Skip to content

Comments

Build: Bump actions/download-artifact from 3 to 4#3211

Merged
ann0see merged 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-4
Mar 6, 2024
Merged

Build: Bump actions/download-artifact from 3 to 4#3211
ann0see merged 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-4

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 18, 2023
edited
Loading

Bumps actions/download-artifact from 3 to 4.

Release notes

Sourced from actions/download-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the @​actions/artifact documentation.

New Contributors

Full Changelog: actions/download-artifact@v3...v4.0.0

v3.0.2

v3.0.1

Commits
  • 7a1cd32 Merge pull request #246 from actions/v4-beta
  • 8f32874 licensed cache
  • b5ff844 Merge pull request #245 from actions/robherley/v4-documentation
  • f07a0f7 Update README.md
  • 7226129 update test workflow to use different artifact names for matrix
  • ada9446 update docs and bump @​actions/artifact
  • 7eafc8b Merge pull request #244 from actions/robherley/bump-toolkit
  • 3132d12 consume latest toolkit
  • 5be1d38 Merge pull request #243 from actions/robherley/v4-beta-updates
  • 465b526 consume latest @​actions/toolkit
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 18, 2023
@ann0see ann0see added this to the Release 3.11.0 milestone Feb 2, 2024
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/download-artifact-4 branch from 62c97b7 to d34db2a Compare February 2, 2024 21:46
@softins
Copy link
Member

softins commented Mar 4, 2024

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/download-artifact-4 branch from d34db2a to d469bf0 Compare March 4, 2024 13:46
@softins
Copy link
Member

softins commented Mar 4, 2024

Not sure why the CI failed on this. It says:

Error: .github#L1
actions/download-artifact@v4 is not allowed to be used in jamulussoftware/jamulus. Actions in this workflow must be: within a repository owned by jamulussoftware or matching the following: actions/cache@*, actions/checkout@*, actions/create-release@*, actions/upload-artifact@*, github/codeql-action/analyze@*, github/codeql-action/init@*, devbotsxyz/**, devbotsxyz/**, maxim-lobanov/**, doozyx/**, actions/download-artifact@v3, BoundfoxStudios/action-xcode-staple@*, lando/notarize-action@*.

Will try rebasing it again once #3168, #3212, #3213 and #3232 have all been approved and merged.

@softins
Copy link
Member

softins commented Mar 4, 2024

There might be more changes needed to support this version. See download-artifact and MIGRATION.md.

@ann0see
Copy link
Member

ann0see commented Mar 4, 2024

I think that's a security violation. You'll need to allow the new action in this repos settings.

@softins
Copy link
Member

softins commented Mar 5, 2024

@dependabot rebase

@dependabot
Build: Bump actions/download-artifact from 3 to 4
46138de 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v3...v4)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/download-artifact-4 branch from d469bf0 to 46138de Compare March 5, 2024 15:40
@softins
Copy link
Member

softins commented Mar 5, 2024

I think that's a security violation. You'll need to allow the new action in this repos settings.

Ah yes, I found that it was listing actions/download-artifact@v3 as allowed, so I've changed it to actions/download-artifact@*. We could limit it to v4 if we wanted to. I'm not sure why only that action was listed with a specific version, and all the others with *.

@softins
Copy link
Member

softins commented Mar 5, 2024

Well the job ran successfully this time: https://github.com/jamulussoftware/jamulus/actions/runs/8159077748

But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

@softins
Copy link
Member

softins commented Mar 5, 2024
edited
Loading

But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

It looks like it's done when pushing a tag matching the regex r\d+_\d+_\d+\S* to the repo, so I will push the tag r3_10_0test to the PR branch to trigger a release build.

softins
softins approved these changes Mar 5, 2024
View reviewed changes
Copy link
Member

@softins softins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The run on the test release tag appears from the run log to have downloaded all the artifacts correctly. So I'm happy to approve.

@softins softins requested a review from ann0see March 6, 2024 11:51
@ann0see ann0see merged commit 2c19b5e into main Mar 6, 2024
@dependabot dependabot bot deleted the dependabot/github_actions/actions/download-artifact-4 branch March 6, 2024 15:22
@ann0see
Copy link
Member

ann0see commented Mar 6, 2024

Maybe worth pushing a nightly in the near future too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@softins softins softins approved these changes

@ann0see ann0see ann0see approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

Tracking
Status: Done

Milestone

Release 3.11.0

Development

Successfully merging this pull request may close these issues.

2 participants

@softins @ann0see