Merge pull request #127 from heavymachinery/pin-sha

Pin `actions/upload-artifact` to SHA

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      non-breaking-changes:
+        update-types: [minor, patch]

.github/workflows/draft-release.yml

@@ -8,7 +8,7 @@ jobs:
   draft-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: release-drafter/release-drafter@v5
+      - uses: actions/checkout@v4
+      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,20 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@0.0.3

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Update the ${{ env.TAG_NAME }} tag
         id: update-major-tag
-        uses: actions/publish-action@v0.2.1
+        uses: actions/publish-action@v0.3.0
         with:
           source-tag: ${{ env.TAG_NAME }}
           slack-webhook: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/test-hosted-runners.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Generate files
       run: mkdir artifact && mkdir artifact2 && cd artifact && ../script/new-artifact.sh
@@ -31,20 +31,27 @@ jobs:
     - name: Upload Pages artifact
       uses: ./
       with:
+        name: pages-artifact-${{ matrix.os }}
         path: artifact
 
     - name: Download artifact
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
-          name: github-pages
+          name: pages-artifact-${{ matrix.os }}
           path: artifact2
 
     - name: Extract artifact
       run: tar -xf artifact2/artifact.tar -C artifact2 && rm artifact2/artifact.tar
       shell: bash
 
+    - name: Check for absence of hidden files
+      run: if [ $(find artifact2 -regex ".*/\..*" | wc -l) != 0 ]; then echo "Hidden files found"; exit 1; fi
+      shell: bash
+
     - name: Compare files
-      run: diff -qr artifact artifact2
+      run: |
+        rm artifact/.hidden
+        diff -qr artifact artifact2
       shell: bash
 
     - name: Check for absence of symlinks

README.md

@@ -2,31 +2,77 @@
 
 A composite Action for packaging and uploading artifact that can be deployed to [GitHub Pages][pages].
 
-# Scope
+## Usage
 
-⚠️ Official support for building Pages with Actions is in public beta at the moment.
+See [action.yml](action.yml) for the various `inputs` this action supports (or [below](#inputs-📥)).
 
-# Usage
+If you breakdown your workflow in two jobs (`build` and `deploy`), we recommend this action to be used in your `build` job:
 
-See [action.yml](action.yml)
+```yaml
+jobs:
+  # Build job
+  build:
+    # Specify runner +  build & upload the static files as an artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build static files
+        id: build
+        run: |
+          # <Not provided for brevity>
+          # At a minimum this step should build the static files of your site
+          # <Not provided for brevity>
 
-<!-- TODO: document custom workflow -->
+      - name: Upload static files as artifact
+        id: deployment
+        uses: actions/upload-pages-artifact@v3 # or specific "vX.X.X" version tag for this action
+        with:
+          path: build_outputs_folder/
 
-# Artifact validation
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
+```
 
-While using this action is optional, we highly recommend it since it takes care of producing (mostly) valid artifacts.
+### Inputs 📥
 
-A Pages artifact must:
+| Input            | Required? | Default        | Description                                        |
+| ---------------- | --------- | -------------- | -------------------------------------------------- |
+| `name`           | `false`   | `github-pages` | Artifact name                                      |
+| `path`           | `true`    | `_site/`       | Path of the directory containing the static assets |
+| `retention-days` | `false`   | `1`            | Duration after which artifact will expire in days  |
 
-- Be called `github-pages`
+### Outputs 📤
+
+| Output        | Description                              |
+| ------------- | ---------------------------------------- |
+| `artifact_id` | The ID of the artifact that was uploaded |
+
+## Artifact validation
+
+While choosing to use this action as part of your approach to deploying to GitHub Pages is technically optional, we highly recommend it since it takes care of producing (mostly) valid artifacts.
+
+However, if you _**do not**_ choose to use this action but still want to deploy to Pages using an Actions workflow, then you must upload an Actions artifact that meets the following criteria:
+
+- Be named `github-pages`
 - Be a single [`gzip` archive][gzip] containing a single [`tar` file][tar]
 
 The [`tar` file][tar] must:
 
