Skip to content
Latchkey

GitHub Actions upload-artifact "path traversal not allowed"

upload-artifact resolves paths relative to the workspace and rejects entries that escape it via .. or absolute roots outside the allowed tree. A traversal path is a deterministic validation failure.

What this error means

The upload-artifact step fails validating the provided path because it resolves outside the permitted workspace area.

github-actions
Error: Path traversal is not allowed: "../../etc/secrets"
Provided paths must stay within the workspace.

Common causes

Path escapes the workspace

The path input uses .. or an absolute location outside the allowed root.

Wrong working directory assumption

A relative path was written assuming a different cwd than the action uses.

How to fix it

Keep artifact paths inside the workspace

  1. Copy files you need to upload into a directory under the workspace first.
  2. Reference paths relative to the workspace root, without ...
  3. Avoid absolute paths outside the checkout/workspace tree.
.github/workflows/ci.yml
- run: mkdir -p artifacts && cp /tmp/report.json artifacts/
- uses: actions/upload-artifact@v4
  with:
    name: report
    path: artifacts/report.json

How to prevent it

  • Stage outputs into a workspace-relative directory before uploading.
  • Never point artifact paths outside the workspace.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →