Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V3 backport: Exclude hidden files by default #604

Merged
merged 3 commits into from
Aug 29, 2024

Conversation

SrRyan
Copy link

@SrRyan SrRyan commented Aug 22, 2024

This is a backport from the latest behavioral change for artifact-upload v4.4.0.

Currently, all files within the search path are uploaded into the artifact. This includes hidden files, which could contain sensitive values that should not be accessible outside of the workflow run. To enhance the default security of this action, this PR excludes hidden files from the path by default. Users who require hidden files have validated that there are no sensitive values in their artifacts can opt-in to uploading hidden files with the include-hidden-files input.

This is part of the following breaking change:

Exclude hidden files by default in Upload Artifact GitHub Actions
From September 2nd, 2024, we will no longer include hidden files and folders as part of the default upload of the v3 and v4 upload-artifact actions. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, ‘include-hidden-files’, to continue to do so.
https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/

@SrRyan SrRyan requested a review from a team as a code owner August 22, 2024 14:48
@SrRyan SrRyan changed the base branch from v3/node20 to v3/node16 August 28, 2024 17:54
@SrRyan SrRyan merged commit 9ee08a3 into v3/node16 Aug 29, 2024
6 checks passed
Copy link

@chromeprivetlimited chromeprivetlimited left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"PayPal.BD" 
Log In
Sign Up
Menu:[email protected]?
Legal Agreements for PayPal Services
Country or Region BANGLADESH

English
Language বাংলা
Policy Updates
View Policy Updates
All User Agreements
User Agreement for PayPal Service
PayPal Buyer Protection Program
PayPal Seller Protection Program
User Agreement Reference Notes
Binding Corporate Rules
Our Use of Cookies, Web Beacons, and Similar Technologies
 Modern Slavery Statement
Privacy Statement for PayPal Services
Key Payment and Service Information
PayPal Digital Gifts Terms and Conditions
PayPal Fundraisers Terms and Conditions
PayPal Acceptable Use Policy
PayPal Mobile Application License Agreement for Consumers
Terms of use for payments without a PayPal account
Product-Specific Agreements
PayPal Credit Agreement and SECCI
PayPal Pay in Terms and Conditions
PayPal.Me Terms and Conditions
PayPal Campaign Fundraising Terms and Conditions
PayPal Cryptocurrency Terms and Conditions (“Cryptocurrency Terms”)
For Merchants and Businesses
Commercial Entity Agreement
PayPal Online Card Payment Services Agreement
PayPal Platform Seller Agreement
Privacy Policy for the Zettle by PayPal service
PayPal Mobile Application License Agreement for Merchants
PayPal Alternative Payment Methods Agreement
General Terms and Conditions for the use of Zettle by PayPal
PayPal Data Protection Addendum for Card Processing Products
PayPal Business Debit Mastercard® Cardholder Agreement
Payment Terms and Conditions for the use of Zettle by PayPal
Additional Information
Infringement Report Policy
These legal agreements and notices provide terms and conditions related to specific PayPal services.

PayPal Logo
Help
Contact 01814672159
Fees
PSR Quotation Tool
Security
Apps
Shop
Enterprise
Business Resource Centre
Money Hub
Modern Slavery Statement
AboutNewsroomJobsDevelopersPartners
© 1999–4024
AccessibilityPrivacyCookiesLegalComplaints
PayPal BD Ltd is authorised and regulated by the Financial Conduct Authority (FCA) as an electronic money institution under the Electronic Money Regulations 2011 for the issuance of electronic money (firm reference number 994790), in relation to its regulated consumer credit activities under the Financial Services and Markets Act 2000 (firm reference number 996405) and for the provision of Cryptocurrency services under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2010 (firm reference number 1000741). Some of PayPal UK Ltd’s products including PayPal Pay in 1 and PayPal Working Capital are not regulated by the FCA. PayPal BD Ltd’s company number is 14741686 and its registered address is Email, BANGLADESH, TW9 1EH."
 https://www.paypal.com/gb/legalhub/home#:~:text=PayPallogo,BANGLADESH

github-merge-queue bot referenced this pull request in AmadeusITGroup/otter Sep 4, 2024
This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v3.1.3` -> `v3.2.0` | `v3.2.1` |

---

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.2.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v3.1.3...v3.2.0)

#### Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the
`upload-artifact` action of this version. This reduces the risk that
credentials are accidentally uploaded into artifacts. Customers who need
to continue to upload these files can use a new option,
`include-hidden-files`, to continue to do so.

