Compare commits

4 commits

Author SHA1 Message Date
Kylie Stradley
d93203d1c2
Merge 86f43ed3c7 into abefc31eaf 2025-08-26 00:10:06 -07:00
Yang Cao
abefc31eaf
Merge pull request #424 from actions/yacaovsnc/update_readme
Some checks failed
Check dist/ / check-dist (push) Failing after 3s
Code scanning - action / CodeQL-Build (push) Failing after 22s
Licensed / Check licenses (push) Failing after 1s
Update README with artifact extraction details
2025-08-25 16:23:50 -04:00
Yang Cao
ac43a6070a
Update README with artifact extraction details
Clarified note on artifact extraction and GHES support.
2025-08-25 14:32:17 -04:00
Kylie Stradley
86f43ed3c7
Add Recommended Permissions
To reduce risk of over-privileged tokens, we are adding recommended permissions to popular GitHub-owned Actions READMEs
2025-01-21 21:30:55 -05:00

@ -34,6 +34,8 @@ Now both methods are consistent:
- **By name**: `name: my-artifact` → extracted to `path/` (unchanged)
- **By ID**: `artifact-ids: 12345` → extracted to `path/` (updated - now direct)
Note: This change also applies to patterns that only match a single artifact.
## v4 - What's new
> [!IMPORTANT]
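Review bot: The "Note: This change also applies to patterns that only match a single artifact." line ahead of `## v4 - What's new` does not say what "this change" is or where the files end up, unlike the two bullets above it, which each name the input and the destination (`→ extracted to path/`). Suggest stating it in the same form, for example as a third bullet that names the pattern input and says a single match is extracted directly to `path/`, so a reader who lands on the note alone does not have to infer the behaviour from the preceding list.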
@ -325,3 +327,10 @@ If you must preserve permissions, you can `tar` all of your files together befor
name: my-artifact
path: my_files.tar
```
# Recommended Permissions
The `actions/download-artifact` workflow relies on an internal authentication pattern and does not use the GITHUB_TOKEN, to reduce risk of over-privileged token, jobs that use `actions/download-artifact` should set permissions to none:
```yaml
perm
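Review bot: The paragraph under `# Recommended Permissions` calls `actions/download-artifact` a "workflow" and then recommends a setting for "jobs that use" it; it is an action used as a step, and the wording should say so, because the recommendation is job-scoped and would also apply to every other step in the same job. Suggest adding a clause that permissions set to none is appropriate when no other step in the job needs the token. The sentence is also a comma splice ("does not use the GITHUB_TOKEN, to reduce risk of over-privileged token, jobs that use ..."): split it after "GITHUB_TOKEN" and use "over-privileged tokens". The top-level `#` heading is worth checking against the `##` level used for `## v4 - What's new` earlier in the file. The YAML example is cut off at `perm` in this view, so its content could not be reviewed.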