[bug]Hidden files excluded #610
Comments
|
The PR was closed as off-topic, pointing to the issue which itself was then closed as too heated. Come on Github, allow people to let off steam in comments. If you keep closing things they will post elsewhere where you can't stop them. Original PR: The issue it points to #602: |
|
I believe that SemVer should be a required course in university for CS students. And it is more important than any other course they might take. |
|
Please rollback this change. It broke everything. |
|
I'm not happy that I had to waste three hours on this but the reactions are over the top. The fix is minimal: include-hidden-files: true |
|
Not that I actually read this blog post but two weeks notice seems to be a little short. |
I have a subscription for the GH blog, but somehow this one I did not see. I had whole folder named |
|
It's quite something that GitHub didn't at all mention the reason for making the change in the blog post. This is the reason: the "ArtiPACKED" vulnerability https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens |
Just multiply this by 100 repositories.. Plus if you simply go and apply the parameter it very much defeats the purpose - this change was meant to be introduced so that credentials/sensitive info don't get accidentally exposed. What good does it do now when people are in a rush to just fix their pipelines? |
|
@jakub-lesniak-ikea yes you are totally right here. It's a pure blame shifting strategy. Now one can blame the customer: you enabled that inclusion of hidden files so it's your fault not Github's (without telling the user that hidden files might include GitHub tokens?) |
|
This is a terrible change, with an incredibly short release ramp. This version should have been a 5.0 version |
…ad-artifact#610 and caused by upload-artifact#602
actions/upload-artifact#610 某个版本开始必须明确指定包含隐藏文件,
|
Pushing this change without a major version is an absolute indictment of the practices that are being followed. In my humble opinion, applying SemVer practices is the bare minimum for utilities and tools that are used as widely as this. Not to mention that there's nothing that requires me to update to the 'latest version' like other tools used in development. Nope, updates to this tooling are automatically applied based on the standard/recommended approach for implementation. Not only is this guaranteed to break an incredible number of pipelines across GitHub (it sure broke mine), finding out why requires people to come to the issues register for the action. Considering this is an officially maintained action, the last thing that came to mind is a breaking change being pushed to all pipelines globally without so much as even a special message in the log output to make people aware of this in the event things are breaking. I was lucky, in that I had The justification for this was "security reasons". Understood - security is important, but let's not forget that one of the key tenets of information security is availability - something that has no doubt been impacted for many applications as a result of this. In addition, who knows what other security implications apps deploying without all the right files may have? Just for one completely random example, let's consider a missing .htaccess file. There goes whatever access restrictions were implemented via that mechanism - potentially exposing sensitive areas of a site or app to the public web. The way this has been approached is downright dangerous. People rely on these tools to work in a predictable manner, and when they don't, the only result is chaos. |
|
2 days and it's still a problem, This should of been fixed ASAP... |
|
Can't believe that I have to find out this way after trying for hours to figure out what happened since our deployment process was suddenly broken. How is a breaking change that completely changes behaviour a minor update? Two weeks deprecation warning is insane for a library like this |
|
Whoever decided to deploy this breaking change in a minor release before a holiday weekend should be fired, with cause. |
Go tell that to the people who had an outage and had no clue why |
|
I agree! It took me half a day to figure it out. In our particular use case, it was not an issue because we are still in the development phase, but if an important bug fix delivery had been blocked because of this, it could have been costly. |
|
Can we get an update about the plan for moving forward? Dependabot is pushing me to install 4.4.0, but I don't want to add |
|
This caught us off-guard too. There's a behaviour problem with this option too. It makes sense that hidden files are not considered when recursively globbing directories. However, an exact match of file paths is also not considered. Before, we had (roughly) the following options set on the action:
|
* fix(deps): upgrade devDependencies (minor) * fix(test): upload github.com/actions/upload-artifact/issues/610 * fix(ci-check): move include hidden --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: ariellalgilmore <[email protected]>
