Artifact permissions or encryption

Build artifacts could contain sensitive data. For example a build for production could contain production configuration that should not be visible to every developer. It seems that currently artifacts are visible to all users who can access the repository.

Is there a plan to introduce more fine grained permissions, so that e.g. only repository owners can access them?

Alternatively: Do you plan to provide a way to encrypt/decrypt artifacts, so that one job can upload an encrypted artifact and another job could download and decrypt the artifact?

Some more backgound: While I think the above features would be nice, there are two root causes why I have to use build artifacts in the first place:

  • The workflow re-use options are very limited. It is not possible to re-use steps, only entire jobs. Therefore I need to pass data between jobs (where otherwise I wouldn’t)
  • The approval process is very limited. Instead of requiring approval after a certain step, I can only set an environment that requires approval on the job. Therefore again I have to split up my workflow into two jobs and pass data, where otherwise it would not be necessary.

For now I’m using OpenSSL to encrypt/decrypt. Might be helpful for others:

# encrypt
openssl enc -e -a -aes256 -pbkdf2 -k ${{ secrets.YOUR_KEY }} -in input.txt -out file.txt.enc

#decrypt
openssl enc -d -a -aes256 -pbkdf2 -k ${{ secrets.YOUR_KEY }} -in file.txt.enc -out file.txt

Still think GHA should offer this out of the box.