Skip to content

Commit

Permalink
fix: upload-artifact and download-artifact v4 (#3312)
Browse files Browse the repository at this point in the history
# Summary

- Fixes #3068 to use upload-artifact and download-artifact v4
- following up in
slsa-framework/example-package#336

## Testing Process

This change is tested with our existing PR Check workflows that use both
directly and indirectly call upload-artifact and download-artifact.
- One test for `secure-upload-folder` should fail in this PR because it
will use `secure-upload-artifact@main`. There's no workaround to
dynamically use the PR's ref instead of `@main`, but after merging this
PR, the test should start passing.

## Checklist

- [x] Review the contributing [guidelines](./../CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [x] Add changes to the [CHANGELOG](./../CHANGELOG.md) if applicable.

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
  • Loading branch information
ramonpetgrave64 and laurentsimon authored Mar 13, 2024
1 parent e64a212 commit b595e06
Show file tree
Hide file tree
Showing 14 changed files with 41 additions and 33 deletions.
2 changes: 1 addition & 1 deletion .github/actions/secure-download-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ runs:
echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ inputs.name }}"
path: "${{ steps.validate-path.outputs.folder_path }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-download-folder/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ runs:
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ inputs.name }}"
path: "${{ steps.rng.outputs.random }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-upload-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ runs:
path: "${{ inputs.path }}"

- name: Upload the artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ inputs.name }}"
path: "${{ inputs.path }}"
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/builder_container-based_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ jobs:
allow-private-repository: ${{ inputs.rekor-log-public }}

- name: Upload builder
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand Down Expand Up @@ -462,7 +462,7 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
# secure upload or verify this against the SLSA layout file.
id: upload-artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.build.outputs.build-outputs-name }}
path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
Expand Down Expand Up @@ -535,7 +535,7 @@ jobs:
- name: Upload unsigned intoto attestations file for pull request
if: ${{ github.event_name == 'pull_request' }}
id: upload-unsigned
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "attestations-${{ needs.rng.outputs.value }}"
Expand All @@ -556,7 +556,7 @@ jobs:
- name: Upload the signed attestations
id: upload-signed
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
Expand Down Expand Up @@ -584,15 +584,15 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
# layout files and their checksums to validate the artifacts.
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ needs.build.outputs.build-outputs-name }}"
path: "${{ needs.build.outputs.build-outputs-name }}"

# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
# secure-folder-download action.
- name: Download provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: "${{ needs.provenance.outputs.provenance-name }}"
path: "${{ needs.provenance.outputs.provenance-name }}"
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/builder_go_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ jobs:
allow-private-repository: ${{ inputs.private-repository }}

- name: Upload builder
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand Down Expand Up @@ -358,7 +358,7 @@ jobs:
--workingDir "$UNTRUSTED_WORKING_DIR"
- name: Upload the signed provenance
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/generator_generic_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ jobs:
- name: Upload the signed provenance
id: upload-prov
continue-on-error: true
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: "${{ steps.sign-prov.outputs.provenance-name }}"
path: "${{ steps.sign-prov.outputs.provenance-name }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pre-submit.actions.yml
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ jobs:
fi
# If index.js was different from expected, upload the expected version as an artifact
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/pre-submit.e2e.container-based.default.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:
GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-container-based.outputs.build-outputs-name }}
path: outputs
Expand All @@ -57,7 +57,7 @@ jobs:
name=$(find outputs/ -type f | head -1)
cp "$name" .
echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT"
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-container-based.outputs.attestations-download-name }}
- env:
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/pre-submit.e2e.generic.default.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ jobs:
if: ${{ always() }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.provenance-name }}
- env:
Expand Down Expand Up @@ -76,7 +76,7 @@ jobs:
needs: [build-continue-no-error]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build-continue-no-error.outputs.provenance-name }}
- env:
Expand Down Expand Up @@ -106,7 +106,7 @@ jobs:
needs: [build, build-continue-invalid-subjects]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.provenance-name }}
- env:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,10 +65,10 @@ jobs:
if: ${{ always() }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-provenance-name }}
- env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: SARIF file
path: results.sarif
Expand Down
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
<!-- toc -->

- [Unreleased](#unreleased)
- [Unreleased: Breaking Change: upload-artifact and download-artifact](#unreleased-breaking-change-upload-artifact-and-download-artifact)
- [Unreleased: Breaking Change: attestation-name Workflow Input and Output](#unreleased-breaking-change-attestation-name-workflow-input-and-output)
- [Unreleased: Gradle Builder](#unreleased-gradle-builder)
- [Unreleased: Go Builder](#unreleased-go-builder)
Expand Down Expand Up @@ -100,6 +101,10 @@ duplication."

## Unreleased

### Unreleased: Breaking Change: upload-artifact and download-artifact

- Our workflows now use the new `@v4`s of `actions/upload-artifact` and `actions/download-artifact`, which are incompatiblle with the prior `@v3`. See Our docs on the [generic generator](./internal/builders/generic/README.md#compatibility-with-actionsdownload-artifact) for more information and how to upgrade.

### Unreleased: Breaking Change: attestation-name Workflow Input and Output

- `attestation-name` as a workflow input to `.github/workflows/generator_generic_slsa3.yml` is now removed. Use `provenance-name` instead.
Expand Down
4 changes: 2 additions & 2 deletions SPECIFICATIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,10 +193,10 @@ jobs:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- name: Release
Expand Down
23 changes: 13 additions & 10 deletions internal/builders/generic/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,12 +193,12 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Download artifact1
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: artifact1
- name: Download artifact2
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: artifact2
Expand Down Expand Up @@ -1483,7 +1483,7 @@ jobs:
# Do the build to create release_artifact_${{ runner.os }}
- run: ...
- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: release_artifact_${{ runner.os }}
name: release_artifact_${{ runner.os }}
Expand Down Expand Up @@ -1538,7 +1538,7 @@ jobs:
# Do the build to create release_artifact_${{ runner.os }}
- run: ...
- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: release_artifact_${{ runner.os }}
name: release_artifact_${{ runner.os }}
Expand Down Expand Up @@ -1639,9 +1639,12 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_s

### Compatibility with `actions/download-artifact`

To download provenance (e.g., if you don't use `upload-assets`) you have to
use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact).
The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact)
which is
[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes)
with `actions/download-artifact@v4`.
`[email protected]` and prior use [`actions/upload-artifact@v3`](https://github.com/actions/upload-artifact) and [`actions/download-artifact@v3`](https://github.com/actions/download-artifact) which are not backwards compatible the `@v4`s used in current versions of `slsa-github-generator`.
The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they must begin using `actions/download-artifact@v4`. For your other dependent workflows, you may find that you need to upgrade all of your uses of both of the actions to `@v4` to maintain compatibility.

See more migration guidance

- https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md
- https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md

This is part of our effort to upgrade from the now-deprecated node16 that the `@v3`s used. `@v4s` use node20.

0 comments on commit b595e06

Please sign in to comment.