feat(storage): add secured=false option for public artifact access #1436
Open
dan-kirberger wants to merge 1 commit into go-vela:main from
Adds a `secured: false` field to the artifacts block in .vela.yml pipelines that routes artifact objects under a `public/` prefix in MinIO, enabling direct (non-presigned) GET URLs for unauthenticated artifact downloads. Uploads remain worker-authenticated. Includes `--storage-public-policy` flag to optionally auto-configure bucket policy for anonymous GET on public/*.

Co-authored-by: Dayton <31824+SVDEA001@users.noreply.git.target.com>
dan-kirberger
commented
Apr 10, 2026
| // applyPublicPolicy sets an anonymous read-only policy on the public/* prefix of the bucket, | ||
| // allowing unauthenticated GET requests for objects stored under that prefix. | ||
| func (c *Client) applyPublicPolicy(ctx context.Context) error { |
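Review bot: the doc comment on applyPublicPolicy says "anonymous read-only" but does not say which actions the policy grants or what happens to a policy that is already set on the bucket. State in the comment that only object GET under public/* is allowed (no listing of the prefix), and whether an existing bucket policy is merged or replaced; the method returns only an error, so the comment is the one place an operator enabling this can learn that.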
Author
maybe this doesn't make sense here? better applied separately as some administrative setup?
Author
there'd be similar PRs in worker + sdk i assume
ecrupper
reviewed
Apr 13, 2026
| // to a pipeline Artifact type. | ||
| func (a *Artifacts) ToPipeline() *pipeline.Artifacts { | ||
| // default secured to true when not explicitly set | ||
| secured := true |
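Review bot: with `secured := true` set only inside ToPipeline, the secure default exists in this one conversion. If the pipeline type carries the setting as a plain bool, any pipeline.Artifacts value built elsewhere gets Go's zero value, false, which here means public. Naming the field so that false is the private case makes the zero value safe and removes the need for this default; if the name stays, the comment should say how "not explicitly set" is told apart from an explicit false.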
Contributor
It may be easier for implementation/styling if the YAML is inverted here. Something like insecure or public, where the default of false is the more secure option.
Author
er, yeah that makes way more sense - thanks! does the general "ask" here sound reasonable? i kinda flailed at a random robo-generated solution here. definitely not tied to anything.
slopped together idea for go-vela/community#1086
Why
Adds first-class support for publicly-accessible build artifacts. Teams often need to share artifact URLs (e.g. test reports, binaries) without requiring presigned URL expiry or authentication. Previously there was no way to opt individual artifacts out of presigned-URL access.
What changed
- `secured: false` field on the `artifacts` block in `.vela.yml`. When set, uploaded objects are stored under a `public/{org}/{repo}/{build}/` prefix in MinIO and returned with a direct (non-presigned) GET URL. Defaults to `true` (presigned, existing behaviour).
- `DirectObjectURL` method added to the `Storage` interface and MinIO implementation to construct direct URLs from `{endpoint}/{bucket}/{key}`.
- `ListObjects` now iterates both the standard and `public/` prefixes and returns direct URLs for public objects.
- `--storage-public-policy` / `VELA_STORAGE_PUBLIC_POLICY` server flag that, when enabled, automatically applies an anonymous-GET bucket policy scoped to the `public/*` prefix on startup.
- `?secured=false` query parameter support added to the storage API upload handler.
- `go test ./...` passes clean.
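The `--storage-public-policy` item above describes an anonymous-GET bucket policy scoped to `public/*`. As an added example (not code from this PR or from go-vela), the Go check below audits a bucket policy document and reports any anonymous grant that goes beyond that scope. The bucket name `vela-artifacts`, both sample policies and the name `auditPublicPolicy` are assumptions, and `Action` and `Resource` are assumed to be JSON arrays.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample policies for a hypothetical bucket named "vela-artifacts".
const scopedPolicy = `{"Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},
 "Action":["s3:GetObject"],"Resource":["arn:aws:s3:::vela-artifacts/public/*"]}]}`
const broadPolicy = `{"Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},
 "Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::vela-artifacts/*"]}]}`

// policy is the subset of a bucket policy this check reads (Action/Resource assumed arrays).
type policy struct {
	Statement []struct {
		Effect           string
		Principal        json.RawMessage
		Action, Resource []string
	}
}

// auditPublicPolicy reports every anonymous Allow that grants more than s3:GetObject
// or reaches outside <bucket>/public/. A quoted "*" anywhere in Principal counts as anonymous.
func auditPublicPolicy(doc, bucket string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, s := range p.Statement {
		if s.Effect != "Allow" || !strings.Contains(string(s.Principal), `"*"`) {
			continue
		}
		for _, a := range s.Action {
			if a != "s3:GetObject" {
				findings = append(findings, fmt.Sprintf("statement %d: anonymous %s", i, a))
			}
		}
		for _, r := range s.Resource {
			if !strings.HasPrefix(r, "arn:aws:s3:::"+bucket+"/public/") {
				findings = append(findings, fmt.Sprintf("statement %d: anonymous access to %s", i, r))
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(auditPublicPolicy(broadPolicy, "vela-artifacts")) }
```

Run against the policy actually present on the bucket after startup, an empty result means anonymous access is limited to object GET under `public/`.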