Sensitive information included in a GitHub Actions artifact is exposed to an attacker if the artifact is published.

Only store information that is meant to be publicly available in a GitHub Actions artifact.

The following example uses actions/checkout to check out code, which stores the GITHUB_TOKEN in the `.git/config` file, and then stores the contents of the `.git` directory in the artifact:

The issue has been fixed below, where actions/upload-artifact is used at a version (v4+) that does not include hidden files or directories in the artifact.
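The two cases described above, side by side, as an added example workflow that is not the original page's code. Workflow, job and artifact names and the `make dist` build step are assumptions. The `vulnerable` job uses the `include-hidden-files` input to opt back in to hidden files, and the `hardened` job goes slightly beyond the text by also setting `persist-credentials: false` and uploading only the build output.

```yaml
# Added example (constructed): workflow, job and artifact names are placeholders.
name: artifact-upload-example
on:
  pull_request:

permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # Default persist-credentials: true leaves the GITHUB_TOKEN in .git/config.
      - uses: actions/checkout@v4
      - name: Upload workspace
        uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .                      # whole workspace, .git included
          include-hidden-files: true   # hidden files such as .git/config are uploaded

  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left in .git/config
      - name: Build
        run: make dist                 # assumed build step that writes to dist/
      - name: Upload build output
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/                  # only the files meant to be published
          if-no-files-found: error     # fail instead of publishing an empty artifact
```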