Security fixes for CVE: https://nvd.nist.gov/vuln/detail/cve-2024-42471 by updating to use actions/download-artifact@v4 and actions/upload-artifact@v4

philipc-mw · Prabhakar Kumar · commit 739b1b12e0d8 · 2024-09-05T10:06:01.000Z
The CVE is in v3 of actions/download-artifact, but is fixed in v4.1.7, see details here: https://vulners.com/github/GHSA-CXWW-7G56-2VH6
diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml
@@ -34,6 +34,7 @@ jobs:
   python_unit_tests:
     env:
       code-cov-py: "3.11"
+      code-cov-os: "ubuntu-latest"
     strategy:
       fail-fast: false
       matrix:
@@ -71,8 +72,8 @@ jobs:
         run: python3 -m pytest --cov --cov-report=xml tests/unit
 
       - name: Persist coverage data to be uploaded if all jobs are successful.
-        if: ${{matrix.python-version == env.code-cov-py }}
-        uses: actions/upload-artifact@v3
+        if: ${{matrix.python-version == env.code-cov-py && matrix.os == env.code-cov-os}}
+        uses: actions/upload-artifact@v4
         with:
           name: coverage_file
           path: ./coverage.xml
@@ -114,7 +115,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Get coverage files from previous job
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: coverage_file
 
@@ -126,4 +127,4 @@ jobs:
           files: ./coverage.xml
           fail_ci_if_error: true
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}
