action-artifact-upload

A modern, secure, and flexible GitHub Action for uploading artifacts with filtering, policy enforcement, and SHA256 integrity validation — built on top of the latest artifact backend.

Features

• Multi-path uploads (files + directories)
• Smart compression
  • Auto zip directories
  • Direct upload for single files
• Include / Exclude filtering (glob-based)
• SHA256 integrity validation
• Policy enforcement
  • enforce → fail pipeline
  • audit → warn and continue
• Retention control
• Resilient + predictable behavior
• Fully compatible with GitHub Artifact v4 backend

Preview

Installation

Use directly from your repository:

- name: Upload Artifact
  uses: your-org/advanced-upload-artifact@v1

Inputs

Input	Required	Default	Description
name	✅	—	Base name for the artifact
path	✅	—	Comma-separated files/directories
artifact-prefix	❌	""	Prefix for artifact naming
retention-days	❌	7	Artifact retention duration
compression	❌	auto	`auto	always	never`
include	❌	""	Glob include patterns
exclude	❌	""	Glob exclude patterns
policy-mode	❌	enforce	`enforce	audit`
fail-on-risk	❌	true	Fail on detected risks

Usage Examples

Basic Upload

- name: Upload build
  uses: your-org/advanced-upload-artifact@v1
  with:
    name: build
    path: dist/

Multi-path Upload

- name: Upload multiple artifacts
  uses: your-org/advanced-upload-artifact@v1
  with:
    name: release
    path: dist/,report.json,logs/

With Filtering

- name: Upload filtered artifacts
  uses: your-org/advanced-upload-artifact@v1
  with:
    name: filtered-build
    path: dist/
    include: "**/*.html,**/*.json"
    exclude: "**/*.log,**/node_modules/**"

Policy Mode (Audit)

- name: Upload with audit mode
  uses: your-org/advanced-upload-artifact@v1
  with:
    name: safe-upload
    path: dist/
    policy-mode: audit
    fail-on-risk: false

With Prefix + Retention

- name: Upload production artifact
  uses: your-org/advanced-upload-artifact@v1
  with:
    name: build
    artifact-prefix: prod-
    path: dist/
    retention-days: 14

Behavior Overview

Scenario	Behavior
Single file	Uploaded directly
Directory	Zipped automatically
Multiple paths	Uploaded as separate artifacts
Missing path	Fail or warn (based on policy)
Empty file	Detected as risk

Policy Engine

Mode	Behavior
enforce	Fails workflow on risk
audit	Logs warning and continues

Security

• SHA256 checksum computed before upload
• No deprecated APIs
• Uses modern GitHub artifact backend
• Removes vulnerable Octokit dependency chain

Development

npm install
npm run build

Build Output

Ensure dist/index.js is committed:

npm run build

Architecture

Input → Filter → Compress → Hash → Upload → Validate

Roadmap

• Multi-file upload (no zip mode)
• Artifact manifest generation
• Artifact signing (cosign-style)
• Upload telemetry

Contributing

PRs are welcome. If it improves performance, security, or developer experience — even better.

License

MIT

Support

• If this helped you, give it a ⭐
• It helps the project grow and reach more builders.