Artifact uploaded without retention limit
=========================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``world_writable_artifact``
   * - Category
     - security
   * - Severity
     - medium

Job uploads artifacts without an explicit ``retention-days`` setting. GitHub Actions artifacts are publicly readable for 90 days by default; limiting the retention window reduces the exposure of potentially sensitive build outputs.

Detection
---------

``static_analysis`` — Checks field presence or value in the workflow YAML.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/upload-artifact@v4
           with:
             name: release-binary
             path: dist/app

**Compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/upload-artifact@v4
           with:
             name: release-binary
             path: dist/app
             retention-days: 3

**Fix**: Set ``retention-days`` on every ``actions/upload-artifact`` step to limit the window during which build outputs are publicly accessible. Use the shortest duration sufficient for downstream consumption.
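The static check described above, written here as an added example rather than the rule engine's own code: it walks a parsed workflow and reports every ``actions/upload-artifact`` step whose ``with`` block lacks ``retention-days``. The optional ``max_days`` policy threshold and the ``check_workflow_text`` helper (which assumes PyYAML is installed) go beyond the page's rule and are assumptions; the two sample workflows are constructed inline to mirror the examples above.

```python
"""Minimal static check for upload-artifact steps without retention-days."""
from __future__ import annotations

RULE_ID = "world_writable_artifact"
ACTION = "actions/upload-artifact@"  # matches any version tag of the action


def check_workflow(workflow: dict, max_days: int | None = None) -> list[dict]:
    """Return one finding per non-compliant upload-artifact step.

    max_days is an extension beyond the page's rule (assumption): when set,
    an explicit integer retention-days larger than it is also reported.
    """
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for index, step in enumerate((job or {}).get("steps") or []):
            uses = step.get("uses") if isinstance(step, dict) else None
            if not isinstance(uses, str) or not uses.startswith(ACTION):
                continue  # not an artifact upload step
            days = (step.get("with") or {}).get("retention-days")
            where = {"rule": RULE_ID, "job": job_name, "step": index}
            if days is None:  # field absent: GitHub's 90-day default applies
                findings.append({**where, "message":
                                 "retention-days not set; default of 90 days applies"})
            elif max_days is not None and isinstance(days, int) and days > max_days:
                findings.append({**where, "message":
                                 f"retention-days {days} exceeds policy maximum {max_days}"})
    return findings


def check_workflow_text(text: str, max_days: int | None = None) -> list[dict]:
    """Same check on raw workflow YAML; requires PyYAML (assumed, imported lazily)."""
    import yaml
    return check_workflow(yaml.safe_load(text) or {}, max_days)


# Constructed samples mirroring the page's examples (not from a real repository).
NON_COMPLIANT = {"jobs": {"build": {"steps": [
    {"uses": "actions/upload-artifact@v4",
     "with": {"name": "release-binary", "path": "dist/app"}}]}}}
COMPLIANT = {"jobs": {"build": {"steps": [
    {"uses": "actions/upload-artifact@v4",
     "with": {"name": "release-binary", "path": "dist/app", "retention-days": 3}}]}}}

if __name__ == "__main__":
    for label, doc in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(label, check_workflow(doc) or "OK")
```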