Limitations capturing Artifacts inside "project" directory

Description

I was attempting to using the artifact capability to capture some generates images from a build to only be presented with messages such as:

Uploading artifacts...
WARNING: processPath: artifact path is not a subpath of project directory: /builds/my-example/output/result.txt
ERROR: No files to upload
...

I was somewhat under the assumption that any artifacts under the $CI_BUILDS_DIR path could be captured, although looking at the documentation, it does state:

All paths to files and directories are relative to the repository where the job was created.

From what I can tell, this means only artifacts can be guaranteed to be captured from under the $GIT_CLONE_PATH path (which may or may not be matching to $CI_BUILDS_DIR).

I have simplified an example CI script I use to demonstration my issue:

image: alpine:latest

variables:
  # my repository holds an extension implementation that can be
  # tested using ci scripts -- place it in a subfolder of the
  # working context since we need it beside the example tool
  # that can run the extension
  EXTENSION_DIR: $CI_BUILDS_DIR/my-extension

  # define another folder which will hold the example tool we
  # will acquire before testing
  EXAMPLE_TOOL_DIR: $CI_BUILDS_DIR/my-example

  # indicate where to clone our extension source into
  GIT_CLONE_PATH: $CI_BUILDS_DIR/my-extension

default:
  before_script:
    # here we will clone the tool into the target directory
    #
    # emulate clone call:
    # git clone --depth 1 git.example.com/example.git $EXAMPLE_TOOL_DIR
    - mkdir -p $EXAMPLE_TOOL_DIR && touch $EXAMPLE_TOOL_DIR/utility

Build:
  script:
    # perform a build test by moving into the example tool's
    # directory to prepare the invoke of the tool
    - cd $EXAMPLE_TOOL_DIR

    # next, we will run this utility, which will generate
    # an output with some result content
    #
    # emulate utility run:
    # ./utility EXTENSION=$EXTENSION_DIR
    - mkdir -p output && touch output/result.txt

  artifacts:
    # we want to save the results as an artifact
    paths:
     - $EXAMPLE_TOOL_DIR/output/result.txt
    when: always

The problem with this setup is since the utility I am using generates outputs outside $GIT_CLONE_PATH, I cannot capture the results due to the path restrictions set by the runner. The only workaround I have in this scenario is to copy resources into (or in a sub-folder) under $GIT_CLONE_PATH after a build (or configure the utility to generate the output in a same sub-folder under the clone path). The workarounds are less than ideal.

While I assume there may be some desired use case to prevent capturing results outside the clone path, I feel that this may not always be the case for all users.

Proposal

Two proposals off hand would be to:

Remove the logic restricting relative/absolute paths for captured artifacts; or,
Provide an option that allows users to override any restrictions. For example, a proposed strict-paths option:

  artifacts:
    paths:
     - ...
    strict-paths: false
    when: always

Links to related issues and merge requests / references

#29281 (closed)
#29582 (closed)
Demonstration: https://gitlab.com/jdknight/ci-artifact-check

Edited Feb 15, 2024 by James Knight