ci(deps): bump actions/upload-artifact from 4 to 6

[dependabot]

Bumps actions/upload-artifact from 4 to 6.

Release notes

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

New Contributors

• @​GhadimiR made their first contribution in actions/upload-artifact#681
• @​nebuk89 made their first contribution in actions/upload-artifact#712
• @​danwkennedy made their first contribution in actions/upload-artifact#727
• @​patrikpolyak made their first contribution in actions/upload-artifact#725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in actions/upload-artifact#685

New Contributors

• @​salmanmkc made their first contribution in actions/upload-artifact#685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in actions/upload-artifact#673

... (truncated)

Commits

• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• ddc45ed docs: update README to correct action name for Node.js 24 support
• 615b319 chore: release v6.0.0 for Node.js 24 support
• 017748b Merge pull request #744 from actions/fix-storage-blob
• 38d4c79 chore: rebuild dist
• 7d27270 chore: add missing license cache files for @​actions/core, @​actions/io, and mi...
• 5f643d3 chore: update license files for @​actions/artifact@​5.0.1 dependencies
• 1df1684 chore: update package-lock.json with @​actions/artifact@​5.0.1
• b5b1a91 fix: update @​actions/artifact to ^5.0.0 for Node.js 24 punycode fix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
vanity	Ready	Preview, Comment	Dec 15, 2025 6:24am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Dec 17 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: This requires repository secret configuration, not code changes.**

What I found

All four investigators agree on this:

1. What Failed: The claude-code-review.yml workflow failed because it couldn't authenticate with the Anthropic API. The error explicitly says: "Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API."

2. What the PR Actually Changed: The PR only bumps actions/upload-artifact from v4 to v6 in .github/workflows/ci.yml - a completely separate workflow file that handles coverage and build artifacts. This change has nothing to do with API authentication.

3. Why It Failed Now: The claude-code-review.yml workflow is configured to run automatically on all PRs (pull_request: opened, synchronize). When this Dependabot PR was opened, it triggered the Claude review workflow, which then failed because the CLAUDE_CODE_OAUTH_TOKEN secret is either missing or not configured in the repository settings.

4. Historical Context: The git history shows previous fixes for Claude workflow issues (commit a45cd55 fixed bot actor naming), but this is a different issue - a missing secret configuration.

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: Repository secret required**

What I found

Here's what's happening, plain and simple:

1. The PR changes are fine - bumping actions/upload-artifact from v4 to v6 in ci.yml is a routine dependency update. Nothing wrong there.

2. The error comes from a different workflow - the claude-code-review.yml workflow runs on every PR and uses the anthropics/claude-code-action@beta action. That action requires either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN to authenticate.

3. The secret is missing - the workflow is configured to use ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}, but if that secret isn't set in the repo's GitHub settings, it passes an empty string, and the action fails.

The actual error:

### What needs to happen
This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---
*🤖 Generated by [kaylee](https://github.com/misty-step/kaylee) — I tried, Captain!*

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: with code.** This requires external configuration:

What I found

Well, I've got the full picture now. Let me break this down plain and simple:

Root Cause

The CI failure is NOT from the actions/upload-artifact v4→v6 bump. It's from the claude-code-review.yml workflow that's missing the CLAUDE_CODE_OAUTH_TOKEN secret in the GitHub repository settings.

Fix

UNFIXABLE with code. This requires external configuration:

1. The anthropics/claude-code-action@beta action needs either:

   • CLAUDE_CODE_OAUTH_TOKEN secret, OR
   • ANTHROPIC_API_KEY secret

2. These secrets must be configured in the GitHub repository settings (Settings → Secrets and variables → Actions)

3. The actual PR changes (bumping actions/upload-artifact from v4 to v6) are completely valid and correct. The upload-artifact step didn't even run because the workflow failed earlier during the Claude Code Action authentication step.

The logs show this clearly:

##[error]Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

This error came from the claude-code-review job (you can see === claude-review/system.txt === in the logs), not from the main CI workflow.

What the repo owner needs to do:

1. Go to repository Settings → Secrets and variables → Actions
2. Add CLAUDE_CODE_OAUTH_TOKEN (or ANTHROPIC_API_KEY) with valid credentials
3. Re-run the workflow

The Dependabot PR itself is good to merge once the secret

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: with code changes.** This is a secrets/configuration issue:

What I found

Now I have the full picture. Let me summarize my findings:

Root Cause

The CI failure is NOT related to the PR changes (bumping actions/upload-artifact from v4 to v6). The error:

##[error]Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

This comes from the claude-code-review.yml workflow, which triggers on pull_request: [opened, synchronize]. This workflow requires secrets.CLAUDE_CODE_OAUTH_TOKEN to be configured in the GitHub repository's secrets, but it's missing.

Fix

UNFIXABLE with code changes. This is a secrets/configuration issue:

1. The claude-code-review.yml workflow (line 38) references ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
2. This secret must be configured in GitHub repository settings (Settings → Secrets and variables → Actions)
3. No code change can fix a missing repository secret

The PR itself (bumping upload-artifact from v4 to v6) is fine - the change is valid and the upload-artifact action usage follows the correct format. The CI failure is from an entirely separate workflow that has nothing to do with this PR.

Summary for user:

Root Cause: Missing CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings. The claude-code-review.yml workflow triggers on all PRs but the required authentication secret isn't configured.

