Merge pull request #127 from heavymachinery/pin-sha

Pin `actions/upload-artifact` to SHA

.github/workflows/draft-release.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,20 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@0.0.3

.github/workflows/test-hosted-runners.yml

@@ -44,8 +44,14 @@ jobs:
       run: tar -xf artifact2/artifact.tar -C artifact2 && rm artifact2/artifact.tar
       shell: bash
 
+    - name: Check for absence of hidden files
+      run: if [ $(find artifact2 -regex ".*/\..*" | wc -l) != 0 ]; then echo "Hidden files found"; exit 1; fi
+      shell: bash
+
     - name: Compare files
-      run: diff -qr artifact artifact2
+      run: |
+        rm artifact/.hidden
+        diff -qr artifact artifact2
       shell: bash
 
     - name: Check for absence of symlinks

README.md

@@ -2,69 +2,75 @@
 
 A composite Action for packaging and uploading artifact that can be deployed to [GitHub Pages][pages].
 
-## Scope
-
-⚠️ Official support for building Pages with Actions is in public beta at the moment.
-
 ## Usage
 
-See [action.yml](action.yml)
+See [action.yml](action.yml) for the various `inputs` this action supports (or [below](#inputs-📥)).
 
-<!-- TODO: document custom workflow -->
+If you breakdown your workflow in two jobs (`build` and `deploy`), we recommend this action to be used in your `build` job:
+
+```yaml
+jobs:
+  # Build job
+  build:
+    # Specify runner +  build & upload the static files as an artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build static files
+        id: build
+        run: |
+          # <Not provided for brevity>
+          # At a minimum this step should build the static files of your site
+          # <Not provided for brevity>
+
+      - name: Upload static files as artifact
+        id: deployment
+        uses: actions/upload-pages-artifact@v3 # or specific "vX.X.X" version tag for this action
+        with:
+          path: build_outputs_folder/
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
+```
+
+### Inputs 📥
+
+| Input            | Required? | Default        | Description                                        |
+| ---------------- | --------- | -------------- | -------------------------------------------------- |
+| `name`           | `false`   | `github-pages` | Artifact name                                      |
+| `path`           | `true`    | `_site/`       | Path of the directory containing the static assets |
+| `retention-days` | `false`   | `1`            | Duration after which artifact will expire in days  |
+
+### Outputs 📤
+
+| Output        | Description                              |
+| ------------- | ---------------------------------------- |
+| `artifact_id` | The ID of the artifact that was uploaded |
 
 ## Artifact validation
 
-While using this action is optional, we highly recommend it since it takes care of producing (mostly) valid artifacts.
+While choosing to use this action as part of your approach to deploying to GitHub Pages is technically optional, we highly recommend it since it takes care of producing (mostly) valid artifacts.
 
-A Pages artifact must:
+However, if you _**do not**_ choose to use this action but still want to deploy to Pages using an Actions workflow, then you must upload an Actions artifact that meets the following criteria:
 
-- Be called `github-pages`
+- Be named `github-pages`
 - Be a single [`gzip` archive][gzip] containing a single [`tar` file][tar]
 
 The [`tar` file][tar] must:
 
-- be under 10GB in size
+- be under 10GB in size (we recommend under 1 GB!)
+  - :warning: The GitHub Pages [officially supported maximum size limit is 1GB][pages-usage-limits], so the subsequent deployment of larger tarballs are not guaranteed to succeed &mdash; often because they are more prone to exceeding the maximum deployment timeout of 10 minutes.
+  - ⛔ However, there is also an _unofficial_ absolute maximum size limit of 10GB, which Pages will not even _attempt_ to deploy.
 - not contain any symbolic or hard links
-- contain only files and directories that all meet the expected minimum [file permissions](#file-permissions)
-
-### File permissions
-
-When using this action, ensure that your files have appropriate file permissions.
-At a minimum, GitHub Pages expects:
-- files to have read permission for the current user and the "Others" user role (e.g. `0744`, `0644`, `0444`)
-- directories to have read and execute permissions for the current user and the "Others" user role (e.g. `0755`, `0555`)
-
-Failure to supply adequate permissions will result in a `deployment_perms_error` when attempting to deploy your artifacts to GitHub Pages.
-
-#### Example permissions fix for Linux
-
-```yaml
-steps:
-# ...
-  - name: Fix permissions
-    run: |
-      chmod -c -R +rX "_site/" | while read line; do
-        echo "::warning title=Invalid file permissions automatically fixed::$line"
-      done
-  - name: Upload Pages artifact
-    uses: actions/upload-pages-artifact@v3
-# ...
-```
-
-#### Example permissions fix for Mac
-
-```yaml
-steps:
-# ...
-  - name: Fix permissions
-    run: |
-      chmod -v -R +rX "_site/" | while read line; do
-        echo "::warning title=Invalid file permissions automatically fixed::$line"
-      done
-  - name: Upload Pages artifact
-    uses: actions/upload-pages-artifact@v3
-# ...
-```
+- contain only files and directories
 
 ## Release instructions
 
@@ -74,7 +80,7 @@ In order to release a new version of this Action:
 
 2. Publish the draft release from the `main` branch with semantic version as the tag name, _with_ the checkbox to publish to the GitHub Marketplace checked. :ballot_box_with_check:
 
-3. After publishing the release, the [`release` workflow][release] will automatically run to create/update the corresponding the major version tag such as `v0`.
+3. After publishing the release, the [`release` workflow][release] will automatically run to create/update the corresponding major version tag such as `v0`.
 
    ⚠️ Environment approval is required. Check the [Release workflow run list][release-workflow-runs].
 
@@ -90,3 +96,4 @@ The scripts and documentation in this project are released under the [MIT Licens
 [release-workflow-runs]: https://github.com/actions/upload-pages-artifact/actions/workflows/release.yml
 [gzip]: https://en.wikipedia.org/wiki/Gzip
 [tar]: https://en.wikipedia.org/wiki/Tar_(computing)
+[pages-usage-limits]: https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages#usage-limits

action.yml

@@ -32,6 +32,7 @@ runs:
           -cvf "$RUNNER_TEMP/artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           .
         echo ::endgroup::
       env:
@@ -49,6 +50,7 @@ runs:
           -cvf "$RUNNER_TEMP/artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           .
         echo ::endgroup::
       env:
@@ -66,6 +68,7 @@ runs:
           -cvf "$RUNNER_TEMP\artifact.tar" \
           --exclude=.git \
           --exclude=.github \
+          --exclude=".[^/]*" \
           --force-local \
           "."
         echo ::endgroup::
@@ -74,7 +77,7 @@ runs:
 
     - name: Upload artifact
       id: upload-artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ inputs.name }}
         path: ${{ runner.temp }}/artifact.tar

script/new-artifact.sh

@@ -8,3 +8,6 @@ echo 'world' > subdir/world.txt
 # Add some symlinks (which we should dereference properly when archiving)
 ln -s subdir subdir-link
 ln -s hello.txt bonjour.txt
+
+# Create some hidden files
+echo 'foo' > .hidden