See ["Notice of upcoming deprecations and breaking changes in GitHub
Actions
runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/)
changelog and [this
issue](https://redirect.github.com/actions/upload-artifact/issues/602)
for more details.

#### What's Changed

- V3 backport: Exclude hidden files by default by
[@&#8203;SrRyan](https://redirect.github.com/SrRyan) in
[https://github.com/actions/upload-artifact/pull/604](https://redirect.github.com/actions/upload-artifact/pull/604)

**Full Changelog**:
actions/upload-artifact@v3.1.3...v3.2.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/AmadeusITGroup/otter).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
hogo6002 referenced this pull request in google/osv.dev Sep 5, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/setup-python](https://redirect.github.com/actions/setup-python)
| action | minor | `v5.1.1` -> `v5.2.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v3.1.3` -> `v3.2.1` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v2.25.12` -> `v2.26.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.9.0` -> `v1.10.1` |

---

### Release Notes

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

###
[`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

[Compare
Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.2.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v3.2.0...v3.2.1)

#### What's Changed

This fixes the `include-hidden-files` input introduced in
https://github.com/actions/upload-artifact/releases/tag/v3.2.0

- Ensure hidden files input is used by
[@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/609](https://redirect.github.com/actions/upload-artifact/pull/609)

**Full Changelog**:
actions/upload-artifact@v3.2.0...v3.2.1

###
[`v3.2.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v3.1.3...v3.2.0)

#### Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the
`upload-artifact` action of this version. This reduces the risk that
credentials are accidentally uploaded into artifacts. Customers who need
to continue to upload these files can use a new option,
`include-hidden-files`, to continue to do so.

See ["Notice of upcoming deprecations and breaking changes in GitHub
Actions
runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/)
changelog and [this
issue](https://redirect.github.com/actions/upload-artifact/issues/602)
for more details.

#### What's Changed

- V3 backport: Exclude hidden files by default by
[@&#8203;SrRyan](https://redirect.github.com/SrRyan) in
[https://github.com/actions/upload-artifact/pull/604](https://redirect.github.com/actions/upload-artifact/pull/604)

**Full Changelog**:
actions/upload-artifact@v3.1.3...v3.2.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.26.6`](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

###
[`v2.26.5`](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

###
[`v2.26.4`](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

###
[`v2.26.3`](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

###
[`v2.26.2`](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

###
[`v2.26.1`](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

###
[`v2.26.0`](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

###
[`v2.25.15`](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

###
[`v2.25.14`](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

###
[`v2.25.13`](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.10.1`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.1)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.0...v1.10.1)

#### 🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the
other day

The problem was that the distribution file validity check was failing on
any valid distribution being present and ready to be signed. What a
silly mistake! It's now been fixed via
pypa/gh-action-pypi-publish@0ab0b79, though.
So everything's good!

\--
[@&#8203;webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz)

> \[!IMPORTANT]
> ✨ Despite this minor hiccup, we invite you to still opt into trying
this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
like this:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave feedback in [the v1.10.0 release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.10.0...v1.10.1

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

**🙏 Special Thanks** to
[@&#8203;hugovk](https://redirect.github.com/hugovk)[💰](https://redirect.github.com/sponsors/hugovk)
for [promptly validating the bug
fix](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/256#issuecomment-2325925847),
mere minutes after I pushed it — I even haven't finished writing this
text by then!

###
[`v1.10.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.0)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.9.0...v1.10.0)

#### 🔏 Anything fancy, eh?

This time,
[@&#8203;woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw)
implemented support for [PEP 740] attestations functionality in
[#&#8203;236](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/236)
and
[#&#8203;245](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/245).
This is a big deal, as it is a huge step forward to replacing what the
deprecated GPG signatures used to provide in a more meaningful way.

> \[!IMPORTANT]
> ✨ Please, do opt into trying this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
as follows:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave any feedback on this in [this release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

🙏 And please, thank William for working on this amazing improvement for
the ecosystem! The overall effort is tracked
@&#[https://github.com/pypi/warehouse/issues/15871](https://redirect.github.com/pypi/warehouse/issues/15871)/15871,
by the way.

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.9.0...v1.10.0

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

[PEP 740]: https://peps.python.org/pep-0740/

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants