
fix(artifacts): support upload-artifact@v7 / download-artifact@v8 #6115

Open
royteeuwen wants to merge 1 commit into nektos:master from royteeuwen:fix/artifact-v4-upload-artifact-v7-compat


@royteeuwen


Fixes #6114.

The v4 artifact server rejected uploads from actions/upload-artifact@v7 (and the matching download-artifact@v8) for two independent reasons. Both are narrow, backward-compatible relaxations of request parsing.

1. unknown field "mime_type"

parseProtbufBody used a strict protojson.Unmarshal, which fails on any field absent from act's vendored protobuf. upload-artifact@v7 adds a mime_type field, producing Error decode request body: unknown field "mime_type" at CreateArtifact.

Decoding with protojson.UnmarshalOptions{DiscardUnknown: true} ignores fields act doesn't consume and keeps the server forward-compatible with future optional additions.

2. Error unauthorized

verifySignature decoded the sig query parameter with base64.URLEncoding, which requires = padding. The Azure storage SDK used by upload-artifact@v7 for blob upload strips the padding when it re-serializes the signed URL to append comp/blockid, so the strict decode failed silently and the HMAC check rejected the upload.

Decoding with base64.RawURLEncoding after trimming any = accepts both the padded (v4-era) and unpadded (v7+) forms.

Compatibility

Both changes only relax parsing — they never reject anything the previous code accepted, so v4/v5/v6 clients are unaffected. (upload-artifact@v1–v3 use a separate, non-protobuf code path that this change does not touch.)

Testing

  • Added TestCreateArtifactV4IgnoresUnknownFields and TestUploadArtifactV4AcceptsUnpaddedSignature.
  • go test ./pkg/artifacts/ passes.
  • Verified end-to-end with real workflows: upload-artifact@v4 → download-artifact@v4, and upload-artifact@v7 → download-artifact@v8, both round-trip successfully (including a ~160 MB artifact).

The v4 artifact server rejected requests from newer @actions/upload-artifact
releases for two independent reasons:

1. parseProtbufBody used a strict protojson.Unmarshal, which fails on any
   field absent from act's vendored protobuf. upload-artifact@v7 adds a
   `mime_type` field to the artifact requests, producing
   `Error decode request body: unknown field "mime_type"`. Decoding with
   DiscardUnknown ignores fields act doesn't consume and keeps the server
   forward-compatible with future optional additions.

2. verifySignature decoded the `sig` query parameter with base64.URLEncoding,
   which requires `=` padding. The Azure storage SDK used by upload-artifact@v7
   for blob upload strips the padding when it re-serializes the signed URL to
   append comp/blockid, so the strict decode failed silently and the HMAC check
   rejected the upload with `Error unauthorized`. Decoding with RawURLEncoding
   after trimming any `=` accepts both the padded (v4-era) and unpadded (v7+)
   forms.

Both changes only relax parsing, so older clients are unaffected; verified
end-to-end with v4<->v4 and v7<->v8 upload/download round-trips. Adds
regression tests for both cases.

Signed-off-by: Roy Teeuwen <roy@teeuwen.be>
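
The padding behaviour from point 2, as an added Go example that is not act's code and not part of this pull request: a padded-only decode rejects a signature whose `=` was stripped, while trimming `=` and decoding with RawURLEncoding accepts both forms and still rejects a modified signature. The function names, key and signed message are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// mac computes HMAC-SHA256 over msg. Key and message layout are constructed
// for this example; they are not act's real signing inputs.
func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// sign returns the padded URL-safe form, as a server would embed in `sig`.
func sign(key []byte, msg string) string {
	return base64.URLEncoding.EncodeToString(mac(key, msg))
}

// verifyStrict decodes with base64.URLEncoding, which requires '=' padding.
func verifyStrict(key []byte, msg, sig string) bool {
	got, err := base64.URLEncoding.DecodeString(sig)
	return err == nil && hmac.Equal(got, mac(key, msg))
}

// verifyLenient trims any '=' and decodes with RawURLEncoding, so padded and
// unpadded signatures both reach the constant-time HMAC comparison.
func verifyLenient(key []byte, msg, sig string) bool {
	got, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(sig, "="))
	return err == nil && hmac.Equal(got, mac(key, msg))
}

func main() {
	key := []byte("constructed-test-key")
	msg := "constructed-artifact-upload-params"
	padded := sign(key, msg)
	unpadded := strings.TrimRight(padded, "=") // what a padding-stripping client sends
	tampered := "A" + unpadded[1:]
	if unpadded[0] == 'A' {
		tampered = "B" + unpadded[1:]
	}
	fmt.Println("strict  padded/unpadded:", verifyStrict(key, msg, padded), verifyStrict(key, msg, unpadded))
	fmt.Println("lenient padded/unpadded:", verifyLenient(key, msg, padded), verifyLenient(key, msg, unpadded))
	fmt.Println("lenient tampered:", verifyLenient(key, msg, tampered))
}
```

The relaxation only affects how the signature text is decoded; the decoded bytes must still equal the expected HMAC, so accepting the unpadded form does not widen what verifies.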

Development

Successfully merging this pull request may close these issues.

Artifact server rejects upload-artifact@v7 / download-artifact@v8 (mime_type + sig padding)