|
Hidden files are intentionally excluded, that is not a bug. As for the behavior of explicitly referenced hidden files: This - name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: my-artifact
path: |
.my-hidden-fileis the same as - name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: my-artifact
include-hidden-files: false
path: |
.my-hidden-fileAs that's the default value of Lines 43 to 47 in b18b1d3 So that is working as intended, but I'm open to changing the behavior if it's confusing for a majority of users. Feel free to file an issue specific to that request and we can gather more feedback. |
|
@joshmgross can we have a better idea of the plan moving forward with this library to avoid potential future issues? The lack of complete SemVer commitment is leaving our organization nervous to continue to use this action. |
Across the two or three issues about the change in behavior, there are already a number of people asking that explicitly named hidden files be uploaded without having to allow all hidden files. What more feedback do you need? |
|
If a new issue will help, I wrote #614 to discuss it. |
See #602 (comment) Breaking semantic versioning conventions is a rare exception. Breaking changes will always be announced in release notes, and the vast majority of breaking changes will be accompanied with the appropriate major version. If you do not want to take that risk, I'd recommend pinning your workflows to an exact tag or SHA. You can use Dependabot to keep your actions up to date and evaluate the release notes before opting into any changes - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions. |
|
After more than a week I am still amazed by the lack of understanding by the maintainers of this repository that you have failed the community. There's not even a single person that would support what you have done. For the continued lack of commitment to sem ver - you are endangering everyone. You had one responsibility on your part - to upload the files that you were asked to upload. It is not your call to decide what is dangerous, what you are not going to upload - this is simply other people responsibility. Someone gave a great example with
How can we trust your tags if you have broken the commitment already? What's the guarantee that next time you don't decide to introduce breaking changes in patch releases? Semver is well documented and understood. Breaking semver means that you are simply unpredictable - there's no documented alternative. Everyone can understand that people make mistakes. That is expected and does happen. However what happens here is:
|
|
@jakub7722 I agree almost entirely with your comments, just two slight qualifications:
I might be mistaken here, but I thought that (at least until recently) dependabot didn't work with Github actions pinned to anything but major version. If that's been changed or my memory is wrong that'd be great news! |
|
As a followup, Github docs say the following (emphasis mine):
If you want everyone to pin to commit SHAs and discourage using tags, that's fine, but it's not something that Github org as a whole seems to recommend, so you might want to check internally to align your messaging. Also note that dependabot support for pinned SHAs is not great. In this case, it bumped the SHA but didn't mention it in the PR summary. There's no indication of what changed (changelog) for the sha bump in the PR description. Before you recommend users do that and suggesting that dependabot supports that use case, please double check with the dependabot team. I made a test repo to check your claims of dependabot support: corneliusroemer/dependabot-ghactions-test#2 
Further evidence of dependabot struggling: I downgraded and pinned two more actions, to test whether dependabot would make PRs. It didn't. Downgrade commit: Dependabot run on that commit that didn't result in any PRs (it should have, if GHA were fully supported at sub-major-tag-level and sha-level, which is necessary for your suggestion to make sense): https://github.com/corneliusroemer/dependabot-ghactions-test/actions/runs/10830167324 
So to me it seems that the following statement made here by @joshmgross is not correct in its generality and should be struck/qualified:
In particular, when pinning at sub-major-tag, one doesn't seem to get tag updates, unless one is lucky (?). Also, release notes ignore the sha updates. |
|
this is how you lose trust in your customers, and lose users to other products |
|
This cost me around 4 dev-hours over 10 calendar days of broken software... so far. Software that gives the outward appearance of adhering to Semantic Versioning shouldn't ship backwards-incompatible behavior changes without a major version bump, and doing so is a bug. |
|
pinning to a commit SHA, an identifier that is not human readable/friendly, is the biggest joke in software versioning ... we are regressing |
No description provided.
The text was updated successfully, but these errors were encountered: