v5 for unit test results |

🧪 Test Added/Recommended

Recommended

  • Add version pinning audit step in CI to detect outdated actions automatically.
  • Include changelog verification in dependency bump PRs to validate upgrade safety.

🔒 Security Vulnerabilities

No active vulnerabilities introduced. Upgrade mitigates known risks in earlier versions (e.g., improper path sanitization in v3).

⏳ Estimated code review effort

LOW (~7 minutes)

Tip

Quality Recommendations

  1. Add automated dependency review step to detect outdated GitHub Actions

  2. Pin exact action versions or use hash-based references for supply chain security

♫ Tanka Poem

Version climbs high,
V5 stands on v3's shoulders,
Faster, safer, strong.
CI flows smooth tonight,
Artifacts rise with pride. 🚀

Sequence Diagram

sequenceDiagram
    participant WF as Workflow
    participant GA as GitHub Action
    participant S as Storage

    Note over WF: Workflow Execution

    WF->>GA: upload-artifact@v5.start(name='test-results')
    GA->>S: Upload file bundle (path: output.txt)
    S-->>GA: Confirmation (artifact stored)
    GA-->>WF: Success signal

    Note over WF: Artifact retention applied per workflow settings
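The recommendations in the summary above (a pinning audit step in CI, and hash-based references instead of tags such as `@v5`) could be implemented as a check like the following. This is an added example, not part of the PR or of the Dependabot or MatterAI output; `classify_ref`, `audit_workflow`, the sample workflow and the 40-character SHA in it are constructed for illustration.

```python
import re

# `uses:` key of a step or job; optional quotes and a trailing comment are allowed.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify_ref(target):
    """Classify one `uses:` target as 'local', 'sha' (immutable) or 'mutable'."""
    if target.startswith("./"):
        return "local"  # action or workflow that lives in the same repository
    if target.startswith("docker://"):
        return "sha" if "@sha256:" in target else "mutable"
    _, sep, ref = target.partition("@")
    # A tag, branch or abbreviated SHA can be re-pointed or is ambiguous; a full SHA is not.
    return "sha" if sep and FULL_SHA_RE.fullmatch(ref) else "mutable"


def audit_workflow(text):
    """Return (line_number, target) for every reference not pinned immutably."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow, not taken from the repository in this PR.
# The 40-hex value is a placeholder, not a real upload-artifact commit.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v5
        with:
          name: test-results
          path: output.txt
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, target in audit_workflow(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```

A CI step would call `audit_workflow` on each file under `.github/workflows/` and fail the job when the returned list is non-empty.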

@matter-code-review

Important

PR Review Skipped

PR review skipped as per the configuration setting. Run a manual review by commenting /matter review
