build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 #4674
Conversation
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
Dependencies
dependabot
bot
requested review from
Flash0ver and
jamescrosswell
as code owners
dependabot
bot
added
Dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![sentry[bot]](https://avatars.githubusercontent.com/u/1396951?s=60&v=4){kind=small}
|
|
||
| - name: Upload build logs | ||
| if: ${{ always() }} | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | ||
| with: | ||
| name: ${{ matrix.rid }}-build-logs | ||
| path: | |
There was a problem hiding this comment.
Bug: actions/[email protected] requires unique artifact names across jobs. name: ${{ github.sha }} in a matrix job is not unique and will fail if multiple jobs attempt to upload.
Severity: HIGH | Confidence: 0.95
🔍 Detailed Analysis
The actions/[email protected] action requires artifact names to be unique across all jobs in a workflow run. In .github/workflows/build.yml, the "Archive NuGet Packages" step at line 240 uses name: ${{ github.sha }} for its artifact. Since github.sha is constant across matrix iterations, multiple matrix jobs would attempt to upload to the same artifact name if the if: runner.os == 'macOS' condition were not present or changed. This would cause the workflow step to fail, as v5.0.0 errors when attempting to create an artifact with a name already in use.
💡 Suggested Fix
Modify the artifact name at .github/workflows/build.yml:240 to include a unique identifier per matrix job, such as name: ${{ github.sha }}-${{ matrix.rid }}.
🤖 Prompt for AI Agent
Fix this bug. In .github/workflows/build.yml at lines 209-215: The
`actions/[email protected]` action requires artifact names to be unique across all
jobs in a workflow run. In `.github/workflows/build.yml`, the "Archive NuGet Packages"
step at line 240 uses `name: ${{ github.sha }}` for its artifact. Since `github.sha` is
constant across matrix iterations, multiple matrix jobs would attempt to upload to the
same artifact name if the `if: runner.os == 'macOS'` condition were not present or
changed. This would cause the workflow step to fail, as v5.0.0 errors when attempting to
create an artifact with a name already in use.
Did we get this right? 👍 / 👎 to inform future reviews.
jamescrosswell
deleted the
dependabot/github_actions/actions/upload-artifact-5.0.0
branch
Bumps actions/upload-artifact from 4.6.2 to 5.0.0.
Release notes
Sourced from actions/upload-artifact's releases.
Commits
330a01cMerge pull request #734 from actions/danwkennedy/prepare-5.0.003f2824Updategithub.dep.yml905a1ecPreparev5.0.02d9f9cdMerge pull request #725 from patrikpolyak/patch-19687587Merge branch 'main' into patch-12848b2cMerge pull request #727 from danwkennedy/patch-19b51177Spell out the first use of GHEScd231caUpdate GHES guidance to include reference to Node 20 versionde65e23Merge pull request #712 from actions/nebuk89-patch-18747d8cUpdate README.mdDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)