@@ -66,13 +66,13 @@ jobs:
6666 # Store the hash in a file, which is uploaded as a workflow artifact.
6767 sha256sum $ARTIFACTS | base64 -w0 > artifacts-sha256
6868 - name : Upload build artifacts
69- uses : actions/upload-artifact@v3
69+ uses : actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
7070 with :
7171 name : gradle-build-outputs
7272 path : build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/*
7373 retention-days : 5
7474 - name : Upload artifacts-sha256
75- uses : actions/upload-artifact@v3
75+ uses : actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
7676 with :
7777 name : artifacts-sha256
7878 path : artifacts-sha256
@@ -115,7 +115,7 @@ jobs:
115115 artifacts-sha256 : ${{ steps.set-hash.outputs.artifacts-sha256 }}
116116 steps :
117117 - name : Download artifacts-sha256
118- uses : actions/download-artifact@v3
118+ uses : actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
119119 with :
120120 name : artifacts-sha256
121121 # The SLSA provenance generator expects the hash digest of artifacts to be passed as a job
@@ -148,6 +148,8 @@ jobs:
148148 - name : Checkout repository
149149 uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
150150 - name : Download artifacts
151+ # Important: update actions/download-artifact to v4 only when generator_generic_slsa3.yml is also compatible.
152+ # See https://github.com/slsa-framework/slsa-github-generator/issues/3068
151153 uses : actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
152154 with :
153155 name : gradle-build-outputs
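Review bot: The compatibility warning added at new lines 151-152 is attached only to the last `Download artifacts` step, yet the same constraint covers the other artifact actions pinned in this commit: `Download artifacts-sha256` at new line 118 and the two `actions/upload-artifact` steps at new lines 69 and 75. As far as I know, artifacts written by upload-artifact v4 cannot be read by download-artifact v3, so moving any one of these pins to v4 on its own, for example through an automated dependency-update PR, would break the hash hand-off to the provenance job. I would repeat a short comment above each of those `uses:` lines, such as `# Keep on v3 together with actions/download-artifact; see slsa-framework/slsa-github-generator#3068`, or state the rule once at the top of the workflow. The `with:` block of this step may continue beyond the end of the hunk.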