Compare commits

..

18 Commits

Author SHA1 Message Date
Salman Chishti a6edf8b70d Update environment configuration in releases.yml 2026-03-26 12:27:00 +00:00
Salman Chishti 0df75b91ff Merge pull request #2359 from actions/dependabot/npm_and_yarn/picomatch-2.3.2
chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2
2026-03-26 12:25:19 +00:00
dependabot[bot] 233d556477 chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-25 22:41:36 +00:00
Bassem Dghaidi 44d43b5490 Merge pull request #2351 from actions/Link-/add-releases-docs
Add docs for the releases workflow
2026-03-16 16:45:42 +01:00
Bassem Dghaidi 76ac4dd95f Update contributing.md 2026-03-16 08:39:20 -07:00
Bassem Dghaidi 632b2cbff6 Add screenshot 2026-03-16 08:33:25 -07:00
Bassem Dghaidi 73bdb59ac2 Explain the new releases workflow 2026-03-16 08:29:53 -07:00
Bassem Dghaidi 22d35395d4 Merge pull request #2350 from actions/Link-/fix-tests-in-releases
Scope tests to the package being published
2026-03-16 15:01:41 +01:00
Bassem Dghaidi ed4fdc98c4 Add input to run isolated tests 2026-03-16 06:50:25 -07:00
Bassem Dghaidi 6211ca9cbd Merge pull request #2349 from actions/Link-/update-release-workflow
Update release workflow to permit shipping from non main branches
2026-03-16 14:29:21 +01:00
Bassem Dghaidi 99dfdab194 Fix the description of npm-tag 2026-03-16 06:14:29 -07:00
Bassem Dghaidi 6ec76cbf3d Update release workflow to permit shipping from non main branches 2026-03-16 06:05:25 -07:00
Salman Chishti 943ff82d3d Merge pull request #2344 from actions/dependabot/npm_and_yarn/packages/artifact/undici-6.24.0
chore(deps): bump undici from 6.23.0 to 6.24.0 in /packages/artifact
2026-03-14 04:35:35 +00:00
dependabot[bot] 06bca4509d chore(deps): bump undici from 6.23.0 to 6.24.0 in /packages/artifact
Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-14 04:17:32 +00:00
Daniel Kennedy 21229dc09e Artifact: support downloading artifacts with CJK characters in their name (#2341)
* Artifact: support downloading artifacts with CJK characters in their name

* Fix some linting/PR comments

* One more linting fix
2026-03-11 09:30:15 -04:00
Meredith Lancaster 6fd292ebdd Merge pull request #2337 from actions/dependabot/npm_and_yarn/packages/attest/tar-7.5.10
chore(deps): bump tar from 7.5.7 to 7.5.10 in /packages/attest
2026-03-06 06:54:55 -08:00
dependabot[bot] 89f01c9125 chore(deps): bump tar from 7.5.7 to 7.5.10 in /packages/attest
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.10.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.10)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-06 13:29:24 +00:00
Zachary Taylor 85466c0f54 Merge pull request #2323 from actions/zaataylor-update-artifact-storage-err-msg
Update artifact storage error message
2026-02-26 14:37:38 -05:00
11 changed files with 275 additions and 29 deletions
+5
View File
@@ -57,3 +57,8 @@ This will ask you some questions about the new package. Start with `0.0.0` as th
```
3. Start developing 😄.
## Releasing Packages
For information on how packages are published to npm, including workflow inputs, dist-tags, and safety guards, see the [release documentation](../docs/release.md).
+42 -13
View File
@@ -1,6 +1,6 @@
name: Publish NPM
run-name: Publish NPM - ${{ github.event.inputs.package }}
run-name: Publish NPM - ${{ inputs.package }} from ${{ inputs.branch }}
on:
workflow_dispatch:
@@ -20,7 +20,21 @@ on:
- http-client
- io
- tool-cache
branch:
type: string
required: false
default: 'main'
description: 'Branch to release from'
npm-tag:
type: string
required: false
default: 'latest'
description: 'npm dist-tag for the release. Use "latest" for main branch releases. For non-main branches, use a non-semver tag like "v1-longlived". Semver values (e.g. "5.0.0") are not valid dist-tags and will be rejected by npm.'
