Release asset not found when triggered from release event

[richbrowne-openfin]

Behaviour

Expected behaviour

When triggered from release event and adding a release asset to the release in a previous step, the action should be able to download the asset and send it to VirusTotal for analysis.

Actual behaviour

The action sees the added file but cannot download it, and fails with a "(85874065): Not Found" error. I can confirm that the file has been added to the release since I can download the file manually from the release page after the workflow has run. Also, this same workflow works when triggered manually (with slight adjustments to account for having to create the release in the workflow), it just seems to fail with this error when triggered by publishing a new release. I've also tried adding a "sleep" step before crazy-max/ghaction-virustotal to account for any delay in the file being available to download but this made no difference.

Configuration

name: Release

on:
  release:
    types: [published]

jobs:
  release:
    name: Update GitHub Release
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 'lts/*'
          registry-url: https://registry.npmjs.org

      - name: Download artifacts
        uses: actions/download-artifact@v3
        with:
          path: artifacts

      - name: Update release
        uses: ncipollo/release-action@v1.11.2
        with:
          allowUpdates: ${{ true }}
          artifacts: 'artifacts/release.zip'
          tag: ${{ env.GITHUB_REF_NAME }}
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload adapter zip file to VirusTotal
        if: '!github.event.release.prerelease'
        id: virustotal-scan
        uses: crazy-max/ghaction-virustotal@v3.2.0
        with:
          files: |
            .zip$
          vt_api_key: ${{ secrets.VIRUSTOTAL_API_KEY }}

Logs

2022-11-24T23:22:16.3312894Z ##[group]Run ncipollo/release-action@v1.11.2
2022-11-24T23:22:16.3313303Z with:
2022-11-24T23:22:16.3313510Z   allowUpdates: true
2022-11-24T23:22:16.3313905Z   artifacts: artifacts/release.zip
2022-11-24T23:22:16.3314232Z   name: v1.4.0-beta.1
2022-11-24T23:22:16.3314459Z   omitPrereleaseDuringUpdate: true
2022-11-24T23:22:16.3314909Z   token: ***
2022-11-24T23:22:16.3315119Z   generateReleaseNotes: false
2022-11-24T23:22:16.3315329Z   omitBody: false
2022-11-24T23:22:16.3315539Z   omitBodyDuringUpdate: false
2022-11-24T23:22:16.3315775Z   omitDraftDuringUpdate: false
2022-11-24T23:22:16.3316075Z   omitName: false
2022-11-24T23:22:16.3316428Z   omitNameDuringUpdate: false
2022-11-24T23:22:16.3316649Z   removeArtifacts: false
2022-11-24T23:22:16.3316864Z   replacesArtifacts: true
2022-11-24T23:22:16.3317086Z   skipIfReleaseExists: false
2022-11-24T23:22:16.3317879Z   updateOnlyUnreleased: false
2022-11-24T23:22:16.3318110Z env:
2022-11-24T23:22:16.3318338Z   NPM_CONFIG_USERCONFIG: C:\actions-runner\_work\_temp\.npmrc
2022-11-24T23:22:16.3318612Z   NODE_AUTH_TOKEN: XXXXX-XXXXX-XXXXX-XXXXX
2022-11-24T23:22:16.3318820Z ##[endgroup]
2022-11-24T23:22:27.9887938Z ##[group]Run crazy-max/ghaction-virustotal@v3.2.0
2022-11-24T23:22:27.9888713Z with:
2022-11-24T23:22:27.9889212Z   files: .zip$
2022-11-24T23:22:27.9890198Z   vt_api_key: ***
2022-11-24T23:22:27.9890741Z   vt_monitor: false
2022-11-24T23:22:27.9891293Z   monitor_path: /
2022-11-24T23:22:27.9891887Z   update_release_body: false
2022-11-24T23:22:27.9892767Z   github_token: ***
2022-11-24T23:22:27.9893296Z   request_rate: 0
2022-11-24T23:22:27.9893989Z env:
2022-11-24T23:22:27.9894685Z   NPM_CONFIG_USERCONFIG: C:\actions-runner\_work\_temp\.npmrc
2022-11-24T23:22:27.9895532Z   NODE_AUTH_TOKEN: XXXXX-XXXXX-XXXXX-XXXXX
2022-11-24T23:22:27.9896175Z ##[endgroup]
2022-11-24T23:22:28.3972094Z Release event detected for refs/tags/v1.4.0-beta.1 in this workflow. Preparing to scan assets...
2022-11-24T23:22:28.7701951Z 1 asset(s) will be sent to VirusTotal for analysis.
2022-11-24T23:22:28.7714764Z ##[group]1 asset(s) will be sent to VirusTotal for analysis.
2022-11-24T23:22:28.8623900Z ##[endgroup]
2022-11-24T23:22:28.8716486Z ##[error]Cannot download release asset release.zip (85874782): Not Found

[nikhilbadyal]

Add a sleep of about 10s or more (experiment required) between actual release event and trigger of this virus total action. I faced the same issue and was fixed by this

[richbrowne-openfin]

@nikhilbadyal thanks for the suggestion, but no matter how long a delay I add it makes no difference. As such I've dumped this action and am scripting the API calls myself.