Bump the github-actions group with 3 updates

[dependabot[bot]]

Bumps the github-actions group with 3 updates: actions/setup-python, actions/upload-artifact and actions/download-artifact.

Updates actions/setup-python from 4.7.1 to 5.0.0

Release notes

Sourced from actions/setup-python's releases.

v5.0.0

What's Changed

In scope of this release, we update node version runtime from node16 to node20 (actions/setup-python#772). Besides, we update dependencies to the latest versions.

Full Changelog: https://github.com/actions/setup-python/compare/v4.8.0...v5.0.0

v4.8.0

What's Changed

In scope of this release we added support for GraalPy (actions/setup-python#694). You can use this snippet to set up GraalPy:

steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4 
  with:
    python-version: 'graalpy-22.3' 
- run: python my_script.py

Besides, the release contains such changes as:

• Trim python version when reading from file by @​FerranPares in actions/setup-python#628
• Use non-deprecated versions in examples by @​jeffwidman in actions/setup-python#724
• Change deprecation comment to past tense by @​jeffwidman in actions/setup-python#723
• Bump @​babel/traverse from 7.9.0 to 7.23.2 by @​dependabot in actions/setup-python#743
• advanced-usage.md: Encourage the use actions/checkout@v4 by @​cclauss in actions/setup-python#729
• Examples now use checkout@v4 by @​simonw in actions/setup-python#738
• Update actions/checkout to v4 by @​dmitry-shibanov in actions/setup-python#761

New Contributors

• @​FerranPares made their first contribution in actions/setup-python#628
• @​timfel made their first contribution in actions/setup-python#694
• @​jeffwidman made their first contribution in actions/setup-python#724

Full Changelog: https://github.com/actions/setup-python/compare/v4...v4.8.0

Commits

• 0a5c615 Update action to node20 (#772)
• 0ae5836 Add example of GraalPy to docs (#773)
• b64ffca update actions/checkout to v4 (#761)
• 8d28961 Examples now use checkout@v4 (#738)
• 7bc6abb advanced-usage.md: Encourage the use actions/checkout@v4 (#729)
• e8111ce Bump @​babel/traverse from 7.9.0 to 7.23.2 (#743)
• a00ea43 add fix for graalpy ci (#741)
• 8635b1c Change deprecation comment to past tense (#723)
• f6cc428 Use non-deprecated versions in examples (#724)
• 5f2af21 Add GraalPy support (#694)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 3.1.3 to 4.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the @​actions/artifact documentation.

New Contributors

• @​vmjoseph made their first contribution in actions/upload-artifact#464

Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v4.0.0

Commits

• c7d193f Merge pull request #466 from actions/v4-beta
• 13131bb licensed cache
• 4a6c273 Merge branch 'main' into v4-beta
• f391bb9 Merge pull request #465 from actions/robherley/v4-documentation
• 9653d03 Apply suggestions from code review
• 875b630 add limitations section
• ecb2146 add compression example
• 5e7604f trim some repeated info
• d6437d0 naming
• 1b56155 s/v4-beta/v4/g
• Additional commits viewable in compare view

Updates actions/download-artifact from 3.0.2 to 4.1.0

Release notes

Sourced from actions/download-artifact's releases.

v4.1.0

What's Changed

• Some cleanup by @​robherley in actions/download-artifact#247
• Fix default for run-id by @​stchr in actions/download-artifact#252
• Support pattern matching to filter artifacts & merge to same directory by @​robherley in actions/download-artifact#259

New Contributors

• @​stchr made their first contribution in actions/download-artifact#252

Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.0

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the @​actions/artifact documentation.

New Contributors

• @​bflad made their first contribution in actions/download-artifact#194

Full Changelog: https://github.com/actions/download-artifact/compare/v3...v4.0.0

Commits

• f44cd7b Merge pull request #259 from actions/robherley/glob-downloads
• 3181fe8 add some migration docs
• aaaac7b licensed cache
• 7c9182f update readme
• b94e701 licensed cache
• 0b55470 add test case for globbed downloads to same directory
• 0b51c2e update prettier/eslint versions
• c4c6db7 support globbing artifact list & merging download directory
• 1bd0606 Merge pull request #252 from stchr/patch-1
• eff4d42 fix default for run-id
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

[davidism]

@dependabot ignore actions/upload-artifact major version

[dependabot[bot]]

OK, I won't notify you about version 4.x.x of actions/upload-artifact again, unless you unignore it.

[davidism]

@dependabot ignore actions/download-artifact major version

[dependabot[bot]]

OK, I won't notify you about version 4.x.x of actions/download-artifact again, unless you unignore it.

[dependabot[bot]]

Looks like these dependencies are updatable in another way, so this is no longer needed.

[davidism]

We need to ignore upload-artifact and download-artifact v4 until slsa-generator uses v4 instead of v3. Otherwise, the provenance doesn't get downloaded to be included in the release.

[pamelafox]

@davidism Ah, got it, thanks for commenting!

[davidism]

Here's the issue to watch to know when we can upgrade: https://github.com/slsa-framework/slsa-github-generator/issues/3068