From be4960a255a84ab736a9af1cf7052e012f5a6a7a Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Wed, 25 Mar 2026 12:31:10 -0600
Subject: [PATCH] test(acceptance): remove run-download-traversal test

GitHub's Artifact API now rejects artifact names like '..' server-side with a 400 Bad Request, making it impossible to create artifacts with path traversal names. This means the scenario this test was verifying (that gh run download catches traversal names) can no longer be reproduced through normal artifact creation. The client-side traversal check in gh run download remains in place as a defense-in-depth measure.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.../workflow/run-download-traversal.txtar | 71 -------------------
1 file changed, 71 deletions(-)
delete mode 100644 acceptance/testdata/workflow/run-download-traversal.txtar

diff --git a/acceptance/testdata/workflow/run-download-traversal.txtar b/acceptance/testdata/workflow/run-download-traversal.txtar
deleted file mode 100644
index a8a644752..000000000
--- a/acceptance/testdata/workflow/run-download-traversal.txtar
+++ /dev/null
@@ -1,71 +0,0 @@
-# Set up env
-env REPO=${SCRIPT_NAME}-${RANDOM_STRING}
-
-# Use gh as a credential helper
-exec gh auth setup-git
-
-# Create a repository with a file so it has a default branch
-exec gh repo create ${ORG}/${REPO} --add-readme --private
-
-# Defer repo cleanup
-defer gh repo delete --yes ${ORG}/${REPO}
-
-# Clone the repo
-exec gh repo clone ${ORG}/${REPO}
-
-# commit the workflow file
-cd ${REPO}
-mkdir .github/workflows
-mv ../workflow.yml .github/workflows/workflow.yml
-exec git add .github/workflows/workflow.yml
-exec git commit -m 'Create workflow file'
-exec git push -u origin main
-
-# Sleep because it takes a second for the workflow to register
-sleep 1
-
-# Check the workflow is indeed created
-exec gh workflow list
-stdout 'Test Workflow Name'
-
-# Run the workflow
-exec gh workflow run 'Test Workflow Name'
-
-# It takes some time for a workflow run to register
-sleep 10
-
-# Get the run ID we want to watch
-exec gh run list --json databaseId --jq '.[0].databaseId'
-stdout2env RUN_ID
-
-# Wait for workflow to complete
-exec gh run watch ${RUN_ID} --exit-status
-
-# Download the artifact and see there is an error
-! exec gh run download ${RUN_ID}
-stderr 'would result in path traversal'
-
--- workflow.yml --
-# This is a basic workflow to help you get started with Actions
-
-name: Test Workflow Name
-
-# Controls when the workflow will run
-on:
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- # This workflow contains a single job called "build"
- build:
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
- - run: echo hello > world.txt
- - uses: actions/upload-artifact@v4
- with:
- name: ..
- path: world.txt