At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: "action-zip" # montudor/action-zip
# GITHUB_TOKEN not used

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

As in the Issue #19, the problem reappears but the difference is the version of checkout (V3)

WIth .yml file instructions like:

    steps:
      - uses: actions/checkout@v3

      - name: Create Archive
        uses: montudor/action-zip@v1
        with:
          args: zip -qq -r archive.zip directory/* -x "directory/test.bat"

I keep receiving the following error:

zip error: Nothing to do! (texture-pack.zip)

I want to create a zip file from few files in a folder but not all of them that I can use the directory command

I have a project dir like so:

└── lambda
    └── lambda_handler.py

WIth .yml file instructions like:

 steps:
      - name: zip
        uses: montudor/[email protected]
        with:
          args:   zip -qq -r bundle.zip lambda

I keep receiving the following error:

zip error: Nothing to do! (try: zip -qq -r bundle.zip . -i lambda/)

I have also tried with zip -qq -r bundle.zip . -i lambda/ but it would just result in an empty zip.

Hello @montudor ,

I am currently using your github action to zip my file, but unfortunately I am facing this issue :

Here is my workflow :

`on: workflow_dispatch 
  #schedule:
  # - cron: '0 7 * * 5' # every Friday at 7:00 AM
jobs:
  run_manual : # run my test
    runs-on: ubuntu-latest
    steps:
      - name: run the Testim s tests with Testim s gitHub action
        #id: tests_ok_ko
        uses: instinctstudios/[email protected]
        continue-on-error: true
        with:
      token: ${{ secrets.TESTIM_TOKEN }} 
      project: ${{ secrets.PROJECT_ID }} 
      grid: Testim-Grid
      suite: to_test_github_integration

  
            
        - name: upload the artifact generated by Testim itself
          uses: actions/upload-artifact@v3
          with:
            name: test_report
            path: /home/runner/work/launch_testim_tests/launch_testim_tests/testim-report.xml
            if-no-files-found: warn
        
        #- name: Find the file
          #run: find / -type f -name testim-report.xml -print
          #run: pwd
  
       
          
        
        - name: parse the file
          run: cat /home/runner/work/launch_testim_tests/launch_testim_tests/testim-report.xml | grep -i -C 1 "<failure" | tee final-report.xml
  
        - name: Zip file
          uses: montudor/action-zip@v1
          with:
            args: zip -qq -r testim-report.zip . -i /home/runner/work/launch_testim_tests/launch_testim_tests/testim-report.xml
  
        #- name: Find the file
        # run: find ${{ github.workspace }} -name 'testim-report.zip' -print
  
        - name: upload the artifact generated by Testim itself
          uses: actions/upload-artifact@v3
          with:
            name: test_report
            path: /home/runner/work/launch_testim_tests/launch_testim_tests/testim-report.zip
            if-no-files-found: warn
        
        - name: Download the zip file 
          uses: actions/download-artifact@v3
          with:
            name: /home/runner/work/launch_testim_tests/launch_testim_tests/testim-report.zip
  `

Regards.

Why README example has double q in zip -qq command? Is it a typo?

• Was trying to run this action on a macOS runner. It's not possible to use a Linux runner at the moment as required scripts are only available a mac.

The title says it all. Currently, this action unfortunately does not support Windows builds. Supporting Windows build would be a desired feature for me.

Thank you for your work!

Ubuntu 22.04

When set output directory contains tilde key ~ or $HOME used in a GitHub actions workflow file, it does not properly resolve to intended directories.

Example:

    - name: Unzip
      run: unzip "this_is_my_zip.zip" -d ~/

Expected destination: /home/<user>
Actual destination: ~

This does not properly resolve to the home directory, but instead literally resolved to a folder with a tilde key in its name (./~/), or $HOME if used instead.

Directly running the unzip program instead, the path is properly resolved.

    - name: Unzip
      run: unzip "this_is_my_zip*.zip" -d ~

Hi !

I'm trying to local test my workflow using ACT but I'm encountering an issue.

Seems that action-zip lacks an action.yaml file, and ACT does not like that.

It is also a GH best practice to include one for describing what is included in your actions

I could create a MR with an action file.

https://github.com/dotherightthing/wpdtrt-anchorlinks/actions/runs/107231135

##[warning]Unexpected input 'args', valid inputs are ['']
Run montudor/[email protected]
  with:
    args: zip -qq -r ./release.zip ./release

A warning is issued but the step does complete.

Workflow: https://github.com/dotherightthing/wpdtrt-npm-scripts/blob/master/config/.github/workflows/build-release-tagged.yml

Description

I'm running this action on ubuntu-latest where I am sharing a zipped directory between jobs by using upload and download artefact. After downloading the zipfile, the zipfile itself has 'runner docker' as owning user + owning user group settings.

After unzipping the zipfile, all files have 'root root' as owning user + owning user group. That means the runner cannot execute the files. I tried resetting the rights with chown, but I get an Operation not permitted error back.

I also checked the file rights before being zipped and all files where runner docker before zipping. The zipfile is also created with 'root root'.

Preferred solution

Zip and unzip the file with the rights of the runner process, and not with root root.

can this action exlude some folder for example .git or .github ?

Thank you

So far I have tried:

-r -j and the following items (. , ./, ./, , **.,., current folder name/) none of them work. Please help.

Support for the HCL syntax in GitHub Actions will be deprecated on September 30, 2019.
If you participated in the limited public beta and created workflows with the HCL syntax GitHub Actions, you will need to upgrade to the new limited public beta that uses YAML syntax. When your repository is eligible to upgrade, you'll see an invitation in your repository. You must accept the invitation before you can use the new limited public beta.
Any workflows that you created with the HCL syntax will need to be updated to the new YAML syntax. To automatically convert your workflows and actions, see "Migrating GitHub Actions from HCL syntax to YAML syntax."

Since support for HCL syntax is getting deprecated, the example in the README should be updated to reflect the YAML syntax.

The "Zipping a folder from a different work dir" example, in the README.md doesn't make use of the zip tool inside the container, and uses the zip tool that may or may not be installed in the job container image. The default github container has a zip tool installed, but use of other containers (for build tools etc) mean that may be missing.

Eg:

    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/dotnet/sdk:7.0-jammy