
Build: Bump actions/download-artifact from 3 to 4

Open dependabot[bot] opened this issue 2 years ago • 8 comments

Bumps actions/download-artifact from 3 to 4.

Release notes

Sourced from actions/download-artifact's releases.

v4.0.0

What's Changed

The releases of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the @actions/artifact documentation.

New Contributors

Full Changelog: https://github.com/actions/download-artifact/compare/v3...v4.0.0

v3.0.2

  • Bump @actions/artifact to v1.1.1 - actions/download-artifact#195
  • Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet actions/toolkit#1278

v3.0.1

Commits
  • 7a1cd32 Merge pull request #246 from actions/v4-beta
  • 8f32874 licensed cache
  • b5ff844 Merge pull request #245 from actions/robherley/v4-documentation
  • f07a0f7 Update README.md
  • 7226129 update test workflow to use different artifact names for matrix
  • ada9446 update docs and bump @actions/artifact
  • 7eafc8b Merge pull request #244 from actions/robherley/bump-toolkit
  • 3132d12 consume latest toolkit
  • 5be1d38 Merge pull request #243 from actions/robherley/v4-beta-updates
  • 465b526 consume latest @actions/toolkit
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar Dec 18 '23 17:12 dependabot[bot]

@dependabot rebase

softins avatar Mar 04 '24 13:03 softins

Not sure why the CI failed on this. It says:

Error: .github#L1 actions/download-artifact@v4 is not allowed to be used in jamulussoftware/jamulus. Actions in this workflow must be: within a repository owned by jamulussoftware or matching the following: actions/cache@*, actions/checkout@*, actions/create-release@*, actions/upload-artifact@*, github/codeql-action/analyze@*, github/codeql-action/init@*, devbotsxyz/**, devbotsxyz/**, maxim-lobanov/**, doozyx/**, actions/download-artifact@v3, BoundfoxStudios/action-xcode-staple@*, lando/notarize-action@*.

Will try rebasing it again once #3168, #3212, #3213 and #3232 have all been approved and merged.

softins avatar Mar 04 '24 17:03 softins

There might be more changes needed to support this version. See download-artifact and MIGRATION.md.

softins avatar Mar 04 '24 18:03 softins

I think that's a security violation. You'll need to allow the new action in this repo's settings.

ann0see avatar Mar 04 '24 19:03 ann0see

@dependabot rebase

softins avatar Mar 05 '24 15:03 softins

> I think that's a security violation. You'll need to allow the new action in this repo's settings.

Ah yes, I found that it was listing actions/download-artifact@v3 as allowed, so I've changed it to actions/download-artifact@*. We could limit it to v4 if we wanted to. I'm not sure why only that action was listed with a specific version, and all the others with *.

softins avatar Mar 05 '24 15:03 softins
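
The allow-list behaviour discussed in the comments above, as an added example (not code from the Jamulus project or from GitHub): it checks the `uses:` references of a constructed workflow against the list from the CI error message, then compares widening the entry to `@*` with limiting it to `@v4`. The wildcard semantics in `pattern_to_regex` and the helper names are assumptions that approximate GitHub's matcher.

```python
import re

# Allow-list entries copied from the CI error message quoted above.
OLD_ALLOWED = [
    "actions/cache@*", "actions/checkout@*", "actions/create-release@*",
    "actions/upload-artifact@*", "github/codeql-action/analyze@*",
    "github/codeql-action/init@*", "devbotsxyz/**", "maxim-lobanov/**",
    "doozyx/**", "actions/download-artifact@v3",
    "BoundfoxStudios/action-xcode-staple@*", "lando/notarize-action@*",
]
OWNER = "jamulussoftware"  # actions in this owner's repositories are always allowed

# Constructed workflow fragment (not the project's real workflow file).
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/download-artifact@v4
  - uses: ./.github/actions/local-step
  - uses: jamulussoftware/some-action@main
"""

def pattern_to_regex(pattern):
    """Assumed semantics: '**' matches anything, '*' anything except '/'."""
    out = []
    for part in re.split(r"(\*\*|\*)", pattern):
        if part == "**":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out) + r"\Z")

def uses_refs(workflow_text):
    """Extract every `uses:` value from workflow text (simple line scan)."""
    return re.findall(r"^\s*-?\s*uses:\s*(\S+)", workflow_text, re.MULTILINE)

def is_allowed(ref, allowed, owner=OWNER):
    if ref.startswith("./") or ref.startswith(owner + "/"):
        return True  # local action, or action in a repository of the owner
    return any(pattern_to_regex(p).match(ref) for p in allowed)

def denied(workflow_text, allowed):
    """List the references the policy would reject."""
    return [r for r in uses_refs(workflow_text) if not is_allowed(r, allowed)]

def swap(allowed, new_entry):
    """Copy of the list with the download-artifact entry replaced."""
    return [new_entry if p.startswith("actions/download-artifact@") else p
            for p in allowed]
```

With the `@*` entry any later major version of the action passes the policy without a settings change, while the `@v4` entry makes the next major bump fail CI until someone reviews and allows it.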

Well the job ran successfully this time: https://github.com/jamulussoftware/jamulus/actions/runs/8159077748

But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

softins avatar Mar 05 '24 16:03 softins

> But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

It looks like it's done when pushing a tag matching the regex r\d+_\d+_\d+\S* to the repo, so I will push the tag r3_10_0test to the PR branch to trigger a release build.

softins avatar Mar 05 '24 16:03 softins

Maybe worth pushing a nightly in the near future too.

ann0see avatar Mar 06 '24 15:03 ann0see