-- be under 10GB in size
+- be under 10GB in size (we recommend under 1 GB!)
+  - :warning: The GitHub Pages [officially supported maximum size limit is 1GB][pages-usage-limits], so the subsequent deployment of larger tarballs are not guaranteed to succeed &mdash; often because they are more prone to exceeding the maximum deployment timeout of 10 minutes.
+  - ⛔ However, there is also an _unofficial_ absolute maximum size limit of 10GB, which Pages will not even _attempt_ to deploy.
 - not contain any symbolic or hard links
+- contain only files and directories
 
-# Release instructions
+## Release instructions
 
 In order to release a new version of this Action:
 
@@ -34,19 +80,20 @@ In order to release a new version of this Action:
 
 2. Publish the draft release from the `main` branch with semantic version as the tag name, _with_ the checkbox to publish to the GitHub Marketplace checked. :ballot_box_with_check:
 
-3. After publishing the release, the [`release` workflow][release] will automatically run to create/update the corresponding the major version tag such as `v0`.
+3. After publishing the release, the [`release` workflow][release] will automatically run to create/update the corresponding major version tag such as `v0`.
 
    ⚠️ Environment approval is required. Check the [Release workflow run list][release-workflow-runs].
 
-# License
+## License
 
 The scripts and documentation in this project are released under the [MIT License](LICENSE).
 
 <!-- references -->
 [pages]: https://pages.github.com
-[release-list]: /releases
+[release-list]: https://github.com/actions/upload-pages-artifact/releases
 [draft-release]: .github/workflows/draft-release.yml
 [release]: .github/workflows/release.yml
-[release-workflow-runs]: /actions/workflows/release.yml
+[release-workflow-runs]: https://github.com/actions/upload-pages-artifact/actions/workflows/release.yml
 [gzip]: https://en.wikipedia.org/wiki/Gzip
 [tar]: https://en.wikipedia.org/wiki/Tar_(computing)
+[pages-usage-limits]: https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages#usage-limits

action.yml

@@ -14,6 +14,10 @@ inputs:
     description: "Duration after which artifact will expire in days."
     required: false
     default: "1"
+outputs:
+  artifact_id:
+    description: "The ID of the artifact that was uploaded."
+    value: ${{ steps.upload-artifact.outputs.artifact-id }}
 runs:
   using: composite
   steps:
@@ -21,16 +25,16 @@ runs:
       shell: sh
       if: runner.os == 'Linux'
       run: |
-        chmod -c -R +rX "$INPUT_PATH" | while read line; do
-          echo "::warning title=Invalid file permissions automatically fixed::$line"
-        done
+        echo ::group::Archive artifact
         tar \
           --dereference --hard-dereference \
           --directory "$INPUT_PATH" \
           -cvf "$RUNNER_TEMP/artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           .
+        echo ::endgroup::
       env:
         INPUT_PATH: ${{ inputs.path }}
 
@@ -39,16 +43,16 @@ runs:
       shell: sh
       if: runner.os == 'macOS'
       run: |
-        chmod -v -R +rX "$INPUT_PATH" | while read line; do
-          echo "::warning title=Invalid file permissions automatically fixed::$line"
-        done
+        echo ::group::Archive artifact
         gtar \
           --dereference --hard-dereference \
           --directory "$INPUT_PATH" \
           -cvf "$RUNNER_TEMP/artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           .
+        echo ::endgroup::
       env:
         INPUT_PATH: ${{ inputs.path }}
 
@@ -57,20 +61,25 @@ runs:
       shell: bash
       if: runner.os == 'Windows'
       run: |
+        echo ::group::Archive artifact
         tar \
           --dereference --hard-dereference \
           --directory "$INPUT_PATH" \
           -cvf "$RUNNER_TEMP\artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           --force-local \
           "."
+        echo ::endgroup::
       env:
         INPUT_PATH: ${{ inputs.path }}
 
     - name: Upload artifact
-      uses: actions/upload-artifact@main
+      id: upload-artifact
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ inputs.name }}
         path: ${{ runner.temp }}/artifact.tar
         retention-days: ${{ inputs.retention-days }}
+        if-no-files-found: error

script/new-artifact.sh

@@ -8,3 +8,6 @@ echo 'world' > subdir/world.txt
 # Add some symlinks (which we should dereference properly when archiving)
 ln -s subdir subdir-link
 ln -s hello.txt bonjour.txt
+
+# Create some hidden files
+echo 'foo' > .hidden