Exclude hidden files by default by joshmgross · Pull Request #598 · actions/upload-artifact

This change likely breaks every workflow that uploads the .coverage* files generated by coverage.py. This will have a significant impact in the Python ecosystem.

Did GitHub assess the number of (public) artifact uploads that would be affected by this change? I understand that avoiding upload of .git/config files containing credentials was the goal. Is forbidding the upload of any pathname beginning with . the lowest-impact way to achieve that aim?

Some other possibilities:

  1. Don't upload .git directories by default.
  2. Don't put credentials in .git/config by default.

The first option seems attractive to me, regardless of security implication, since the .git directory is redundant with the content of the Git repository. I struggle to envision a scenario where I would deliberately upload the .git directory.

The second option minimizes harm.

I must express my sympathy with all those who advocated for less impactful options, but did not prevail. Sadly, the OSS ecosystem must deal with the consequences.
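As an added illustration (not code from the PR or the commenter), the following Python script models the two exclusion policies compared above, the PR's "any path component beginning with a dot" rule and the suggested ".git directory only" alternative, and applies both to a constructed file list from a typical Python project. The matching logic is a simplified approximation of the action's behaviour, not its actual glob implementation.

```python
from pathlib import PurePosixPath

# Constructed sample of files a Python project might stage for upload
# (not taken from any real workflow).
SAMPLE_FILES = [
    "src/app.py",
    "tests/test_app.py",
    ".coverage",
    ".coverage.runner-1.12345",   # per-process file from coverage.py --parallel
    "htmlcov/index.html",
    ".git/config",                # may carry an extraheader with a token
    ".git/HEAD",
    "docs/.buildinfo",
]


def hidden_anywhere(path: str) -> bool:
    """Approximation of the PR's default: drop a path if ANY component
    starts with '.', which catches .git/config but also every .coverage* file."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def git_dir_only(path: str) -> bool:
    """Alternative 1 from the comment: drop only paths inside a .git directory,
    leaving other dotfiles such as .coverage* untouched."""
    return ".git" in PurePosixPath(path).parts


def apply_policy(files, exclude):
    """Split a file list into (kept, dropped) under an exclusion predicate."""
    kept = [f for f in files if not exclude(f)]
    dropped = [f for f in files if exclude(f)]
    return kept, dropped


if __name__ == "__main__":
    for name, policy in (("hidden-anywhere", hidden_anywhere),
                         ("git-dir-only", git_dir_only)):
        kept, dropped = apply_policy(SAMPLE_FILES, policy)
        print(f"{name}: kept {len(kept)}, dropped {dropped}")
```

Running it shows the credential-bearing .git/config is excluded under both policies, while only the broader rule also strips the coverage.py output files.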