build(deps): bump actions/download-artifact from 3 to 4

[dependabot]

Bumps actions/download-artifact from 3 to 4.

Release notes

Sourced from actions/download-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.

For more information, please see:

1. The changelog post.
2. The README.
3. The migration documentation.
4. As well as the underlying npm package, @​actions/artifact documentation.

New Contributors

• @​bflad made their first contribution in actions/download-artifact#194

Full Changelog: actions/download-artifact@v3...v4.0.0

v3.0.2

• Bump @actions/artifact to v1.1.1 - actions/download-artifact#195
• Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet Migrate dev environment and workflows to node16  actions/toolkit#1278

v3.0.1

• Bump @​actions/core to 1.10.0

Commits

• c850b93 Merge pull request #307 from bethanyj28/main
• 6fd111f update @​actions/artifact
• 87c5514 Merge pull request #303 from bethanyj28/main
• 47f9ce6 update @​actions/artifact
• 127824d Merge pull request #299 from bethanyj28/main
• 6dd49bf licensed only artifact
• f71c0e3 Revert "licensed"
• 7c63dfd licensed
• 67d37cd Update toolkit
• 3487549 Update release-new-action-version.yml (#292)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[k8s-ci-robot]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.95%. Comparing base (8edfd48) to head (60749b1).

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17743      +/-   ##
==========================================
- Coverage   69.07%   68.95%   -0.12%     
==========================================
  Files         415      415              
  Lines       34986    34986              
==========================================
- Hits        24166    24126      -40     
- Misses       9436     9468      +32     
- Partials     1384     1392       +8     

Flag	Coverage Δ
all	68.95% <ø> (-0.12%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ivanvc]

This dependency bump (along with #17744) has a breaking change. Reference to:

• https://github.com/actions/upload-artifact?tab=readme-ov-file#v4---whats-new
• https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md#overwriting-an-artifact

I think we need to set overwrite: true in the upload artifact for this to work how it was working before. As the documentation says, artifacts are now immutable.

[ivanvc]

@jmhbnz, from what I've seen, dependencies out of the go.mod scope are also out of the scope for the weekly dependency management. Is it okay if I take this GitHub action dependency update? (or maybe @ahrtr, as I see you thumbed-up my comment).

[jmhbnz]

@jmhbnz, from what I've seen, dependencies out of the go.mod scope are also out of the scope for the weekly dependency management. Is it okay if I take this GitHub action dependency update? (or maybe @ahrtr, as I see you thumbed-up my comment).

This is a good catch on the breaking change @ivanvc. Agree let's not merge these dependabot pr's and raise one pr manually that bumps both upload and download actions at the same time updating config as required.

Please feel free to raise the pr or open an issue for it @ivanvc 🙏🏻

Will mark the two dependabot pr's as request changes so we don't merge in the interim.

[ivanvc]

@jmhbnz, after reading the documentation and testing it on my fork, I can confirm that we don't need to make any changes.

My only suggestion is to use the same format to reference the image with the commit SHA as we do with other action references.

actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4

Edit: We may want to update both in the same commit, as the documentation says neither is backward compatible.

[dependabot]

Looks like actions/download-artifact is up-to-date now, so this is no longer needed.