msys2 / msys2-autobuild

https://packages.msys2.org/queue
MIT License

Build without write permissions #82

Open lazka opened 8 months ago

lazka commented 8 months ago

This would be a large change. To avoid package builds gaining write permissions to the GH assets we currently clean out the env, so they can't get to the token easily (https://github.com/msys2/msys2-autobuild/blob/1ed7c15c97e98fa8399105d9ee3253beb121a183/msys2_autobuild/build.py#L97-L108). But that's not bulletproof.

Ideally we would separate the third party code into an environment that doesn't have write permissions.

lazka commented 6 months ago

In theory https://github.com/actions/toolkit/tree/main/packages/artifact#v2---whats-new would allow us to upload packages for the job without write permissions, and other jobs could iterate all other active jobs in addition to the assets. From what I see, though, we would need to shell out to JS to upload artifacts, as the API isn't publicly documented.