Agreed - we’re working on it.  Thanks!

@teohhanhui wrote:

This seems to have been released. Thanks!

Is it though? I don’t see my actions public at https://github.com/tmux-python/libtmux/actions when logged out. I don’t see an option to do it.

Same goes with pull requests tmux-python/libtmux#245, I only see it when logged in (in this case I’m a member of the org)

This feature was present for a while but was removed for security reasons.

This is a security measure to help minimize the chances of content being scraped and other possible risks.

Could you elaborate on this?

• How is scraping a risk?
• How is this a security issue? People can still scrape other peoples repositories after logging in (potentially with a new / fake account). I don’t see the advantage an attacker could have by doing this without an account.

I fail to see the advantages of returning a 404 error over just displaying it for guests.

However, I do see drawbacks in restricting this:

• Guests can not see CI logs, so the badges can link nowhere useful.
• 404 message is confusing (if accidentally logged out); if anything, it should be 403.
• GitHub Actions doesn’t have artifact download URLs or an API yet, so scraping could be used as a crude workaround temporarily.

What w_ould_ potentially increase security is, if logs were (/ could be) restricted to repository owners or were made public (including GitHub users) with delay.

Also ability to delete logs would be useful (as damage control) in combination with those things.

I can see how making the logs public might cause security concerns.  So how about instead having a public page that shows a summary of the build without showing the logs.  For example, it could just list each job and step name, with either a green checkmark or a red X to indicate whether that job/step passed. 

Bonus points if it has a graph that shows the pass/fail rsults over time.  I’m envisioning something that looks like the Postman Monitors dashboard.

Public logs should be an option, this is just kind of anti-collaborative. Why is this not simply a per project option if there are concerns? If projects can’t manage to keep their CI logs clean fine let them hide them, but my CI only accesses public resources and the entire docker script is in the repo itself, so it couldn’t be more pointless to hide the logs. And it really hurts collaboration when I mention a bug I saw in CI on some external bug tracker, and then I can’t link it. It’s also silly to me that the entirety of the CI setup script and the entire project code is already google “scraped”, but then it’s suddenly a problem when the action logs of building openly available code are public? I don’t get it.