Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bug] Explicitly requested hidden files should be uploaded without allowing all hidden files #614

Open
nedbat opened this issue Sep 11, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@nedbat
Copy link

nedbat commented Sep 11, 2024

What happened?

Many people were surprised by the change that hidden files are no longer uploaded unless hidden-files: true is set. Even explicitly named files are not uploaded. This is confusing, and encourages people to turn off the safety feature completely.

If I name a hidden file, it should be uploaded regardless of the setting.

To make an analogy: ls ignores hidden files. ls -a shows them all. ls .gitignore shows me the hidden .gitignore file even without the -a flag.

Previous comments:

What did you expect to happen?

Explicitly named hidden files should be uploaded.

How can we reproduce it?

Many examples are in the other issues.

Anything else we need to know?

No response

What version of the action are you using?

v4.4.0

What are your runner environments?

linux, window, macos

Are you on GitHub Enterprise Server? If so, what version?

No response

@nedbat nedbat added the bug Something isn't working label Sep 11, 2024
@WorldSEnder
Copy link

WorldSEnder commented Sep 11, 2024

I agree with the sentiment of the issue, In case it gets decided that the current behaviour is intended (or while discussion about it is on-going), I would suggest that explicitly specified filepaths that end up being ignored should lead to an error or big fat warning telling you about it. There is currently no difference in behaviour between

- uses: actions/upload-artifact@v4
  with:
    name: my-artifact
    path: .my-hidden-file

and not specifying such a path at all, as in,

- uses: actions/upload-artifact@v4
  with:
    name: my-artifact
    path: ""

so in almost every case I can think of, the former is a configuration mistake that should throw up some flags. It currently makes no sense to specify a path with a leading dot without also setting include-hidden-files: true.

@nedbat
Copy link
Author

nedbat commented Oct 9, 2024

I'm disappointed that this hasn't even been discussed on this issue. I love that you are taking security seriously by preventing accidental upload of sensitive data. But it's really disappointing that you are telling us to simply switch it all off, and not discussing more sophisticated approaches.

Can we at least get a response here?

kbattocchi added a commit to py-why/EconML that referenced this issue Oct 9, 2024
A breaking change to the upload-artifact GitHub Action has broken uploading coverage files (not only for us, see actions/upload-artifact#614) and has not been reverted. This change will fix that by enabling hidden files only for those uploads.

Signed-off-by: Keith Battocchi <[email protected]>
kbattocchi added a commit to py-why/EconML that referenced this issue Oct 11, 2024
A breaking change to the upload-artifact GitHub Action has broken uploading coverage files (not only for us, see actions/upload-artifact#614) and has not been reverted. This change will fix that by enabling hidden files only for those uploads.

Signed-off-by: Keith Battocchi <[email protected]>
nedbat added a commit to nedbat/coveragepy that referenced this issue Nov 2, 2024
upload-artifact tries to protect me by refusing to upload hidden files,
even if I explicitly request those files with my `path` setting.  Issue
here: actions/upload-artifact#614

I have to enable hidden file uploads to get it to work with 4.4.
nedbat added a commit to nedbat/coverage-reports that referenced this issue Nov 2, 2024
upload-artifact tries to protect me by refusing to upload hidden files,
even if I explicitly request those files with my `path` setting.  Issue
here: actions/upload-artifact#614

I have to enable hidden file uploads to get it to work with 4.4.

https://htmlpreview.github.io/?https://github.com/nedbat/coverage-reports/blob/main/reports/20241102_ea2263f669/htmlcov/index.html
ea2263f669: master
@John0x
Copy link

John0x commented Nov 9, 2024

Just had a deployment fail on me silently, because not all necessary files were uploaded for the application to run.

Not a cool move guys, to just change the default behaviour in such a drastic way

@make-github-pseudonymous-again

Does it not make perfect sense that include-hidden-files: false is something that does not apply to explicitly listed files. Should apply only to derived paths, such as those generated by globs (*) or recursive directory walks. What are we missing?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants