upload-artifact icon indicating copy to clipboard operation
upload-artifact copied to clipboard
verified publisher icon actions

[bug] Explicitly requested hidden files should be uploaded without allowing all hidden files

Open nedbat opened this issue 1 year ago • 4 comments

What happened?

Many people were surprised by the change that hidden files are no longer uploaded unless hidden-files: true is set. Even explicitly named files are not uploaded. This is confusing, and encourages people to turn off the safety feature completely.

If I name a hidden file, it should be uploaded regardless of the setting.

To make an analogy: ls ignores hidden files. ls -a shows them all. ls .gitignore shows me the hidden .gitignore file even without the -a flag.

Previous comments:

  • https://github.com/actions/upload-artifact/issues/602#issuecomment-2325094043 (25 upvotes)
  • https://github.com/actions/upload-artifact/issues/602#issuecomment-2325360581 (6 upvotes)
  • https://github.com/actions/upload-artifact/issues/602#issuecomment-2325375426 (11 upvotes)
  • https://github.com/actions/upload-artifact/issues/610#issuecomment-2341202469 (5 upvotes)

What did you expect to happen?

Explicitly named hidden files should be uploaded.

How can we reproduce it?

Many examples are in the other issues.

Anything else we need to know?

No response

What version of the action are you using?

v4.4.0

What are your runner environments?

linux, window, macos

Are you on GitHub Enterprise Server? If so, what version?

No response

nedbat avatar Sep 11 '24 17:09 nedbat

I agree with the sentiment of the issue, In case it gets decided that the current behaviour is intended (or while discussion about it is on-going), I would suggest that explicitly specified filepaths that end up being ignored should lead to an error or big fat warning telling you about it. There is currently no difference in behaviour between

- uses: actions/upload-artifact@v4
  with:
    name: my-artifact
    path: .my-hidden-file

and not specifying such a path at all, as in,

- uses: actions/upload-artifact@v4
  with:
    name: my-artifact
    path: ""

so in almost every case I can think of, the former is a configuration mistake that should throw up some flags. It currently makes no sense to specify a path with a leading dot without also setting include-hidden-files: true.

WorldSEnder avatar Sep 11 '24 18:09 WorldSEnder

I'm disappointed that this hasn't even been discussed on this issue. I love that you are taking security seriously by preventing accidental upload of sensitive data. But it's really disappointing that you are telling us to simply switch it all off, and not discussing more sophisticated approaches.

Can we at least get a response here?

nedbat avatar Oct 09 '24 09:10 nedbat

Just had a deployment fail on me silently, because not all necessary files were uploaded for the application to run.

Not a cool move guys, to just change the default behaviour in such a drastic way

John0x avatar Nov 09 '24 19:11 John0x

Does it not make perfect sense that include-hidden-files: false is something that does not apply to explicitly listed files. Should apply only to derived paths, such as those generated by globs (*) or recursive directory walks. What are we missing?

make-github-pseudonymous-again avatar Dec 10 '24 14:12 make-github-pseudonymous-again