Document that actions/download-artifact@v3 must be used to download provenance (#3067)

jkreileder · laurentsimon · web-flow · commit 909340784f52 · 2024-01-08T23:46:14.000Z
Fixes #3066 --------- Signed-off-by: Jürgen Kreileder <jk@blackdown.de> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
diff --git a/internal/builders/docker/README.md b/internal/builders/docker/README.md
@@ -42,6 +42,8 @@ type that provides the full details on the build process.
   - [The `build` subcommand](#the-build-subcommand)
   - [The `verify` command](#the-verify-command)
 - [Users](#users)
+- [Known Issues](#known-issues)
+  - [Compatibility with `actions/download-artifact`](#compatibility-with-actionsdownload-artifact)
 
 <!-- tocstop -->
 
@@ -403,3 +405,14 @@ The following project currently use the container-based workflow:
 
 We welcome any success stories. Please create a PR to add your project to the
 list, if you are using the container-based workflow.
+
+## Known Issues
+
+### Compatibility with `actions/download-artifact`
+
+To download provenance (e.g., if you don't use `upload-assets`) you have to
+use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact).
+The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact)
+which is
+[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes)
+with `actions/download-artifact@v4`.
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -46,6 +46,7 @@ project simply generates provenance as a separate step in an existing workflow.
   - [Skip output 'hashes' since it may contain secret](#skip-output-hashes-since-it-may-contain-secret)
   - ['internal error' when using `upload-assets`](#internal-error-when-using-upload-assets)
   - [error updating to TUF remote mirror: tuf: invalid key](#error-updating-to-tuf-remote-mirror-tuf-invalid-key)
+  - [Compatibility with `actions/download-artifact`](#compatibility-with-actionsdownload-artifact)
 
 <!-- tocstop -->
 
@@ -1467,3 +1468,12 @@ using a release tag in order to allow verification by `slsa-verifier`.
 ```yaml
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
 ```
+
+### Compatibility with `actions/download-artifact`
+
+To download provenance (e.g., if you don't use `upload-assets`) you have to
+use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact).
+The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact)
+which is
+[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes)
+with `actions/download-artifact@v4`.
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
@@ -22,6 +22,7 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
   - [BuildConfig Format](#buildconfig-format)
 - [Known Issues](#known-issues)
   - [error updating to TUF remote mirror: tuf: invalid key](#error-updating-to-tuf-remote-mirror-tuf-invalid-key)
+  - [Compatibility with `actions/download-artifact`](#compatibility-with-actionsdownload-artifact)
 
 <!-- tocstop -->
 
@@ -421,3 +422,12 @@ release tag in order to allow verification by `slsa-verifier`.
 ```yaml
 uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0
 ```
+
+### Compatibility with `actions/download-artifact`
+
+To download provenance (e.g., if you don't use `upload-assets`) you have to
+use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact).
+The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact)
+which is
+[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes)
+with `actions/download-artifact@v4`.
