Public read access to Actions artifacts ?


What are the access rules for Actions, log files and artifacts?

I just noticed that the “Actions” tab disappears from the repo page when I am logged out of GitHub. When I log in, I can see the “Actions” tab on all repositories, including from other users (not sure about how deep I can read since I cannot find someone else’s repo with actual actions).

In my open source project, I produce nightly builds as artifacts and I would like them to be publicly available, even without logging in GitHub. In fact, the main user would be an automated system into which I would prefer to store no authentication token.

Any idea on how to download artifacts without logging in?


Every github users could use Github Actions. You need to sign in to github to see Actions tab.  And we are working on API to download artifacts. It will be availiable in about two weeks.   mscoutermarsh said that here: . 

Thanks. Will the artifacts API allow public access? Will it allow downloading the artifacts for the latest run of a given workflow without “logging in”, ie. without providing an authentication token?

I asked the developers of artifact API , they said that the security permissions around the API will be the same as the rest of GitHub. 

If you want unauthenticated downloads for binaries I would suggest you use GitHub releases. There are actions that make it easy to create releases and add artifacts to releaes.

Thanks for the feedback.

But artifacts can be typically used for nightly builds. Releases and nightly builds are very different in nature.

  • Releases are stable, published from time to time, typically a few months between two releases. The developer will typically verify them. Users may want to retrieve them long after they are released.
  • Nightly builds are unsupported snapshots, an opportunity to use the latest fixes or features by advanced users. Producing them must be automated and GitHub Actions is the perfect mechanism for this. Their retention time should be small, maybe not more than a few days so that only the latest 5 or 10 nightly builds are available. They should be automatically purged to avoid polluting servers with zillions of megabytes of obsolete builds.

Delivering nightly builds through the release mechanism is consequently a very bad idea, a source of confusion and errors for users, a useless consumption of disk resources for GitHub.


I am really sorry for ignoring your real scenario and leading you to a wrong way. 

I found that you can get the artifact url at the left bottom cornner when you hover on the artifacts, but I didn’t find any other ways to get the artifact url. 

Then use curl command to download it . 

curl -L --output {file location c:/**/}

It didn’t ask me for credential. Please look at my example: 

Thanks for the feedback on getting an artifact from URL without authentication.

So, if I summarize, there are some inconsistencies regarding actions and authentication:

  • Without authentication, on a desktop system:
    • “Actions” tab not present
    • Explicit URL to “Actions” tab (adding explicit “/actions”) not working -> 404 not found
    • Explicit URL of artifact working (either you protect access to actions or you don’t but relying on the secrecy of a URL is the most stupid thing to do and is often the source of many data leaks).
  • With authentication, on an iOS or Android (discussed elsewhere)
    • “Actions” tab not present
    • Explicit URL (adding explicit “/actions”) working 

Let’s hope this will be cleaned up in the next future. GitHub Actions are great, very great, they just need fixing a few initial issues.

Specifically, I see no valid security reason to forbid unauthenticated access to Actions (read only of course). Anyone can create a GitHub account and get access to any “Actions” of any repository.

Worse, not providing read-only unauthenticated access to “Actions” creates security weaknesses. When some external automated system wants to get the artifacts of some repo (URL are not initially known), it must authenticate, meaning we must store an authentication token on the automated system. Storing a secret somewhere always creates a risk of leak.  So, there must be a valid security reason to store that secret. In this case, there is no such valid reason.

Github team decided to make the Actions tab, actions logs only visible to GitHub logged in users to minimize the ability for log scraping. And they don’t have any plan to show actions tab for anon users.  

Sorry for any inconvenience. 

What do you mean by “log scraping”?

I assume that, even for logged in users, modifying the Actions through the API is only allowed for users with read/write rights on the repo. If reading (read-only) actions results and artifacts is allowed for any logged in user, what is the security reason for not allowing reading them publicly?

I would also like an option to make artifacts publicly available.



Github Actions now show actions tab to anonymous, but restrict them to allow download artifacts and see logs. 

When use API to download artifacts, you need to provide credential. 

Do you know why downloading artifacts is not available for anonymous? This is the only thing blocking me migrating from AppVeyor to GitHub Actions.

1 Like

The security team are concerned about information leaks , so now only github logged in users could access to public repo Artifacts and logs . If you still want to know the security reason in detail, I would suggest you to contact GitHub Support  or you could ask for artifacts public access feature in the Feedback form for GitHub Actions.  

Information leaks? Really? How exactly is there a risk of information leaks when EVERY GITHUB USER can already download those artifacts?

without logging people can see the codes, release zip and the action log, now you tell me download the action artifact is not safe?