Failures when running on GHES due to actions/upload-artifact@v4 not being supported

[rsenden]

Current Behavior

When trying to run the Fortify GitHub Action on GitHub Enterprise Server (GHES), it will fail due to actions/upload-artifact@v4 not being supported on GHES: https://github.com/marketplace/actions/upload-a-build-artifact#v4---whats-new

Expected Behavior

The Fortify GitHub Action should run successfully on both github.com and GHES.

Steps To Reproduce

Just attempt to run the Fortify GitHub Action on GHES

Anything else?

There are currently 4 places where we use actions/upload-artifact@v4:

• fod-export & ssc-export: Always try to upload SARIF file for debugging purposes
• package: Upload package & logs if DO_PACKAGE_DEBUG is set to true

Some potential work-arounds:

• Use actions/upload-artifact@v3 instead for the time being, but this will likely fail on github.com as stated here: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
• Create an internal/upload-artifact sub-action that automatically selects between v3 and v4 of actions/upload-artifact depending on whether the action is running in GHES (or maybe there's already such an action publicly available?), then use that action for uploading debug artifacts. Main drawback is that GitHub downloads all referenced actions when a job starts, so we'd always be downloading both versions of actions/upload-artifact.
• Don't upload artifacts when running on GHES, however this means losing debugging capabilities.
• Create separate Fortify GitHub Actions for github.com and GHES

[rsenden]

Looks like the first two options are not possible as actions/upload-artifact@v3 fails to download on github.com (tried both @v3 and @<v3 commit SHA>):

So, unless we find a workaround for downloading @v3 on github.com, like cloning the v3 action, it seems like our only options are to either skip the upload/ignore upload errors on GHES, or creating a separate Fortify GitHub Action for GHES.