ci: switch to dawidd6/action-download-artifact for cross-run downloads#6551
Conversation
actions/download-artifact v4+ routes cross-run artifact downloads through Azure Blob Storage, which fails intermittently from self-hosted k8s runners. dawidd6/action-download-artifact uses the GitHub API instead and avoids this issue. Pinned to ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5.
mythical-fred
left a comment
There was a problem hiding this comment.
The diagnosis matches what I've seen elsewhere: post-v4 actions/download-artifact routes cross-run downloads via Azure Blob, which is flaky from self-hosted runners behind certain egress paths. Switching to dawidd6/action-download-artifact (GitHub API path) is a reasonable workaround, and the input rename (run-id → run_id, github-token → github_token) is correct for this action's schema.
One concern worth addressing before merge: the pinned SHA ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 is tag v11, released 2025-06-14. The current release is v21 (2026-04-28) — that's ten majors and ~12 months of fixes behind, including changes to the artifact-download path and node runtime bumps. SHA pinning is good, but pin to a current SHA. Suggest bumping to v21's SHA b6e2e70617bc3265edd6dab6c906732b2f1ae151 (or the latest stable at merge time) and keep the # pinned to vXX comment so future bumps are visible in git blame.
Also: this action requires the actions: read permission on the workflow to call the GitHub artifacts API. Both adapter-tests and the other job in this file already have permissions: actions: read at the top of the workflow — good — but please verify the other workflows that consume the same uploaded artifact don't need updating too (the diff here only touches test-adapters.yml).
Not blocking — the change is small and correct in shape — but the v11 pin should be addressed.
mythical-fred
left a comment
There was a problem hiding this comment.
Pin bump to v21 (b6e2e706…) addresses the stale-SHA note from the prior pass. Action args are now using the v21 underscore form (run_id, github_token), which matches dawidd6/action-download-artifact's input names. LGTM.
actions/download-artifact v4+ routes cross-run artifact downloads through Azure Blob Storage, which fails intermittently from self-hosted k8s runners. dawidd6/action-download-artifact uses the GitHub API instead and avoids this issue. Pinned to ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5.