test-all:
type: boolean
required: false
default: false
description: 'Run tests for all packages instead of only the package being published'
jobs:
test:
@@ -28,13 +42,15 @@ jobs:
steps:
- name: setup repo
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
ref: ${{ inputs.branch }}
- name: verify package exists
run: ls packages/${{ github.event.inputs.package }}
- name: Set Node.js 24.x
uses: actions/setup-node@v5
uses: actions/setup-node@v6
with:
node-version: 24.x
@@ -48,14 +64,19 @@ jobs:
run: npm run build
- name: test
run: npm run test
run: |
if [ "${{ inputs.test-all }}" = "true" ]; then
npm run test
else
npm run test -- --testPathPattern="packages/${{ inputs.package }}"
fi
- name: pack
run: npm pack
working-directory: packages/${{ github.event.inputs.package }}
- name: upload artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: ${{ github.event.inputs.package }}
path: packages/${{ github.event.inputs.package }}/*.tgz
@@ -63,36 +84,44 @@ jobs:
publish:
runs-on: ubuntu-slim
needs: test
environment: npm-publish
environment:
name: npm-publish
deployment: false
permissions:
contents: read
id-token: write
steps:
- name: Set Node.js 24.x
uses: actions/setup-node@v5
uses: actions/setup-node@v6
with:
node-version: 24.x
- name: download artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ${{ github.event.inputs.package }}
name: ${{ inputs.package }}
- name: guard against publishing latest from non-main branch
if: inputs.branch != 'main' && inputs.npm-tag == 'latest'
run: |
echo "::error::Publishing with the 'latest' dist-tag from a non-main branch ('${{ inputs.branch }}') is not allowed. Use the package major version as the tag (e.g. v5)."
exit 1
- name: publish
run: npm publish --provenance *.tgz
run: npm publish --provenance --tag "${{ inputs.npm-tag }}" *.tgz
- name: notify slack on failure
if: failure()
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":":pb__failed: Failed to publish a new version of ${{ github.event.inputs.package }}"}' $SLACK_WEBHOOK
curl -X POST -H 'Content-type: application/json' --data '{"text":":pb__failed: Failed to publish a new version of ${{ inputs.package }} from ${{ inputs.branch }} (tag: ${{ inputs.npm-tag }})"}' $SLACK_WEBHOOK
env:
SLACK_WEBHOOK: ${{ secrets.SLACK }}
- name: notify slack on success
if: success()
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":":dance: Successfully published a new version of ${{ github.event.inputs.package }}"}' $SLACK_WEBHOOK
curl -X POST -H 'Content-type: application/json' --data '{"text":":dance: Successfully published a new version of ${{ inputs.package }} from ${{ inputs.branch }} (tag: ${{ inputs.npm-tag }})"}' $SLACK_WEBHOOK
env:
SLACK_WEBHOOK: ${{ secrets.SLACK }}
Binary file not shown.

After

Width:  |  Height:  |  Size: 170 KiB

+82
View File
@@ -0,0 +1,82 @@
# Releasing Packages
Packages are published to npm via the **Publish NPM** workflow ([`.github/workflows/releases.yml`](../.github/workflows/releases.yml)). The workflow is triggered manually through `workflow_dispatch` from the GitHub Actions UI.
## How it works
The workflow has two jobs:
1. **test** — Checks out the specified branch, installs dependencies, bootstraps the monorepo, builds all packages, runs tests, then packs the target package into a `.tgz` archive and uploads it as a workflow artifact.
2. **publish** — Downloads the packed artifact and publishes it to npm with `--provenance` (OIDC-based). Sends a Slack notification on success or failure. Requires the `npm-publish` environment.
## Inputs
| Input | Type | Required | Default | Description |
|---|---|---|---|---|
| `package` | choice | **yes** | — | Which package to release. One of: `artifact`, `attest`, `cache`, `core`, `exec`, `github`, `glob`, `http-client`, `io`, `tool-cache`. |
| `branch` | string | no | `main` | The branch to check out and release from. |
| `npm-tag` | string | no | `latest` | The npm dist-tag to publish under. See [Dist-tags](#dist-tags) below. |
| `test-all` | boolean | no | `false` | When `false`, only tests for the selected package are run. Set to `true` to run the full test suite across all packages. |
## Dist-tags
npm dist-tags control which version users get when they `npm install @actions/<package>` (or `@<tag>`).
> **Important:** npm dist-tags **cannot** be valid semver strings. Values like `5.0.0` or `1.2.3` will be rejected by npm. Use a descriptive name instead.
- **`latest`** — The default tag. This is what users get with a plain `npm install`. Should only be used for releases from `main`.
- **Custom tags** (e.g. `v1-longlived`) — Used for releases from long-lived or experimental branches.
Examples of **valid** dist-tags: `latest`, `next`, `beta`, `v1-longlived`
Examples of **invalid** dist-tags: `5.0.0`, `1.2.3`, `6.0.0-rc.1` (these are semver and will be rejected)
| ![Screenshot showcasing the npm distribution tags](assets/npm-dist-tags.png) |
|---|
| npm distribution tags |
### Safety guard
The workflow **blocks** publishing with the `latest` dist-tag from any branch other than `main`. This prevents accidentally overwriting `latest` with a version from an older or experimental branch. If you're releasing from a non-main branch, use the package's major version as the tag (e.g. `v5`).
