Build: Bump actions/download-artifact from 3 to 4

[dependabot]

Bumps actions/download-artifact from 3 to 4.

Release notes

Sourced from actions/download-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the @​actions/artifact documentation.

New Contributors

• @​bflad made their first contribution in actions/download-artifact#194

Full Changelog: actions/download-artifact@v3...v4.0.0

v3.0.2

• Bump @actions/artifact to v1.1.1 - actions/download-artifact#195
• Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet Migrate dev environment and workflows to node16  actions/toolkit#1278

v3.0.1

• Bump @​actions/core to 1.10.0

Commits

• 7a1cd32 Merge pull request #246 from actions/v4-beta
• 8f32874 licensed cache
• b5ff844 Merge pull request #245 from actions/robherley/v4-documentation
• f07a0f7 Update README.md
• 7226129 update test workflow to use different artifact names for matrix
• ada9446 update docs and bump @​actions/artifact
• 7eafc8b Merge pull request #244 from actions/robherley/bump-toolkit
• 3132d12 consume latest toolkit
• 5be1d38 Merge pull request #243 from actions/robherley/v4-beta-updates
• 465b526 consume latest @​actions/toolkit
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[softins]

@dependabot rebase

[softins]

Not sure why the CI failed on this. It says:

Error: .github#L1
actions/download-artifact@v4 is not allowed to be used in jamulussoftware/jamulus. Actions in this workflow must be: within a repository owned by jamulussoftware or matching the following: actions/cache@*, actions/checkout@*, actions/create-release@*, actions/upload-artifact@*, github/codeql-action/analyze@*, github/codeql-action/init@*, devbotsxyz/**, devbotsxyz/**, maxim-lobanov/**, doozyx/**, actions/download-artifact@v3, BoundfoxStudios/action-xcode-staple@*, lando/notarize-action@*.

Will try rebasing it again once #3168, #3212, #3213 and #3232 have all been approved and merged.

[softins]

There might be more changes needed to support this version. See download-artifact and MIGRATION.md.

[ann0see]

I think that's a security violation. You'll need to allow the new action in this repos settings.

[softins]

@dependabot rebase

[softins]

I think that's a security violation. You'll need to allow the new action in this repos settings.

Ah yes, I found that it was listing actions/download-artifact@v3 as allowed, so I've changed it to actions/download-artifact@*. We could limit it to v4 if we wanted to. I'm not sure why only that action was listed with a specific version, and all the others with *.

[softins]

Well the job ran successfully this time: https://github.com/jamulussoftware/jamulus/actions/runs/8159077748

But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

[softins]

But the download-artifact action is only used in Create files for .deb repository, which is skipped unless we are building a release. So in order to test the new action, we need to build a test release, or somehow pretend to.

It looks like it's done when pushing a tag matching the regex r\d+_\d+_\d+\S* to the repo, so I will push the tag r3_10_0test to the PR branch to trigger a release build.

[softins]

The run on the test release tag appears from the run log to have downloaded all the artifacts correctly. So I'm happy to approve.

[ann0see]

Maybe worth pushing a nightly in the near future too.