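Investigating whether GitHub Workflows Artifacts can be tampered with
Investigating how the upload-artifact action performs its uploads
Googling ACTIONS_RESULTS_URL returns no hits.
I tried debugging to see what value is set, but the environment variable was not set.
These are internal APIs.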
Those environmental variables are only available to GitHub Actions runners, whether it be runner hosted by GitHub or self-hosted one.
These variables are for internal APIs.
This is difficult. It seems better to ask.
I also created a support ticket.
Exchange with support
Me
Hi, I have a question about Artifacts.
In my understanding, artifacts uploaded by the workflow run A with upload-artifact can't be tampered by outside of the workflow run A.
Is this correct? Are there any references about it?
I expect artifacts as a temporal secure storage, but I'd like to confirm my understanding is correct.
Support
Hi Shunsuke,
Thank you for writing in!
I can confirm that your understanding is correct. Artifacts are stored in a secure location which is only accessible to the workflow run that uploaded them.
You can find out more about storing artifacts in our documentation here: https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts
I hope this helps.
Me
Thank you for your answer!
Sounds good. Artifacts are stored in a secure location which is only accessible to the workflow run that uploaded them.
I'm interested in how this is achieved.
upload-artifact action uploads artifacts by API, then how does the API authenticate and authorize the caller?
How does the API prevent malicious users from tampering artifacts?
Support
I'm afraid that since these questions are not related to an issue with your account, they fall beyond the scope of our support team's work, and the assistance we can provide is to refer you to our documentation or recommend that these questions be directed to the GitHub Community Discussions repository where our community discusses topics such as Actions and Packages.
Here are some resources from our documentation:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts
https://github.com/actions/upload-artifact
https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api?apiVersion=2022-11-28
I can provide guidance in the following scenarios:
If you believe your account has been incorrectly restricted
If you encounter an unexpected error when executing one of your Actions, for example: a unique ID
If you encounter a situation where existing behavior contradicts expected, but not always documented, behavior
If these questions are related to an issue within an Enterprise account you're a member of, I can go ahead and transfer this ticket to that team for further assistance.
Me
I see.
Thank you for your support!
I'll close this ticket.
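I got an answer from support that tampering is not possible.
However, they did not tell me the details.
Apparently, on an Enterprise plan, they would provide support if a problem were actually occurring.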