Skip to content

Support direct file uploads#764

Merged
danwkennedy merged 12 commits intomainfrom
danwkennedy/direct-uploads
Feb 25, 2026
Merged

Support direct file uploads#764
danwkennedy merged 12 commits intomainfrom
danwkennedy/direct-uploads

Conversation

@danwkennedy
Copy link
Contributor

@danwkennedy danwkennedy commented Feb 25, 2026
edited
Loading

Description

This adds support for uploading a file directly without zipping it.

Callers will need to opt into this change by setting the new archive flag to false (to maintain backwards compatibility, the flag defaults to true right now). Only a single file can be uploaded right now. If the action detects multiple files, it will error.

Breaking changes

  • We're supporting a new API version, version 7 so we're bumping the version of this client to match versions.

Copilot AI review requested due to automatic review settings February 25, 2026 19:10
@danwkennedy danwkennedy requested a review from a team as a code owner February 25, 2026 19:10
Copilot AI reviewed Feb 25, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds support for direct file uploads without archiving by introducing a new archive input parameter. When set to false, users can upload a single file directly without creating a zip archive. The implementation upgrades the @actions/artifact package from v6.1.0 to v6.2.0 to leverage the new skipArchive option.

Changes:

  • Added new archive boolean input (defaults to true for backward compatibility)
  • Implemented validation to ensure only a single file can be uploaded when archive is false
  • Updated package dependency to @actions/artifact v6.2.0 to support the skipArchive option

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/upload/upload-inputs.ts Added archive boolean field to UploadInputs interface with documentation
src/upload/constants.ts Added Archive constant to the Inputs enum
src/upload/input-helper.ts Added input retrieval for the archive parameter and included it in the returned inputs object
src/upload/upload-artifact.ts Added validation for single-file requirement when archive is false and sets skipArchive option accordingly
action.yml Added archive input parameter with description and default value of 'true', updated name and path descriptions
package.json Updated @actions/artifact dependency from ^6.1.0 to ^6.2.0
package-lock.json Updated lockfile to reflect the new artifact package version
dist/upload/index.js Compiled distribution file reflecting all source changes
tests/upload.test.ts Added Archive input to mock inputs default configuration
Comments suppressed due to low confidence (1)

src/upload/upload-artifact.ts:79

  • When archive is set to false, the compression-level option becomes irrelevant since no compression occurs. However, there's no validation or warning to inform users that setting compression-level has no effect when archive is false. Consider adding validation to either ignore or warn users about this incompatible configuration.
    if (typeof inputs.compressionLevel !== 'undefined') {
      options.compressionLevel = inputs.compressionLevel
    }

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 25, 2026
View reviewed changes
.github/workflows/test.yml Fixed
Comment on lines 390 to 428
needs: [build, merge]
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Setup Node 24
uses: actions/setup-node@v4
with:
node-version: 24.x
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Delete test artifacts
uses: actions/github-script@v7
with:
script: |
const artifactClient = require('@actions/artifact');
const artifact = artifactClient.default || artifactClient;

const {artifacts} = await artifact.listArtifacts({latest: true});
const keep = ['report.html'];

for (const a of artifacts) {
if (keep.includes(a.name)) {
console.log(`Keeping artifact '${a.name}'`);
continue;
}
try {
await artifact.deleteArtifact(a.name);
console.log(`Deleted artifact '${a.name}'`);
} catch (err) {
console.log(`Could not delete artifact '${a.name}': ${err.message}`);
}
}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, the fix is to add an explicit permissions: block that grants only the minimum scopes needed to run this workflow. This can be done at the workflow (top) level to apply to all jobs, or specifically on the cleanup job if different jobs need different scopes. Since the highlighted issue is on the cleanup job, and we want the smallest change without affecting other jobs’ current behavior, we will add a permissions: block only to the cleanup job.

The cleanup job reads and deletes artifacts via the @actions/artifact client. Artifact operations are governed by the actions permission, not contents. There is no need for contents: write, issues, pull-requests, etc. A minimal and appropriate configuration is:

    permissions:
      actions: write
      contents: read

actions: write allows managing artifacts created by workflows; contents: read is a safe baseline and recommended as a default read-only scope. We will insert this directly under runs-on: ubuntu-latest in the cleanup job, around line 392, in .github/workflows/test.yml. No imports or additional methods are required because this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/test.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -389,6 +389,9 @@
     name: Cleanup Artifacts
     needs: [build, merge]
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
 
     steps:
     - name: Checkout
EOF
@@ -389,6 +389,9 @@
name: Cleanup Artifacts
needs: [build, merge]
runs-on: ubuntu-latest
permissions:
actions: write
contents: read

steps:
- name: Checkout
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Copy link
Contributor Author

@danwkennedy danwkennedy Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set the permissions block.

@danwkennedy danwkennedy merged commit bbbca2d into main Feb 25, 2026
12 checks passed
@dpy013 dpy013 mentioned this pull request Feb 25, 2026
Closed
@mrbusche mrbusche mentioned this pull request Feb 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@yacaovsnc yacaovsnc yacaovsnc approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danwkennedy @yacaovsnc