hydephp / action

HydePHP GitHub Actions Workflow
https://hydephp.github.io/action
MIT License
3 stars, 0 forks

Update actions/upload-artifact from v3 to v4 #44

Open sunderee opened 3 months ago

sunderee commented 3 months ago

Issue description

This request comes after Dependabot notified me to bump actions/download-artifact from v3 to v4.1.7:

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Example

As per recommendation, I updated my GitHub Actions workflow file:

name: Build and Deploy HydePHP Site to Deployment Branch

on:
  push:
    branches:
      - master

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build HydePHP Site
        uses: hydephp/action@master
        with:
          upload-artifact: true

      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: build
          path: build

      - name: Deploy to deployment branch
        run: |
          git config --global user.name 'GitHub Action'
          git config --global user.email 'action@github.com'
          git checkout --orphan deployment
          git rm -rf .
          mv build/* .
          git add .
          git commit -m "Deploy to deployment branch"
          git push -f origin deployment

What happened

This will cause the Download artifact stage to fail.

Downloading single artifact
Error: Unable to download artifact(s): Artifact not found for name: build
        Please ensure that your artifact is not expired and the artifact was uploaded using a compatible version of toolkit/upload-artifact.
        For more information, visit the GitHub Artifacts FAQ: https://github.com/actions/toolkit/blob/main/packages/artifact/docs/faq.md

Upon inspection of which actions/upload-artifact version is used by this action, I discovered it's using v3 (reference).

Proposed solution

If possible, update all actions that deal with uploading/downloading artifacts to use v4.
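The failure above comes from mixing artifact action majors: the composite action uploads with actions/upload-artifact@v3 while the caller downloads with actions/download-artifact@v4, and v3 and v4 artifacts are not interoperable. The following check is an added example (not code from this issue, from hydephp/action or from the actions/* projects) that scans a workflow's `uses:` lines, folds in what a known composite action calls internally, and reports a major-version mismatch or a download-artifact tag pinned below 4.1.7. `ISSUE_WORKFLOW` is an abridged copy of the workflow posted above; `COMPOSITE_INTERNALS` records what the reporter found on inspection (hydephp/action uses upload-artifact v3) and has to be maintained by hand, since a composite action's own steps are not visible in the calling workflow.

```python
import re

# Abridged copy of the workflow posted in this issue (only the steps that matter here).
ISSUE_WORKFLOW = """
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build HydePHP Site
        uses: hydephp/action@master
        with:
          upload-artifact: true
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: build
"""

# What the reporter found when inspecting hydephp/action: it calls actions/upload-artifact@v3.
# A composite action's internal `uses:` lines are invisible to the caller, so they are listed here by hand.
COMPOSITE_INTERNALS = {"hydephp/action": [("actions/upload-artifact", "v3")]}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@([^\s#]+)", re.MULTILINE)
UPLOAD, DOWNLOAD = "actions/upload-artifact", "actions/download-artifact"
FIXED_DOWNLOAD = (4, 1, 7)  # first download-artifact release with the path-traversal fix, per the advisory quoted above


def parse_ref(ref):
    """'v4.1.7' -> (4, 1, 7); 'v4' -> (4,); a branch name or commit SHA -> None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", ref)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def artifact_uses(workflow, composite_internals=None):
    """Every upload/download-artifact reference the workflow reaches, directly or through a known composite action."""
    found = []
    for action, ref in USES_RE.findall(workflow):
        if action in (UPLOAD, DOWNLOAD):
            found.append((action, ref))
        for inner_action, inner_ref in (composite_internals or {}).get(action, []):
            if inner_action in (UPLOAD, DOWNLOAD):
                found.append((inner_action, inner_ref))
    return found


def check_artifact_versions(workflow, composite_internals=None):
    """Return a list of problem descriptions; an empty list means the artifact actions look consistent."""
    problems = []
    majors = {UPLOAD: set(), DOWNLOAD: set()}
    for action, ref in artifact_uses(workflow, composite_internals):
        ver = parse_ref(ref)
        if ver is None:
            problems.append(f"{action}@{ref}: not a version tag, cannot check compatibility")
            continue
        majors[action].add(ver[0])
        # Only a fully pinned tag can be known vulnerable; a bare 'v4' floats to the newest v4.x release.
        if action == DOWNLOAD and len(ver) == 3 and ver < FIXED_DOWNLOAD:
            problems.append(f"{action}@{ref}: older than 4.1.7 (path-traversal fix), pin 4.1.7 or newer")
    if majors[UPLOAD] and majors[DOWNLOAD] and majors[UPLOAD] != majors[DOWNLOAD]:
        up = ", ".join(f"v{m}" for m in sorted(majors[UPLOAD]))
        down = ", ".join(f"v{m}" for m in sorted(majors[DOWNLOAD]))
        problems.append(f"upload-artifact {up} vs download-artifact {down}: v3 and v4 artifacts are "
                        "not interoperable, use the same major version on both sides")
    return problems


if __name__ == "__main__":
    for problem in check_artifact_versions(ISSUE_WORKFLOW, COMPOSITE_INTERNALS):
        print("PROBLEM:", problem)
```

Run against the issue's workflow with the composite's internal v3 upload recorded, the check reports exactly the mismatch that produced "Artifact not found for name: build"; once both sides are on v4 it reports nothing.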

sunderee commented 3 months ago

Here's a link to the documentation on migration from v3 to v4 for both upload- and download-artifact:

  1. actions/download-artifact migration: https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md
  2. actions/upload-artifact migration: https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md

I was unable to find anything about migrating actions/checkout from v3 to v4, probably no breaking changes (but please do not quote me on it).
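The advisory quoted in the issue description describes an arbitrary file write when an artifact containing path-traversal filenames is extracted. The following Python example is added here and is not code from this issue, from hydephp/action or from the actions/* projects; it shows the containment check an extractor needs: every archive member is resolved against the destination directory and rejected if it would land outside it. The sample artifact is constructed in memory with traversal names for the demonstration and is not a real GitHub artifact.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path


def build_sample_artifact(members):
    """Construct an in-memory zip from {name: bytes}; test data only, not a real GitHub artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_target(dest, member_name):
    """Absolute path where member_name may be written under dest, or None if it would escape dest."""
    dest = Path(dest).resolve()
    normalized = member_name.replace("\\", "/")
    # Absolute paths and Windows drive letters never belong in an artifact.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return None
    target = (dest / normalized).resolve()
    # resolve() collapses '..' and follows existing symlinks, so a containment test on the result is enough.
    if target != dest and dest not in target.parents:
        return None
    return target


def extract_artifact(zip_bytes, dest):
    """Extract only members that stay inside dest; returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as out:
                    out.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Extract a constructed artifact with traversal names into a temp dir and report what happened."""
    sample = build_sample_artifact({
        "build/index.html": b"<h1>site</h1>",
        "../outside.txt": b"must never be written",
        "build/../../escape.txt": b"must never be written either",
    })
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "download"
        extracted, rejected = extract_artifact(sample, dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "index_html": (dest / "build" / "index.html").read_bytes(),
            # Files that would have been written one level above dest if the check were missing.
            "escaped_files": [p for p in ("outside.txt", "escape.txt") if (Path(tmp) / p).exists()],
        }


if __name__ == "__main__":
    print(demo())
```

Rejecting a member is deliberately the whole response: an artifact with traversal names is malformed, and silently rewriting the name would hide the problem from whoever reads the job log.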

sunderee commented 3 months ago

Ah, I see you're already aware of that (link). My bad for spamming!