
Update actions/upload-artifact from v3 to v4 #44

Open
sunderee opened this issue Sep 4, 2024 · 2 comments

Comments


sunderee commented Sep 4, 2024

Issue description

This request comes after Dependabot notified me to bump actions/download-artifact from v3 to v4.1.7:

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Example

As per recommendation, I updated my GitHub Actions workflow file:

name: Build and Deploy HydePHP Site to Deployment Branch

on:
  push:
    branches:
      - master

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build HydePHP Site
        uses: hydephp/action@master
        with:
          upload-artifact: true

      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: build
          path: build

      - name: Deploy to deployment branch
        run: |
          git config --global user.name 'GitHub Action'
          git config --global user.email '[email protected]'
          git checkout --orphan deployment
          git rm -rf .
          mv build/* .
          git add .
          git commit -m "Deploy to deployment branch"
          git push -f origin deployment

What happened

This will cause the Download artifact stage to fail.

Downloading single artifact
Error: Unable to download artifact(s): Artifact not found for name: build
        Please ensure that your artifact is not expired and the artifact was uploaded using a compatible version of toolkit/upload-artifact.
        For more information, visit the GitHub Artifacts FAQ: https://github.com/actions/toolkit/blob/main/packages/artifact/docs/faq.md

Upon inspection of which actions/upload-artifact version is used by this action, I discovered it's using v3 (reference).

Proposed solution

If possible, update all actions that deal with uploading/downloading artifacts to use v4.


sunderee commented Sep 4, 2024

Here's a link to the documentation on migration from v3 to v4 for both upload- and download-artifact:

  1. actions/download-artifact migration: https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md
  2. actions/upload-artifact migration: https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md

I was unable to find anything about migrating actions/checkout from v3 to v4; there are probably no breaking changes (but please do not quote me on it).


sunderee commented Sep 4, 2024

Ah, I see you're already aware of that (link). My bad for spamming!
