Update actions/upload-artifact action to v4.4.3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/upload-artifact	action	patch	v4.4.0 -> v4.4.3

---

Release Notes

actions/upload-artifact (actions/upload-artifact)

v4.4.3

Compare Source

What's Changed

• Undo indirect dependency updates from #​627 by @​joshmgross in https://github.com/actions/upload-artifact/pull/632

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

• Bump @actions/artifact to 2.1.11 by @​robherley in https://github.com/actions/upload-artifact/pull/627
  • Includes fix for relative symlinks not resolving properly

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

• Add a section about hidden files by @​joshmgross in https://github.com/actions/upload-artifact/pull/607
• Add workflow file for publishing releases to immutable action package by @​Jcambass in https://github.com/actions/upload-artifact/pull/621
• Update @​actions/artifact to latest version, includes symlink and timeout fixes by @​robherley in https://github.com/actions/upload-artifact/pull/625

New Contributors

• @​Jcambass made their first contribution in https://github.com/actions/upload-artifact/pull/621

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

---

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

[puLL-Merge] - actions/[email protected]

Description

This PR updates the upload-artifact action, focusing on improving its functionality and security. The changes include updating dependencies, enhancing error handling, and adding support for symlinked files.

Changes

Changes

1. .github/workflows/publish-immutable-actions.yml:

   • Added a new workflow for publishing immutable action versions.

2. .github/workflows/test.yml:

   • Enhanced the end-to-end test to include symlinked files.
   • Added a new test case for uploading and verifying symlinked artifacts.

3. README.md:

   • Added a new section on uploading hidden files, explaining how to include them and exclude sensitive information.

4. dist/merge/index.js and dist/upload/index.js:

   • Updated to reflect changes in the underlying @actions/artifact library.
   • Improved error handling for malformed zip entries.
   • Added support for symlinked files.
   • Enhanced the upload progress monitoring mechanism.

5. package.json:

   • Updated version to 4.4.3.
   • Updated dependencies:
     • @actions/artifact to ^2.1.11
     • @actions/core to ^1.11.1

Possible Issues

The changes to the zip entry path sanitization might potentially affect existing workflows that rely on specific path structures. Users should test their workflows to ensure compatibility.

Security Hotspots

1. The change in zip entry path sanitization (entry.path.replace(/(?<=^|[/\\]+)[.][.]+(?=[/\\]+|$)/g, ".")) improves security by preventing path traversal attacks more effectively. However, it's crucial to ensure this change doesn't introduce any unintended side effects in edge cases.

2. The new feature for uploading hidden files could potentially lead to the accidental inclusion of sensitive data. While the README provides guidance on excluding sensitive files, users should be cautious when using this feature.

[mrose17]

Looks good on desktop. dev1, dev2, and dev3.