Any public repository is accessible by default and visitors don't need to log in.
If you'll be publishing a link to your own repository's artifacts, please install the GitHub App anyway, so that downloads for your repositories don't share the global API rate limit. The throttling will likely become very bad over time.
GitHub has no direct way to directly link to the latest build from GitHub actions of a given repository.
Even if you do have a link to an artifact, using it requires the visitor to be logged into the GitHub website.
The discussion originates at actions/upload-artifact "Artifact download URL only work for registered users".
So, this service is a solution to this omission.
Because GitHub doesn't provide any permanent and public links to an artifact, this service redirects to time-limited links that GitHub can give to the application -- only on behalf of an authenticated user that has access to the repository. So, whenever someone downloads an artifact from a repository that you had added, this service uses a token that is associated with your installation of the GitHub App.
This GitHub App requests these permissions:
- Actions: Workflows, workflow runs and artifacts.
- Access: Read-only
- Metadata [mandatory]: Search repositories, list collaborators, and access repository metadata.
- Access: Read-only
Interestingly, the prompt that GitHub presents to you when authenticating to the service says something quite a bit scarier:
nightly.link by Oleh Prypin would like permission to:
- Verify your GitHub identity ($username)
- Know which resources you can access
- Act on your behalf
In reality, this blurb is completely generic and will be shown for any GitHub App authorization regardless of its permissions. This is discussed here.
Furthermore, the permissions that the app asks for are granted even if it's just "installed", without being "authorized".
Verifying your identity is needed so that only you can view links to private repositories and your organizations. Other things, well, the service is not even asking for.
An exhaustive list of what this service stores:
- Full repository names that you gave access to.
- Client-side: nothing.
The server of the main instance also keeps access logs and application logs for up to 3 months.
This page will be updated if this changes.
No paid features are currently planned.
This service is developed and run by Oleh Prypin.
It has no affiliation with my employer. No affiliation with GitHub either.
Open an issue at https://github.com/oprypin/nightly.link/issues
The source code is available in a Git repository at https://github.com/oprypin/nightly.link
Copyright (C) 2020 Oleh Prypin
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.
- 5 days ago
- November 24, 2020
GNU Affero General Public License v3.0
Mon, 19 Apr 2021 11:31:52 GMT