chore(deps): bump @actions/artifact from 2.1.11 to 5.0.3

[dependabot]

Bumps @actions/artifact from 2.1.11 to 5.0.3.

Changelog

Sourced from @​actions/artifact's changelog.

5.0.3

• Bump @actions/http-client to 3.0.2

5.0.1

• Fix Node.js 24 punycode deprecation warning by updating @azure/storage-blob from ^12.15.0 to ^12.29.1 #2211
• Removed direct @azure/core-http dependency (now uses @azure/core-rest-pipeline via storage-blob)

5.0.0

• Dependency updates for Node.js 24 runtime support
• Update @actions/core to v2
• Update @actions/http-client to v3

4.0.0

• Add support for Node 24 #2110
• Fix: artifact pagination bugs and configurable artifact count limits #2165
• Fix: reject the promise on timeout #2124
• Update dependency versions

2.3.3

• Dependency updates #2049

2.3.2

• Added masking for Shared Access Signature (SAS) artifact URLs #1982
• Change hash to digest for consistent terminology across runner logs #1991

2.3.1

• Fix comment typo on expectedHash. #1986

2.3.0

• Allow ArtifactClient to perform digest comparisons, if supplied. #1975

2.2.2

• Default concurrency to 5 for uploading artifacts #1962

2.2.1

• Add ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY and ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS environment variables #1928

2.2.0

• Return artifact digest on upload #1896

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​actions/artifact since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[Lms24]

should be safe

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	8,713	-	8,864	-2%
GET With Sentry	1,596	18%	1,737	-8%
GET With Sentry (error only)	6,010	69%	6,110	-2%
POST Baseline	1,174	-	1,217	-4%
POST With Sentry	573	49%	590	-3%
POST With Sentry (error only)	1,050	89%	1,058	-1%
MYSQL Baseline	3,265	-	3,328	-2%
MYSQL With Sentry	460	14%	501	-8%
MYSQL With Sentry (error only)	2,694	83%	2,708	-1%

View base workflow run

[sentry]

Bug: The uploadArtifact function is called with a string for the third parameter, but the updated @actions/artifact@v5 API expects an options object.
_{Severity: MEDIUM}

Suggested Fix

Update the calls to uploadArtifact in size-limit-gh-action/index.mjs and node-overhead-gh-action/index.mjs. The third argument, __dirname, should be removed as the new API version does not require a root directory path in the same way. The call should be await artifactClient.uploadArtifact(ARTIFACT_NAME, files);.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: dev-packages/size-limit-gh-action/package.json#L17

Potential issue: The `uploadArtifact` function from `@actions/artifact@v5` is being
called with an incompatible signature. The code passes `__dirname`, a string, as the
third argument. However, version 5 of the API expects this argument to be an options
object. This mismatch will likely cause a runtime error when the GitHub Actions workflow
attempts to execute the artifact upload step, preventing artifacts from being saved.

[JPeer264]

Negative: https://github.com/actions/toolkit/blob/a2986ee5119862b6b4ca3c77c5e4b7d5775a89b7/packages/artifact/src/internal/client.ts#L116

[JPeer264]

I renamed it to "chore" as only dev-packages are involved