Merge branch 'main' into fix/deprecated-nodejs-usage-in-action

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,20 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -46,14 +46,19 @@ jobs:
     - name: Test
       run: npm run test
 
-    # Test end-to-end by uploading two artifacts and then downloading them
+    # Test end-to-end by uploading a few artifacts and then downloading them
     - name: Create artifact files
       run: |
         mkdir -p path/to/dir-1
         mkdir -p path/to/dir-2
         mkdir -p path/to/dir-3
+        mkdir -p symlink/
         echo "Lorem ipsum dolor sit amet" > path/to/dir-1/file1.txt
         echo "Hello world from file #2" > path/to/dir-2/file2.txt
+        echo "Hello from a symlinked file" > symlink/original.txt
+        ln -s $(pwd)/symlink/original.txt symlink/abs.txt
+        ln -s original.txt symlink/rel.txt
+      shell: bash
 
     # Upload a single file artifact
     - name: 'Upload artifact #1'
@@ -79,6 +84,14 @@ jobs:
           path/to/dir-[23]/*
           !path/to/dir-3/*.txt
 
+    - name: 'Upload symlinked artifact'
+      uses: ./
+      with:
+        name: 'Symlinked-Artifact-${{ matrix.runs-on }}'
+        path: |
+          symlink/abs.txt
+          symlink/rel.txt
+
     # Download Artifact #1 and verify the correctness of the content
     - name: 'Download artifact #1'
       uses: actions/download-artifact@v4
@@ -141,6 +154,34 @@ jobs:
         }
       shell: pwsh
 
+    - name: 'Download symlinked artifact'
+      uses: actions/download-artifact@v4
+      with:
+        name: 'Symlinked-Artifact-${{ matrix.runs-on }}'
+        path: from/symlink
+
+    - name: 'Verify symlinked artifact'
+      run: |
+        $abs = "from/symlink/abs.txt"
+        if(!(Test-Path -path $abs))
+        {
+            Write-Error "Expected file does not exist"
+        }
+        if(!((Get-Content $abs) -ceq "Hello from a symlinked file"))
+        {
+            Write-Error "File contents of downloaded artifact are incorrect"
+        }
+        $rel = "from/symlink/rel.txt"
+        if(!(Test-Path -path $rel))
+        {
+            Write-Error "Expected file does not exist"
+        }
+        if(!((Get-Content $rel) -ceq "Hello from a symlinked file"))
+        {
+            Write-Error "File contents of downloaded artifact are incorrect"
+        }
+      shell: pwsh
+
     - name: 'Alter file 1 content'
       run: |
         echo "This file has changed" > path/to/dir-1/file1.txt

README.md

@@ -64,6 +64,7 @@ There is also a new sub-action, `actions/upload-artifact/merge`. For more info,
     Due to how Artifacts are created in this new version, it is no longer possible to upload to the same named Artifact multiple times. You must either split the uploads into multiple Artifacts with different names, or only upload once. Otherwise you _will_ encounter an error.
 
 3. Limit of Artifacts for an individual job. Each job in a workflow run now has a limit of 500 artifacts.
+4. With `v4.4` and later, hidden files are excluded by default.
 
 For assistance with breaking changes, see [MIGRATION.md](docs/MIGRATION.md).
 
@@ -107,6 +108,12 @@ For assistance with breaking changes, see [MIGRATION.md](docs/MIGRATION.md).
     # Does not fail if the artifact does not exist.
     # Optional. Default is 'false'
     overwrite:
+
+    # Whether to include hidden files in the provided path in the artifact
+    # The file contents of any hidden files in the path should be validated before
+    # enabled this to avoid uploading sensitive information.
+    # Optional. Default is 'false'
+    include-hidden-files:
 ```
 
 ### Outputs
@@ -410,6 +417,28 @@ jobs:
           overwrite: true
 ```
 
