diff --git a/.github/actions/download-artifact/action.yml b/.github/actions/download-artifact/action.yml index ef938ddb684..1f1347e4220 100644 --- a/.github/actions/download-artifact/action.yml +++ b/.github/actions/download-artifact/action.yml @@ -38,7 +38,7 @@ runs: using: composite steps: - name: Download artifacts - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ inputs.name }} path: ${{ inputs.path }} diff --git a/.github/actions/seal-restore/action.yml b/.github/actions/seal-restore/action.yml index beadad90cbc..1107414b640 100644 --- a/.github/actions/seal-restore/action.yml +++ b/.github/actions/seal-restore/action.yml @@ -43,7 +43,7 @@ runs: shell: bash - name: Download artifacts - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ inputs.artifact_name }} path: . diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d457186ced5..1fca9c67940 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -206,7 +206,7 @@ jobs: # NOTE: provenance fails if we use action pinning... it's a Github limitation # because SLSA needs to trace & attest it came from a given branch; pinning doesn't expose that information # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: ${{ needs.build.outputs.attestation_hashes }} upload-assets: false # we upload its attestation in create_tag job, otherwise it creates a new release