
[Bug]: Persistent "Artifact name is not valid" (400 Bad Request) from GitHub API despite valid name & token

Open Niksinikhilesh045 opened this issue 10 months ago • 3 comments

I am encountering a persistent issue where the zaproxy/action-baseline fails to upload artifacts, receiving a 400 Bad Request from the GitHub Artifacts API with the message "The artifact name [NAME] is not valid." This occurs even when using simplified, alphanumeric artifact names and with github.token correctly configured.

Action Version: zaproxy/[email protected]

Workflow Snippet (relevant part):

    - name: Set permissions for ZAP workspace
      run: |
        chmod -R 777 ${{ github.workspace }}

    - name: 🔥 Run ZAP Baseline Scan
      uses: zaproxy/[email protected]
      with:
        target: 'http://localhost:8080'
        fail_action: false
        allow_issue_writing: true
        artifact_name: zapreports # Tried "vuln-scan-results", "zap-scan-results", and "zapreports"
        issue_title: ZAP Scan Baseline Report
        docker_name: ghcr.io/zaproxy/zaproxy:stable
        token: ${{ github.token }}

Observed Behavior:

The ZAP scan runs successfully, and new GitHub issues are created as expected. The action's logs for the artifact upload step explicitly state "Artifact name is valid!" Immediately after this, a 400 Bad Request is received from the GitHub Artifacts API endpoint, with the message Error: Create Artifact Container failed: The artifact name [tried_name] is not valid. This behavior is consistent across multiple runs, even after simplifying the artifact name to zapreports (a purely alphanumeric, short name). Authentication with github.token is confirmed to be correct in the YAML, and other GitHub API interactions (issue creation) work fine. A previous "Permission denied" error for zap.yaml was resolved by adding chmod -R 777 ${{ github.workspace }}.

Expected Behavior:

The artifact should be successfully uploaded to the GitHub workflow run.

Logs (relevant section from latest attempt):

Scanning process completed, starting to analyze the results!
[@octokit/request] "GET https://api.github.com/search/issues?q=is%3Aissue+state%3Aopen+repo%3ANiksinikhilesh045%2Fautomated-security-scanning-devsecops+ZAP+Scan+Baseline+Report&sort=updated" is deprecated. It is scheduled to be removed on Thu, 04 Sep 2025 00:00:00 GMT. See https://github.blog/changelog/2025-03-06-github-issues-projects-api-support-for-issues-advanced-search-and-more/
Using github-actions[bot] to serch for issues.
Ongoing open issue has been identified #19
Alerts present in the current report: true
Process completed successfully and a new issue #20 has been created for the ZAP Scan.
Starting artifact upload
For more detailed logs during the artifact upload process, enable step-debugging: https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging
Artifact name is valid!
Create Artifact Container - Error is not retryable
##### Begin Diagnostic HTTP information #####
Status Code: 400
Status Message: Bad Request
Header Information: {
  "content-length": "268",
  "content-type": "application/json; charset=utf-8",
  "date": "Wed, 11 Jun 2025 10:12:25 GMT",
  "server": "Kestrel",
  "cache-control": "no-store,no-cache",
  "pragma": "no-cache",
  "strict-transport-security": "max-age=2592000",
  "x-tfs-processid": "5024a32e-3d91-4798-8654-016ffae7d1af",
  "activityid": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-tfs-session": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-vss-e2eid": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-vss-senderdeploymentid": "0bea2708-580e-d31c-f6de-bbc2333e4650",
  "x-frame-options": "SAMEORIGIN"
}
###### End Diagnostic HTTP information ######
##### Begin Diagnostic HTTP information #####
Status Code: 400
Status Message: Bad Request
Header Information: {
  "content-length": "268",
  "content-type": "application/json; charset=utf-8",
  "date": "Wed, 11 Jun 2025 10:12:25 GMT",
  "server": "Kestrel",
  "cache-control": "no-store,no-cache",
  "pragma": "no-cache",
  "strict-transport-security": "max-age=2592000",
  "x-tfs-processid": "5024a32e-3d91-4798-8654-016ffae7d1af",
  "activityid": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-tfs-session": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-vss-e2eid": "e276a061-9f71-4487-87cb-968c76c37d16",
  "x-vss-senderdeploymentid": "0bea2708-580e-d31c-f6de-bbc2333e4650",
  "x-frame-options": "SAMEORIGIN"
}
###### End Diagnostic HTTP information ######
Error: Create Artifact Container failed: The artifact name zapreports is not valid. Request URL https://pipelinesghubeus15.actions.githubusercontent.com/CFIVKztmAaHK7YdaWG7BNLEwiD6N8FVmZo3KvESrAuDJzHlKNp/_apis/pipelines/workflows/15582048453/artifacts?api-version=6.0-preview

Environment:

Runner: ubuntu-latest
Repository: [Your GitHub Repository URL, e.g., https://github.com/Niksinikhilesh045/automated-security-scanning-devsecops]
Workflow Run ID: 15581218256

Niksinikhilesh045 avatar Jun 11 '25 10:06 Niksinikhilesh045

Use latest version which uses the "new" GitHub APIs to upload the artifacts.

thc202 avatar Jun 11 '25 11:06 thc202

Can you mention the latest version here?

On Wed, Jun 11, 2025, 16:59 thc202 wrote:

> Use latest version which uses the "new" GitHub APIs to upload the artifacts.

Niksinikhilesh045 avatar Jun 11 '25 11:06 Niksinikhilesh045

See https://github.com/zaproxy/action-baseline/releases

thc202 avatar Jun 11 '25 11:06 thc202

I'm facing the same issue with the latest version v0.14.0

Scanning process completed, starting to analyze the results!
[@octokit/request] "GET https://api.github.com/search/issues?q=is%3Aissue+state%3Aopen+repo%3Aproject-apps%2Fmyrepo-demo+ZAP+Scan+Baseline+Report&sort=updated" is deprecated. It is scheduled to be removed on Tue, 04 Nov 2025 00:00:00 GMT. 
See https://github.blog/changelog/2025-03-06-github-issues-projects-api-support-for-issues-advanced-search-and-more/
Alerts present in the current report: true

samsul-dot avatar Sep 24 '25 09:09 samsul-dot

That's not the same issue.

thc202 avatar Sep 24 '25 09:09 thc202

> That's not the same issue.

I think it's actually the same; the log said the same: the action hits the deprecated GitHub API that is scheduled to be removed on Tue, 04 Nov 2025. You can read the first 2 lines of the OP's log.

samsul-dot avatar Sep 25 '25 02:09 samsul-dot

This issue is about:

> Persistent "Artifact name is not valid" (400 Bad Request) from GitHub API despite valid name & token

Not the deprecation warning. The warning will be addressed with the common action update, there's nothing to do here.

thc202 avatar Sep 25 '25 06:09 thc202
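
The distinction drawn in the last comment (deprecation warning versus artifact upload failure) can be checked mechanically on a job log. The following is an added example, not part of the thread or of the action's code; the function names are hypothetical and the two sample logs are constructed, abridged from the logs quoted above.

```python
import re

# Constructed samples, abridged from the two logs quoted in this thread.
OP_LOG = """\
[@octokit/request] "GET https://api.github.com/search/issues?q=..." is deprecated. It is scheduled to be removed on Thu, 04 Sep 2025 00:00:00 GMT.
Process completed successfully and a new issue #20 has been created for the ZAP Scan.
Starting artifact upload
Artifact name is valid!
Create Artifact Container - Error is not retryable
Status Code: 400
Error: Create Artifact Container failed: The artifact name zapreports is not valid.
"""
SECOND_LOG = """\
[@octokit/request] "GET https://api.github.com/search/issues?q=..." is deprecated. It is scheduled to be removed on Tue, 04 Nov 2025 00:00:00 GMT.
Alerts present in the current report: true
"""

DEPRECATED = re.compile(
    r'^\[@octokit/request\] "[A-Z]+ \S+" is deprecated\. '
    r'It is scheduled to be removed on (.+? GMT)')
ARTIFACT_ERR = re.compile(
    r'^Error: Create Artifact Container failed: The artifact name (\S+) is not valid')
STATUS = re.compile(r'^Status Code: (\d{3})')

def triage(log):
    """Collect warnings and hard failures from an Actions job log."""
    found = {"deprecations": [], "artifact_errors": [],
             "http_status": set(), "local_check_passed": False}
    for line in log.splitlines():
        if m := DEPRECATED.match(line):
            found["deprecations"].append(m.group(1))      # removal date only
        elif m := ARTIFACT_ERR.match(line):
            found["artifact_errors"].append(m.group(1))   # rejected name
        elif m := STATUS.match(line):
            found["http_status"].add(int(m.group(1)))
        elif line.strip() == "Artifact name is valid!":
            # Client-side validation passed; the server can still reject.
            found["local_check_passed"] = True
    return found

def verdict(log):
    """A deprecation warning alone is not an upload failure."""
    found = triage(log)
    if found["artifact_errors"]:
        return "artifact-upload-failure"
    return "deprecation-warning-only" if found["deprecations"] else "clean"
```
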