Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: upload-artifact and download-artifact v4 #3312

2 changes: 1 addition & 1 deletion .github/actions/secure-download-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ runs:
echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"

- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ inputs.name }}"
path: "${{ steps.validate-path.outputs.folder_path }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-download-folder/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ runs:
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ inputs.name }}"
path: "${{ steps.rng.outputs.random }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-upload-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ runs:
path: "${{ inputs.path }}"

- name: Upload the artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ inputs.name }}"
path: "${{ inputs.path }}"
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/builder_container-based_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ jobs:
allow-private-repository: ${{ inputs.rekor-log-public }}

- name: Upload builder
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand Down Expand Up @@ -462,7 +462,7 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
# secure upload or verify this against the SLSA layout file.
id: upload-artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.build.outputs.build-outputs-name }}
path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
Expand Down Expand Up @@ -535,7 +535,7 @@ jobs:
- name: Upload unsigned intoto attestations file for pull request
if: ${{ github.event_name == 'pull_request' }}
id: upload-unsigned
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "attestations-${{ needs.rng.outputs.value }}"
Expand All @@ -556,7 +556,7 @@ jobs:
- name: Upload the signed attestations
id: upload-signed
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
Expand Down Expand Up @@ -584,15 +584,15 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
# layout files and their checksums to validate the artifacts.
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ needs.build.outputs.build-outputs-name }}"
path: "${{ needs.build.outputs.build-outputs-name }}"

# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
# secure-folder-download action.
- name: Download provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ needs.provenance.outputs.provenance-name }}"
path: "${{ needs.provenance.outputs.provenance-name }}"
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/builder_go_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ jobs:
allow-private-repository: ${{ inputs.private-repository }}

- name: Upload builder
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand Down Expand Up @@ -358,7 +358,7 @@ jobs:
--workingDir "$UNTRUSTED_WORKING_DIR"

- name: Upload the signed provenance
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/generator_generic_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ jobs:
- name: Upload the signed provenance
id: upload-prov
continue-on-error: true
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ steps.sign-prov.outputs.provenance-name }}"
path: "${{ steps.sign-prov.outputs.provenance-name }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pre-submit.actions.yml
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ jobs:
fi

# If index.js was different from expected, upload the expected version as an artifact
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:
GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-container-based.outputs.build-outputs-name }}
path: outputs
Expand All @@ -57,7 +57,7 @@ jobs:
name=$(find outputs/ -type f | head -1)
cp "$name" .
echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT"
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-container-based.outputs.attestations-download-name }}
- env:
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/pre-submit.e2e.generic.default.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ jobs:
if: ${{ always() }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.provenance-name }}
- env:
Expand Down Expand Up @@ -76,7 +76,7 @@ jobs:
needs: [build-continue-no-error]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-continue-no-error.outputs.provenance-name }}
- env:
Expand Down Expand Up @@ -106,7 +106,7 @@ jobs:
needs: [build, build-continue-invalid-subjects]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.provenance-name }}
- env:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,10 +65,10 @@ jobs:
if: ${{ always() }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-provenance-name }}
- env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: SARIF file
path: results.sarif
Expand Down
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
<!-- toc -->

- [Unreleased](#unreleased)
- [Unreleased: Breaking Change: upload-artifact and download-artifact](#unreleased-breaking-change-upload-artifact-and-download-artifact)
- [Unreleased: Gradle Builder](#unreleased-gradle-builder)
- [Unreleased: Go Builder](#unreleased-go-builder)
- [Unreleased: Container Generator](#unreleased-container-generator)
Expand Down Expand Up @@ -99,6 +100,10 @@ duplication."

## Unreleased

### Unreleased: Breaking Change: upload-artifact and download-artifact

- Our workflows now use the new `@v4`s of `actions/upload-artifact` and `actions/download-artifact`, which are incompatiblle with the prior `@v3`. See Our docs on the [generic generator](./internal/builders/generic/README.md#compatibility-with-actionsdownload-artifact) for more information and how to upgrade.

### Unreleased: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
Expand Down
4 changes: 2 additions & 2 deletions SPECIFICATIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,10 +193,10 @@ jobs:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- name: Release
Expand Down
22 changes: 12 additions & 10 deletions internal/builders/generic/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,12 +193,12 @@
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Download artifact1
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: artifact1

- name: Download artifact2
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: artifact2

Expand Down Expand Up @@ -1485,7 +1485,7 @@
# Do the build to create release_artifact_${{ runner.os }}
- run: ...

- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: release_artifact_${{ runner.os }}
name: release_artifact_${{ runner.os }}
Expand Down Expand Up @@ -1540,7 +1540,7 @@
# Do the build to create release_artifact_${{ runner.os }}
- run: ...

- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: release_artifact_${{ runner.os }}
name: release_artifact_${{ runner.os }}
Expand Down Expand Up @@ -1641,9 +1641,11 @@

### Compatibility with `actions/download-artifact`

To download provenance (e.g., if you don't use `upload-assets`) you have to
use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact).
The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact)
which is
[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes)
with `actions/download-artifact@v4`.
`slsa-github-generator@v1.9.0` and prior use [`actions/upload-artifact@v3`](https://github.com/actions/upload-artifact) and [`actions/download-artifact@v3`](https://github.com/actions/download-artifact) which are not backwards compatible the `@v4`s used in current versions of `slsa-github-generator`.
The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they must begin using `actions/download-artifact@v4`. For your other dependent workflows, you may find that you need to upgrade all of your uses of both of the actions to `@v4` to maintain compatibility.

See more migration guidance
* https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md

Check failure on line 1648 in internal/builders/generic/README.md

View workflow job for this annotation

GitHub Actions / markdownlint

MD032/blanks-around-lists Lists should be surrounded by blank lines [Detail: "", Context: "* https://github.com/actions/u..."]

Check failure on line 1648 in internal/builders/generic/README.md

View workflow job for this annotation

GitHub Actions / markdownlint

MD007/ul-indent Unordered list indentation [Detail: "Expected: 0; Actual: 1", Context: ""]

Check failure on line 1648 in internal/builders/generic/README.md

View workflow job for this annotation

GitHub Actions / markdownlint

MD004/ul-style Unordered list style [Detail: "Expected: dash; Actual: asterisk", Context: ""]
* https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md

Check failure on line 1649 in internal/builders/generic/README.md

View workflow job for this annotation

GitHub Actions / markdownlint

MD007/ul-indent Unordered list indentation [Detail: "Expected: 0; Actual: 1", Context: ""]

Check failure on line 1649 in internal/builders/generic/README.md

View workflow job for this annotation

GitHub Actions / markdownlint

MD004/ul-style Unordered list style [Detail: "Expected: dash; Actual: asterisk", Context: ""]

This is part of our effort to upgrade from the now-deprecated node16 that the `@v3`s used. `@v4s` use node20.
7 changes: 4 additions & 3 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading