Pilot Lvl 1
Message 1 of 11

Public read access to Actions artifacts ?

Hi,

What are the access rules for Actions, log files and artifacts?

I just noticed that the "Actions" tab disappears from the repo page when I am logged out of GitHub. When I log in, I can see the "Actions" tab on all repositories, including from other users (not sure about how deep I can read since I cannot find someone else's repo with actual actions).

In my open source project, I produce nightly builds as artifacts and I would like them to be publicly available, even without logging in to GitHub. In fact, the main user would be an automated system in which I would prefer to store no authentication token.

Any idea on how to download artifacts without logging in?

10 Replies
GitHub Partner
Message 2 of 11

Re: Public read access to Actions artifacts ?

Every GitHub user can use GitHub Actions. You need to sign in to GitHub to see the Actions tab. And we are working on an API to download artifacts. It will be available in about two weeks. mscoutermarsh said that here: https://github.community/t5/GitHub-Actions/API-to-download-artifact/m-p/42313/highlight/true#M4943.

Pilot Lvl 1
Message 3 of 11

Re: Public read access to Actions artifacts ?

Thanks. Will the artifacts API allow public access? Will it allow downloading the artifacts for the latest run of a given workflow without "logging in", i.e. without providing an authentication token?

GitHub Partner
Message 4 of 11

Re: Public read access to Actions artifacts ?

I asked the developers of the artifact API; they said that the security permissions around the API will be the same as the rest of GitHub.

If you want unauthenticated downloads for binaries I would suggest you use GitHub releases. There are actions that make it easy to create releases and add artifacts to releases.

Pilot Lvl 1
Message 5 of 11

Re: Public read access to Actions artifacts ?

Thanks for the feedback.

But artifacts can be typically used for nightly builds. Releases and nightly builds are very different in nature.

  • Releases are stable, published from time to time, typically a few months between two releases. The developer will typically verify them. Users may want to retrieve them long after they are released.
  • Nightly builds are unsupported snapshots, an opportunity to use the latest fixes or features by advanced users. Producing them must be automated and GitHub Actions is the perfect mechanism for this. Their retention time should be small, maybe not more than a few days so that only the latest 5 or 10 nightly builds are available. They should be automatically purged to avoid polluting servers with zillions of megabytes of obsolete builds.

Delivering nightly builds through the release mechanism is consequently a very bad idea, a source of confusion and errors for users, a useless consumption of disk resources for GitHub.

GitHub Partner
Message 6 of 11

Re: Public read access to Actions artifacts ?

I am really sorry for ignoring your real scenario and leading you the wrong way.

I found that you can get the artifact URL at the bottom-left corner when you hover over the artifacts, but I didn't find any other ways to get the artifact URL.

[Screenshot: artifact.png]

Then use the curl command to download it.

curl -L https://github.com/zhuOrg/yan-jing-zhu/suites/405821759/artifacts/1177853 --output {file location c:/**/drop1.zip}

It didn't ask me for credentials. Please look at my example:

[Screenshot: curl download.png]

Pilot Lvl 1
Message 7 of 11

Re: Public read access to Actions artifacts ?

Thanks for the feedback on getting an artifact from URL without authentication.

So, if I summarize, there are some inconsistencies regarding actions and authentication:

  • Without authentication, on a desktop system:
    • "Actions" tab not present
    • Explicit URL to "Actions" tab (adding explicit "/actions") not working -> 404 not found
    • Explicit URL of artifact working (either you protect access to actions or you don't, but relying on the secrecy of a URL is the most stupid thing to do and is often the source of many data leaks).
  • With authentication, on iOS or Android (discussed elsewhere)
    • "Actions" tab not present
    • Explicit URL (adding explicit "/actions") working

Let's hope this will be cleaned up in the near future. GitHub Actions are great, very great, they just need a few initial issues fixed.

Specifically, I see no valid security reason to forbid unauthenticated access to Actions (read only of course). Anyone can create a GitHub account and get access to any "Actions" of any repository.

Worse, not providing read-only unauthenticated access to "Actions" creates security weaknesses. When some external automated system wants to get the artifacts of some repo (URLs are not initially known), it must authenticate, meaning we must store an authentication token on the automated system. Storing a secret somewhere always creates a risk of leak. So, there must be a valid security reason to store that secret. In this case, there is no such valid reason.
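Added example, not part of the original post: a script a repository owner can run against their own repository to check the mismatch summarized above, where the Actions tab is hidden from anonymous clients while an artifact URL is still served. The function names and labels are this example's own, and the mapping of status codes to labels is an assumption based on the 404 reported in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check what a repository's Actions tab
# and an artifact URL return to a client that sends no credentials.

# Map the final HTTP status seen by an anonymous client to an exposure label.
classify_status() {
  case "$1" in
    2??)     echo "public" ;;         # content served without credentials
    401|403) echo "auth-required" ;;  # explicit refusal
    404)     echo "hidden" ;;         # what the thread reports for /actions when logged out
    *)       echo "unknown" ;;        # 000 (network error), 5xx, anything else
  esac
}

# Fetch a URL without passing any cookie or token, follow redirects,
# and print only the final status code ("000" if the request failed).
anonymous_status() {
  curl --silent --location --max-time 20 --output /dev/null \
       --write-out '%{http_code}' "$1" || true
}

# Compare the Actions tab status with an artifact URL status and flag the case
# from the thread: listing hidden, artifact itself downloadable by URL.
exposure_verdict() {
  local tab artifact
  tab=$(classify_status "$1")
  artifact=$(classify_status "$2")
  if [ "$artifact" = "public" ] && [ "$tab" != "public" ]; then
    echo "inconsistent"   # protection rests only on the URL being unknown
  elif [ "$artifact" = "public" ]; then
    echo "public"
  elif [ "$artifact" = "unknown" ]; then
    echo "unknown"
  else
    echo "protected"
  fi
}

# Usage: ./audit.sh <repo-url> <artifact-url>   (both from your own repository)
if [ "$#" -eq 2 ]; then
  tab_code=$(anonymous_status "$1/actions")
  art_code=$(anonymous_status "$2")
  echo "actions tab: $tab_code, artifact: $art_code -> $(exposure_verdict "$tab_code" "$art_code")"
fi
```

An "inconsistent" result means nothing sensitive should be placed in that artifact, since anyone who learns the URL can fetch it.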

GitHub Partner
Message 8 of 11

Re: Public read access to Actions artifacts ?

The GitHub team decided to make the Actions tab and Actions logs visible only to logged-in GitHub users, to minimize the ability for log scraping. And they don't have any plan to show the Actions tab to anon users.

Sorry for any inconvenience. 

Pilot Lvl 1
Message 9 of 11

Re: Public read access to Actions artifacts ?

What do you mean by "log scraping"?

I assume that, even for logged-in users, modifying the Actions through the API is only allowed for users with read/write rights on the repo. If reading (read-only) actions results and artifacts is allowed for any logged-in user, what is the security reason for not allowing reading them publicly?

Ground Controller Lvl 1
Message 10 of 11

Re: Public read access to Actions artifacts ?

I would also like an option to make artifacts publicly available.