From abf0a467777395e9f795fc161b8fc313f387aafa Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 8 Feb 2023 03:20:11 -0500 Subject: [PATCH] Format note about GitHub Actions "archive in archive" bug --- .github/workflows/contract.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/contract.md b/.github/workflows/contract.md index b9335c94..2556625e 100644 --- a/.github/workflows/contract.md +++ b/.github/workflows/contract.md @@ -49,7 +49,7 @@ This workflow produces the following outputs: 1. Contract Build Artifacts - `contract.test-actions-on.tar.gz` containing the built contract from the `contract/build` folder with `DWITH_TEST_ACTIONS=on`. 1. Contract Test Artifacts - `contract-test.tar.gz` containing the built contract test artifacts from the `contract/tests/build` folder. -Note that, due to actions/upload-artifact [issue 39](https://github.com/actions/upload-artifact/issues/39) which has been open for over _three years_ and counting, the archives attached as artifacts will be zipped by GitHub when you download them such that you get a `*.zip` containing the `*.tar.gz`. There is nothing anyone can do about this except for GitHub. +> 📁 Due to actions/upload-artifact [issue 39](https://github.com/actions/upload-artifact/issues/39) which has been open for over _three years and counting_, the archives attached as artifacts will be zipped by GitHub when you download them such that you get a `*.zip` containing the `*.tar.gz`. There is nothing anyone can do about this except for Microsoft/GitHub. ## GitHub App Integration This workflow uses the [AntelopeIO/github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) GitHub action to assume the role of a GitHub application installed to the AntelopeIO organization to clone the private submodules. It requests a token from the GitHub app, clones everything using this token under the identity of the app, then the token expires. This is advantageous over a persistent API key from a GitHub service account because this does not consume a paid user seat, the "account" associated with the app cannot be logged into in the GitHub web UI, the app is scoped to exactly the permissions it needs to perform the clones for this repo _and nothing more_, and the API key expires very quickly so a bad actor who exfiltrates this key from the CI system should find it is not useful.