GitHub Actions upload-artifact "path traversal not allowed"
upload-artifact resolves paths relative to the workspace and rejects entries that escape it via .. or absolute roots outside the allowed tree. A traversal path is a deterministic validation failure.
What this error means
The upload-artifact step fails validating the provided path because it resolves outside the permitted workspace area.
github-actions
Error: Path traversal is not allowed: "../../etc/secrets"
Provided paths must stay within the workspace.Common causes
Path escapes the workspace
The path input uses .. or an absolute location outside the allowed root.
Wrong working directory assumption
A relative path was written assuming a different cwd than the action uses.
How to fix it
Keep artifact paths inside the workspace
- Copy files you need to upload into a directory under the workspace first.
- Reference paths relative to the workspace root, without ...
- Avoid absolute paths outside the checkout/workspace tree.
.github/workflows/ci.yml
- run: mkdir -p artifacts && cp /tmp/report.json artifacts/
- uses: actions/upload-artifact@v4
with:
name: report
path: artifacts/report.jsonHow to prevent it
- Stage outputs into a workspace-relative directory before uploading.
- Never point artifact paths outside the workspace.
Related guides
GitHub Actions "cannot find artifact across workflow runs"Fix the GitHub Actions download-artifact error when pulling an artifact produced by a different workflow run.
GitHub Pages "Deployment request failed (no artifact)"Fix the github-pages error where the deployment request failed because no github-pages artifact was uploaded…
GitHub Actions cache "size exceeds 10GB limit"Fix the GitHub Actions cache error where a single cache entry exceeds the 10GB per-cache size limit.