## Examples
### Standard release from main
Use default inputs — just pick the package:
| Input | Value |
|---|---|
| `package` | `core` |
| `branch` | `main` (default) |
| `npm-tag` | `latest` (default) |
| `test-all` | `false` (default) |
This publishes the version in `packages/core/package.json` on `main` as `@actions/core@latest`.
### Patch release from a long-lived branch
| Input | Value |
|---|---|
| `package` | `artifact` |
| `branch` | `releases/v5` |
| `npm-tag` | `v5` |
| `test-all` | `false` (default) |
This publishes the version in `packages/artifact/package.json` on the `releases/v5` branch under the `v5` dist-tag. The `latest` tag remains untouched.
### Release with full test suite
| Input | Value |
|---|---|
| `package` | `cache` |
| `branch` | `main` (default) |
| `npm-tag` | `latest` (default) |
| `test-all` | `true` |
Same as a standard release, but runs tests for all packages before publishing.
## Prerequisites
- You must have permission to trigger workflows on this repository.
- The `npm-publish` environment must be configured with npm credentials and OIDC.
- The `SLACK` secret must be set for Slack notifications to work.
+3 -3
View File
@@ -13278,9 +13278,9 @@
"license": "ISC"
},
"node_modules/picomatch": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
"integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
"integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
"dev": true,
"license": "MIT",
"engines": {
+4
View File
@@ -1,5 +1,9 @@
# @actions/artifact Releases
## 6.2.1
- Support the RFC 5987 `filename*` field in the `content-disposition` header. This allows us to correctly download files and artifacts with Chinese/Japanese/Korean (among other) characters in their name.
## 6.2.0
- Support uploading single un-archived files (not zipped). Direct uploads are only supported for artifacts version 7+ (based on the major version of `actions/upload-artifact`). Callers must pass the `skipArchive` option to `uploadArtifact`. Only single files can be uploaded at a time right now. Default behavior should remain unchanged if `skipArchive = false`. When `skipArchive = true`, the name of the file is used as the name of the artifact for consistency with the downloads: you upload `artifact.txt`, you download `artifact.txt`.
@@ -977,5 +977,125 @@ describe('download-artifact', () => {
)
expect(fs.existsSync(maliciousPath)).toBe(false)
})
it('should correctly handle Content-Disposition with filename* parameter (RFC 5987)', async () => {
const rawFileContent = 'content with rfc5987 encoding'
const expectedFileName = '报告-土-x.txt'
const asciiFileName = '__-_-x.txt'
const mockGetRfc5987File = jest.fn(() => {
const message = new http.IncomingMessage(new net.Socket())
message.statusCode = 200
message.headers['content-type'] = 'text/plain'
// Server sends both: filename with _ fallbacks, filename* with UTF-8 encoding
message.headers['content-disposition'] =
`attachment; filename="${asciiFileName}"; filename*=UTF-8''${encodeURIComponent(expectedFileName)}`
message.push(Buffer.from(rawFileContent, 'utf8'))
message.push(null)
return {
message
}
})
const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
() => {
return {
get: mockGetRfc5987File
}
}
)
await streamExtractExternal(
fixtures.blobStorageUrl,
fixtures.workspaceDir
)
expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
const savedFilePath = path.join(fixtures.workspaceDir, expectedFileName)
expect(fs.existsSync(savedFilePath)).toBe(true)
expect(fs.readFileSync(savedFilePath, 'utf8')).toBe(rawFileContent)
})
it('should handle zip artifacts with Chinese characters in the artifact name', async () => {
// Simulate Azure Blob Storage URL with rscd containing Chinese filename
const chineseArtifactName = 'probe-土-x'
const asciiArtifactName = 'probe-_-x'
const blobUrlWithChineseName = `https://blob-storage.local/artifact.zip?rscd=${encodeURIComponent(`attachment; filename="${asciiArtifactName}.zip"; filename*=UTF-8''${encodeURIComponent(`${chineseArtifactName}.zip`)}`)}&rsct=application%2Fzip&sig=abc123`
const mockGetZip = jest.fn(() => {
const message = new http.IncomingMessage(new net.Socket())
message.statusCode = 200
message.headers['content-type'] = 'application/zip'
message.headers['content-disposition'] =
`attachment; filename="${asciiArtifactName}.zip"; filename*=UTF-8''${encodeURIComponent(`${chineseArtifactName}.zip`)}`
message.push(fs.readFileSync(fixtures.exampleArtifact.path))
message.push(null)
return {
message
}
})
const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
() => {
return {
get: mockGetZip
}
}
)
await streamExtractExternal(blobUrlWithChineseName, fixtures.workspaceDir)
expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
// Zip should be extracted normally regardless of Chinese artifact name
await expectExtractedArchive(fixtures.workspaceDir)
})
it.each([
['土', '_'], // U+571F - known to cause 400 errors
['日', '_'], // U+65E5 - reported to work fine
['中文测试', '____'], // multiple Chinese characters
['文件-2026年', '__-2026_'], // mixed Chinese and numbers
['データ', '___'], // Japanese katakana
['테스트', '___'] // Korean characters
])(
'should prefer filename* over filename for non-ASCII character %s (%s)',
async (chars, asciiReplacement) => {
const rawFileContent = `content for ${chars}`
const expectedFileName = `artifact-${chars}.txt`
const asciiFileName = `artifact-${asciiReplacement}.txt`
const mockGetFile = jest.fn(() => {
const message = new http.IncomingMessage(new net.Socket())
message.statusCode = 200
message.headers['content-type'] = 'text/plain'
// Server sends filename with _ replacing non-ASCII, filename* with proper encoding
message.headers['content-disposition'] =
`attachment; filename="${asciiFileName}"; filename*=UTF-8''${encodeURIComponent(expectedFileName)}`
message.push(Buffer.from(rawFileContent, 'utf8'))
message.push(null)
return {
message
}
})
const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
() => {
return {
get: mockGetFile
}
}
)
await streamExtractExternal(
fixtures.blobStorageUrl,
fixtures.workspaceDir
)
expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
const savedFilePath = path.join(fixtures.workspaceDir, expectedFileName)
expect(fs.existsSync(savedFilePath)).toBe(true)
expect(fs.readFileSync(savedFilePath, 'utf8')).toBe(rawFileContent)
}
)
})
})
+5 -5
View File
@@ -1,12 +1,12 @@
{
"name": "@actions/artifact",
"version": "6.2.0",
"version": "6.2.1",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "@actions/artifact",
"version": "6.2.0",
"version": "6.2.1",
"license": "MIT",
"dependencies": {
"@actions/core": "^3.0.0",
@@ -1812,9 +1812,9 @@
"license": "MIT"
},
"node_modules/undici": {
"version": "6.23.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
"integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
"version": "6.24.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.0.tgz",
"integrity": "sha512-lVLNosgqo5EkGqh5XUDhGfsMSoO8K0BAN0TyJLvwNRSl4xWGZlCVYsAIpa/OpA3TvmnM01GWcoKmc3ZWo5wKKA==",
"license": "MIT",
"engines": {
"node": ">=18.17"
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "@actions/artifact",
"version": "6.2.0",
"version": "6.2.1",
"preview": true,
"description": "Actions artifact lib",
"keywords": [
@@ -93,16 +93,22 @@ export async function streamExtractExternal(
urlEndsWithZip
// Extract filename from Content-Disposition header
// Prefer filename* (RFC 5987) which supports UTF-8 encoded filenames,
// fall back to filename which may contain ASCII-only replacements
const contentDisposition =
response.message.headers['content-disposition'] || ''
let fileName = 'artifact'
const filenameMatch = contentDisposition.match(
/filename\*?=['"]?(?:UTF-\d['"]*)?([^;\r\n"']*)['"]?/i
const filenameStar = contentDisposition.match(
/filename\*\s*=\s*UTF-8''([^;\r\n]*)/i
)
if (filenameMatch && filenameMatch[1]) {
const filenamePlain = contentDisposition.match(
/(?<!\*)filename\s*=\s*['"]?([^;\r\n"']*)['"]?/i
)
const rawName = filenameStar?.[1] || filenamePlain?.[1]
if (rawName) {
// Sanitize fileName to prevent path traversal attacks
// Use path.basename to extract only the filename component
fileName = path.basename(decodeURIComponent(filenameMatch[1].trim()))
fileName = path.basename(decodeURIComponent(rawName.trim()))
}
core.debug(
+3 -3
View File
@@ -1529,9 +1529,9 @@
}
},
"node_modules/tar": {
"version": "7.5.7",
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.7.tgz",
"integrity": "sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==",
"version": "7.5.10",
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.10.tgz",
"integrity": "sha512-8mOPs1//5q/rlkNSPcCegA6hiHJYDmSLEI8aMH/CdSQJNWztHC9WHNam5zdQlfpTwB9Xp7IBEsHfV5LKMJGVAw==",
"license": "BlueOak-1.0.0",
"dependencies": {
"@isaacs/fs-minipass": "^4.0.0",