Description
What happened?
Because this action does both archival and uploading in a single step and without being able to call an intermediate command, it is prone to end up uploading leaked secrets (usually from logs).
What did you expect to happen?
I would expect to be able to scan the content of the archive before it is uploaded and prevent its upload if the scanning reports an issue.
How can we reproduce it?
No need.
Anything else we need to know?
As secret scanning is an important feature by itself, it would likely be better if this action would just provide the ability to run an extra (external) command for scanning the produced archive before the file is uploaded, so the maintenance of the scanning tool would be external to this tool.
Still, it is key to be part of the upload action, as archive-scan-upload would be a single action without leaving any chance of mistakes.
If users would add their own scanning before archival, it will mean that it would be too easy to miss keeping the archival paths in sync and fail to perform a secured upload.
What version of the action are you using?
main
What are your runner environments?
linux
Are you on GitHub Enterprise Server? If so, what version?
No response
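The "extra (external) command for scanning the produced archive" that the issue asks for could be a small stand-alone scanner run against the finished archive file, exiting non-zero so a following upload step never runs. The script below is an added example, written for this page and not code from the action or its maintainers; it assumes the archive is a zip or tar file on disk, uses a few well-known public token formats (AWS access key id prefix, GitHub token prefixes, PEM private key headers) plus a generic `password=`/`secret=`/`token=` assignment pattern, and the fixture archive it builds for its own check is constructed here with the fake key id from AWS's documentation.

```python
"""Scan a build artifact archive for secret-looking strings before it is uploaded."""
import os
import re
import sys
import tarfile
import tempfile
import zipfile
from typing import Dict, Iterator, List, Tuple

# Public, well-known token formats; the generic rule catches key=value style leaks in logs.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(rb"(?i)(?:password|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9/+_-]{12,}"),
}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip very large members instead of reading them whole

Finding = Tuple[str, str, int]  # (member name, pattern label, line number)


def iter_members(path: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (member name, content) for every regular file inside a zip or tar archive."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                yield info.filename, zf.read(info)
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for member in tf:
                if not member.isfile() or member.size > MAX_MEMBER_BYTES:
                    continue
                handle = tf.extractfile(member)
                if handle is not None:
                    yield member.name, handle.read()
    else:
        raise ValueError(f"unsupported archive format: {path}")


def scan_archive(path: str) -> List[Finding]:
    """Return one finding per matching line; an empty list means the archive looks clean."""
    findings: List[Finding] = []
    for name, data in iter_members(path):
        for line_no, line in enumerate(data.splitlines(), start=1):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, label, line_no))
    return findings


def build_sample_archive(path: str, leak: bool) -> str:
    """Constructed fixture: a zip with a binary and a build log, optionally leaking a fake key id."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("build/app.bin", b"\x7fELF...binary payload...")
        log = b"[info] build started\n"
        if leak:
            # Fake value: the example access key id from AWS documentation, not a real credential.
            log += b"[debug] env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        log += b"[info] build finished\n"
        zf.writestr("logs/build.log", log)
    return path


def demo() -> Dict[str, List[Finding]]:
    """Build a clean and a leaky archive in a temp dir and return the scan result of each."""
    workdir = tempfile.mkdtemp()
    return {
        "clean": scan_archive(build_sample_archive(os.path.join(workdir, "clean.zip"), leak=False)),
        "leaky": scan_archive(build_sample_archive(os.path.join(workdir, "leaky.zip"), leak=True)),
    }


if __name__ == "__main__":
    # Usage: python scan_artifact.py <archive>; a non-zero exit aborts the job before upload.
    if len(sys.argv) != 2:
        print("usage: scan_artifact.py <archive>", file=sys.stderr)
        sys.exit(2)
    hits = scan_archive(sys.argv[1])
    for member, label, line_no in hits:
        print(f"{sys.argv[1]}:{member}:{line_no}: {label}")
    sys.exit(1 if hits else 0)
```

Run as a workflow step between "create archive" and "upload", the script reads the same archive file the upload step will send, which is the property the issue is after: the scanned bytes and the uploaded bytes cannot drift apart the way separately maintained path lists can. The patterns are deliberately few; a production setup would delegate to a dedicated scanner, but the shape of the check (open the finished archive, match every member, fail closed) stays the same.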