+### Uploading Hidden Files
+
+By default, hidden files are ignored by this action to avoid unintentionally uploading sensitive information.
+
+If you need to upload hidden files, you can use the `include-hidden-files` input.
+Any files that contain sensitive information that should not be in the uploaded artifact can be excluded
+using the `path`:
+
+```yaml
+- uses: actions/upload-artifact@v4
+  with:
+    name: my-artifact
+    include-hidden-files: true
+    path: |
+      path/output/
+      !path/output/.production.env
+```
+
+Hidden files are defined as any file beginning with `.` or files within folders beginning with `.`.
+On Windows, files and directories with the hidden attribute are not considered hidden files unless
+they have the `.` prefix.
+
 ## Limitations
 
 ### Number of Artifacts

__tests__/search.test.ts

@@ -61,6 +61,20 @@ const lonelyFilePath = path.join(
   'lonely-file.txt'
 )
 
+const hiddenFile = path.join(root, '.hidden-file.txt')
+const fileInHiddenFolderPath = path.join(
+  root,
+  '.hidden-folder',
+  'folder-in-hidden-folder',
+  'file.txt'
+)
+const fileInHiddenFolderInFolderA = path.join(
+  root,
+  'folder-a',
+  '.hidden-folder-in-folder-a',
+  'file.txt'
+)
+
 describe('Search', () => {
   beforeAll(async () => {
     // mock all output so that there is less noise when running tests
@@ -93,6 +107,14 @@ describe('Search', () => {
       recursive: true
     })
 
+    await fs.mkdir(
+      path.join(root, '.hidden-folder', 'folder-in-hidden-folder'),
+      {recursive: true}
+    )
+    await fs.mkdir(path.join(root, 'folder-a', '.hidden-folder-in-folder-a'), {
+      recursive: true
+    })
+
     await fs.writeFile(searchItem1Path, 'search item1 file')
     await fs.writeFile(searchItem2Path, 'search item2 file')
     await fs.writeFile(searchItem3Path, 'search item3 file')
@@ -110,10 +132,19 @@ describe('Search', () => {
     await fs.writeFile(amazingFileInFolderHPath, 'amazing file')
 
     await fs.writeFile(lonelyFilePath, 'all by itself')
+
+    await fs.writeFile(hiddenFile, 'hidden file')
+    await fs.writeFile(fileInHiddenFolderPath, 'file in hidden directory')
+    await fs.writeFile(fileInHiddenFolderInFolderA, 'file in hidden directory')
     /*
       Directory structure of files that get created:
       root/
+          .hidden-folder/
+              folder-in-hidden-folder/
+                  file.txt
           folder-a/
+              .hidden-folder-in-folder-a/
+                  file.txt
               folder-b/
                   folder-c/
                       search-item1.txt
@@ -136,6 +167,7 @@ describe('Search', () => {
               folder-j/
                   folder-k/
                       lonely-file.txt
+          .hidden-file.txt
           search-item5.txt
     */
   })
@@ -352,4 +384,24 @@ describe('Search', () => {
     )
     expect(searchResult.filesToUpload.includes(lonelyFilePath)).toEqual(true)
   })
+
+  it('Hidden files ignored by default', async () => {
+    const searchPath = path.join(root, '**/*')
+    const searchResult = await findFilesToUpload(searchPath)
+
+    expect(searchResult.filesToUpload).not.toContain(hiddenFile)
+    expect(searchResult.filesToUpload).not.toContain(fileInHiddenFolderPath)
+    expect(searchResult.filesToUpload).not.toContain(
+      fileInHiddenFolderInFolderA
+    )
+  })
+
+  it('Hidden files included', async () => {
+    const searchPath = path.join(root, '**/*')
+    const searchResult = await findFilesToUpload(searchPath, true)
+
+    expect(searchResult.filesToUpload).toContain(hiddenFile)
+    expect(searchResult.filesToUpload).toContain(fileInHiddenFolderPath)
+    expect(searchResult.filesToUpload).toContain(fileInHiddenFolderInFolderA)
+  })
 })

action.yml

@@ -40,6 +40,11 @@ inputs:
       If false, the action will fail if an artifact for the given name already exists.
       Does not fail if the artifact does not exist.
     default: 'false'
+  include-hidden-files:
+    description: >
+      If true, hidden files will be included in the artifact.
+      If false, hidden files will be excluded from the artifact.
+    default: 'false'
 
 outputs:
   artifact-id: