Scorecard supply-chain security for registry-support and library failing

[michael-valdron]

/kind bug

Which area is this bug related to?

/area ci
/area registry
/area library

Bug Summary

Describe the bug:

As of writing the "Scorecard supply-chain security" workflow is failing due to "Missing download info".

To Reproduce:

Open a PR on registry-support or library, check should fail.

Expected behavior

Check should run without "Missing download info" failure, pass or an expected failure to due changes or degraded source.

Any logs, error output, screenshots etc? Provide the devfile that sees this bug, if applicable

Follow log is from a recent PR run:

Current runner version: '2.323.0'
Operating System
Runner Image
Runner Image Provisioner
GITHUB_TOKEN Permissions
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9' (SHA:c85c95e3d7251135ab7dc9ce3241c5835cc595a9)
Download action repository 'ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86' (SHA:e38b1902ae4f44df626f11ba0734b14fb91f8f86)
Error: Missing download info for actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8

Additional context

Any workaround?

Suggestion on how to fix the bug

[michael-valdron]

Setting priority to Major as failures does not block PRs though should be addressed.

[michael-valdron]

/area library

Found this issue under devfile/library#230 as well so I expanded this bug issue scope to include devfile/library as well.

Note: It is possible that this could be effecting all devfile repositories which use the 'Scorecard supply chain security' check.

[michael-valdron]

@thepetk I noticed you updated the affected workflow action for alizer here: devfile/alizer@d138f43

Did you run into this error when you made this upgrade? If so I think we can identify this as being the fix for this issue.