Fix: This cannot be fixed with code changes. The r

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: This CI failure requires configuring GitHub repository secrets (CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY), which cannot be done through code changes. The PR changes to bump actions/upload-artifact from v4 to v6 are correct and unrelated to this failure.

What I found

Now I have a complete picture. The CI failure is clear:

Root Cause

The CI failure is NOT related to the PR changes (bumping actions/upload-artifact from v4 to v6). The error comes from the claude-code-review.yml workflow which requires a CLAUDE_CODE_OAUTH_TOKEN secret that is either missing or not properly configured in the repository settings.

The actual error:

##[error]Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

Fix

This is NOT fixable with code changes. The issue is:

1. The claude-code-review.yml workflow uses anthropics/claude-code-action@beta
2. It requires secrets.CLAUDE_CODE_OAUTH_TOKEN to be set in GitHub repository settings
3. The secret is either missing or empty

The PR itself (bumping actions/upload-artifact from v4 to v6) is perfectly valid and doesn't cause this failure. The ci.yml workflow changes are fine - it's just updating the GitHub Action version for uploading artifacts.

What needs to happen

The repository owner needs to:

1. Configure the CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings (Settings → Secrets and variables → Actions → New repository secret), OR
2. Configure an ANTHROPIC_API_KEY secret instead

This cannot be fixed by editing code files - it requires access to GitHub repository settings to add the secret.

---

UNFIXABLE: This CI failure require

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: with code changes.** The repository owner needs to add the CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings (Settings → Secrets and variables → Actions → New repository secret).

What I found

Now I have confirmed the issue. Looking at the CI logs and workflow files:

1. The claude-code-review.yml workflow (line 38) references ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - this secret is not configured in the repository.

2. The error in CI logs: Environment variable validation failed: Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API

3. The PR changes (bumping actions/upload-artifact from v4 to v6 in ci.yml) are completely valid and unrelated to the failure.

The CI failure is occurring in the Claude Code Review workflow which is triggered on pull_request: [opened, synchronize], NOT in the main CI workflow. The main CI workflow (ci.yml) would work fine - it's the separate Claude Code Review workflow that's failing due to missing credentials.

---

Root Cause

Missing CLAUDE_CODE_OAUTH_TOKEN GitHub secret - the Claude Code Review workflow cannot authenticate with Anthropic's API.

Fix

UNFIXABLE with code changes. The repository owner needs to add the CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings (Settings → Secrets and variables → Actions → New repository secret).

The PR changes themselves (bumping actions/upload-artifact from v4 to v6) are correct and don't need any modifications. The actual CI tests (lint, typecheck, tests, build) would pass - it's only the Claude Code integration that's failing due to missing credentials that must be configured externally.

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: with code changes.** This requires the repository owner to add the CLAUDE_CODE_OAUTH_TOKEN secret to the GitHub repository settings:

What I found

Now I have a clear picture. Let me summarize:

Root Cause

The CI failure is NOT related to the PR's upload-artifact v4→v6 bump. The failure is in a separate workflow (claude-code-review.yml) which requires the CLAUDE_CODE_OAUTH_TOKEN secret to be configured in the repository. This secret is missing or not accessible.

Fix

UNFIXABLE with code changes. This requires the repository owner to add the CLAUDE_CODE_OAUTH_TOKEN secret to the GitHub repository settings:

• Go to Repository Settings → Secrets and variables → Actions
• Add a secret named CLAUDE_CODE_OAUTH_TOKEN with a valid Claude Code OAuth token

The actual PR changes (bumping actions/upload-artifact from v4 to v6) are perfectly valid and compatible - the name and path parameters used are stable across versions.

---

Summary for the user:

The CI failure you're seeing is not caused by this PR's changes. The PR correctly bumps actions/upload-artifact from v4 to v6, which is a safe dependency update.

The actual failure is in the Claude Code Review workflow (claude-code-review.yml) which runs automatically on all PRs. It requires the CLAUDE_CODE_OAUTH_TOKEN secret to be configured in the repository, but this secret is missing.

To fix this:

1. The repository owner needs to add the CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings (Settings → Secrets and variables → Actions → New repository secret)
2. Alternatively, if Claude Code Review isn't needed, the wo

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!

[phrazzld]

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: with code changes.**

What I found

Alright, I got the full picture now. Let me give you the straight diagnosis.

Root Cause

The CI failure is NOT related to the PR changes (bumping actions/upload-artifact from v4 to v6). The error is from the claude-code-review.yml workflow which requires a CLAUDE_CODE_OAUTH_TOKEN secret that's either missing or not configured in the repository.

The actual error from the logs:

##[error]Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

Fix

This is UNFIXABLE with code changes.

The failure is a repository configuration issue - the CLAUDE_CODE_OAUTH_TOKEN GitHub secret needs to be set in the repository settings (Settings → Secrets and variables → Actions). This is not something that can be fixed by editing files in the PR.

The PR itself (bumping actions/upload-artifact from v4 to v6) is perfectly valid. The workflow file changes look correct:

• Line 110: uses: actions/upload-artifact@v6 ✅
• Line 140: uses: actions/upload-artifact@v6 ✅

The version bump is compatible with the existing configuration (name, path, retention-days parameters all work in v6).

What the repo owner needs to do:

1. Go to repository Settings → Secrets and variables → Actions
2. Add a secret named CLAUDE_CODE_OAUTH_TOKEN with a valid OAuth token from Anthropic

Or alternatively, if they want to use the Anthropic API directly:

1. Add a secret

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.

---

🤖 Generated by kaylee — I tried, Captain!