[deps]: Update @actions/artifact to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@actions/artifact (source)	5.0.1 → 6.2.0

---

Release Notes

actions/toolkit (@​actions/artifact)

v6.2.0

• Support uploading single un-archived files (not zipped). Direct uploads are only supported for artifacts version 7+ (based on the major version of actions/upload-artifact). Callers must pass the skipArchive option to uploadArtifact. Only single files can be uploaded at a time right now. Default behavior should remain unchanged if skipArchive = false. When skipArchive = true, the name of the file is used as the name of the artifact for consistency with the downloads: you upload artifact.txt, you download artifact.txt.

v6.1.0

• Support downloading non-zip artifacts. Zipped artifacts will be decompressed automatically (with an optional override). Un-zipped artifacts will be downloaded as-is.

v6.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

v5.0.3

• Bump @actions/http-client to 3.0.2

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-32292
• Link: https://bitwarden.atlassian.net/browse/PM-32292

[pixman20]

@claude review this

[claude]

Claude finished @pixman20's task in 6m 45s —— View job

---

I'll analyze this and get back to you.

[github-actions]

Checkmarx One – Scan Summary & Details – 8de7b3b4-8a1f-4e4a-b94e-6dd8e424ce41

Great job! No new security vulnerabilities introduced in this pull request

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[claude]

Review Summary

PR: [deps]: Update @actions/artifact to v6
Type: Dependency update (major version bump)
Risk: High - This is a major version bump with breaking changes that cannot be merged as-is.

---

Findings

1. CRITICAL: Committed node_modules not updated

The download-artifacts/node_modules/ directory is committed to the repository (5,087 tracked files) and is used directly at runtime by the GitHub Action (runs.using: node20). This PR only updates package.json and package-lock.json but does not update node_modules/. As a result, this dependency bump has no actual runtime effect -- the action would still execute with @actions/artifact v2.0.0.

After updating package.json, npm install must be run and the resulting node_modules/ changes must be committed.

2. CRITICAL: ESM/CJS incompatibility will break the action

The @actions/artifact v6.0.0 release notes (included in this PR description) state:

Breaking change: Package is now ESM-only. CommonJS consumers must use dynamic import() instead of require()

However, download-artifacts/main.js uses CommonJS require() at the module level:

// download-artifacts/main.js, line 3
const artifact = require('@actions/artifact')

After running npm install to update node_modules, Node.js will throw ERR_REQUIRE_ESM when the action starts, crashing the entire action before any code executes. The main.js file must be migrated to use ESM import syntax (with "type": "module" in package.json) or use dynamic import().

3. IMPORTANT: API breaking changes in artifact.create()

download-artifacts/main.js line 10 calls artifact.create():

const artifactClient = artifact.create()

This factory method does not exist in the v6 DefaultArtifactClient API. The v6 package exports a pre-instantiated client as the default export. The downloadAction function (lines 9-20) and its downloadArtifact(name, path, downloadOptions) call signature also differ from the v6 API, which uses downloadArtifact(artifactId, options). While this code path is only used as a fallback, it needs to be updated.

---

Recommendation

This major version bump requires code changes to download-artifacts/main.js beyond a simple dependency update:

1. Convert main.js to ESM (or use dynamic import() for the artifact package)
2. Update the downloadAction function to use the v6 API
3. Run npm install and commit the updated node_modules/
4. Verify all test workflows pass with the updated code

This likely cannot be handled by Renovate alone and needs manual developer intervention.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[pixman20]

This needs additional work beyond the Renovate updates:
https://bitwarden.atlassian.net/browse/BRE-1713