From 03da0c3e8503ef84da5d56bb36cdf224842c7a60 Mon Sep 17 00:00:00 2001
From: Leon Mika <lmika@lmika.org>
Date: Sat, 2 May 2026 13:59:49 +1000
Subject: [PATCH] Add optional s3-acl input for canned ACLs on uploads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Lets the workflow set, e.g., public-read on the uploaded object so the
HTTPS URL is actually downloadable without further configuration. Empty
default means no ACL is sent — required for modern AWS buckets with
Object Ownership = "Bucket owner enforced" that reject any ACL.

Validates the value against the AWS canned-ACL list at config time so
typos fail before the upload runs. Wires the input through action.yml,
config, and the orchestrator; adds a unit test that the ACL is forwarded
to PutObjectInput when set and omitted when empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md                      |  1 +
 action.yml                     |  2 ++
 cmd/wails-release/main.go      |  2 +-
 internal/config/config.go      | 10 ++++++++++
 internal/upload/upload.go      | 13 +++++++++++--
 internal/upload/upload_test.go | 28 ++++++++++++++++++++++++++++
 6 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 453d50a..2efdd24 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ jobs:
 | `s3-key` | conditional | — | Object key. Required if `s3-bucket` is set. Supports `{version}` and `{filename}` placeholders. |
 | `s3-endpoint-url` | no | — | Custom endpoint for S3-compatible storage (MinIO, R2, etc.) |
 | `s3-region` | no | `us-east-1` | AWS region |
+| `s3-acl` | no | — | Canned ACL applied to the uploaded object (e.g. `public-read`). Empty = no ACL sent. Modern AWS buckets with Object Ownership = "Bucket owner enforced" reject any ACL — leave this unset for those. |
 
 AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, optionally `AWS_SESSION_TOKEN`) are read from the standard environment, **not** from action inputs.
 
diff --git a/action.yml b/action.yml
index 746fb6e..b966b6c 100644
--- a/action.yml
+++ b/action.yml
@@ -26,6 +26,7 @@ inputs:
   s3-key:           { description: "Object key. Supports {version} and {filename} placeholders.", required: false }
   s3-endpoint-url:  { description: "Custom endpoint for S3-compatible storage (MinIO, R2, etc.)", required: false }
   s3-region:        { description: "AWS region", required: false, default: "us-east-1" }
+  s3-acl:           { description: "Canned ACL applied to the uploaded object (e.g. public-read). Empty = no ACL sent.", required: false }
 
 outputs:
   version:           { description: "Resolved version string", value: "${{ steps.run.outputs.version }}" }
@@ -58,6 +59,7 @@ runs:
         INPUT_S3_KEY:                      ${{ inputs.s3-key }}
         INPUT_S3_ENDPOINT_URL:             ${{ inputs.s3-endpoint-url }}
         INPUT_S3_REGION:                   ${{ inputs.s3-region }}
+        INPUT_S3_ACL:                      ${{ inputs.s3-acl }}
       run: |
         set -euo pipefail
         go install "lmika.dev/${{ github.action_repository }}/cmd/wails-release@${{ github.action_ref }}"
diff --git a/cmd/wails-release/main.go b/cmd/wails-release/main.go
index 073cff3..425378d 100644
--- a/cmd/wails-release/main.go
+++ b/cmd/wails-release/main.go
@@ -169,7 +169,7 @@ func run(ctx context.Context) error {
 		}
 		key := upload.RenderKey(cfg.S3Key, resolvedVersion, artifactName)
 		s3URL, err = upload.Upload(ctx, client, upload.Opts{
-			Bucket: cfg.S3Bucket, Key: key, FilePath: zipPath,
+			Bucket: cfg.S3Bucket, Key: key, FilePath: zipPath, ACL: cfg.S3ACL,
 		})
 		if err != nil {
 			return err
diff --git a/internal/config/config.go b/internal/config/config.go
index b0f0dac..6f40f0e 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -28,6 +28,7 @@ type Config struct {
 	S3Key         string
 	S3EndpointURL string
 	S3Region      string
+	S3ACL         string
 }
 
 // Load reads the action's INPUT_* environment variables.
@@ -51,6 +52,7 @@ func Load(get func(string) string) *Config {
 		S3Key:                     get("INPUT_S3_KEY"),
 		S3EndpointURL:             get("INPUT_S3_ENDPOINT_URL"),
 		S3Region:                  getOr(get, "INPUT_S3_REGION", "us-east-1"),
+		S3ACL:                     get("INPUT_S3_ACL"),
 	}
 	return c
 }
@@ -115,6 +117,14 @@ func (c *Config) Validate() error {
 	if c.S3Bucket != "" && c.S3Key == "" {
 		return fmt.Errorf("s3-bucket is set but s3-key is empty")
 	}
+	if c.S3ACL != "" {
+		switch c.S3ACL {
+		case "private", "public-read", "public-read-write", "authenticated-read",
+			"aws-exec-read", "bucket-owner-read", "bucket-owner-full-control":
+		default:
+			return fmt.Errorf("s3-acl must be one of private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, bucket-owner-full-control (got %q)", c.S3ACL)
+		}
+	}
 	return nil
 }
 
diff --git a/internal/upload/upload.go b/internal/upload/upload.go
index a880f33..0bef957 100644
--- a/internal/upload/upload.go
+++ b/internal/upload/upload.go
@@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 )
 
 // PutObjectAPI is the subset of *s3.Client used here. Tests inject a fake.
@@ -21,6 +22,10 @@ type Opts struct {
 	Bucket   string
 	Key      string
 	FilePath string
+	// ACL, if set, is applied to the uploaded object as a canned ACL
+	// (e.g. "public-read"). Empty means no ACL is sent — required for
+	// buckets with Object Ownership = "Bucket owner enforced".
+	ACL string
 }
 
 // RenderKey substitutes {version} and {filename} placeholders.
@@ -37,11 +42,15 @@ func Upload(ctx context.Context, c PutObjectAPI, o Opts) (string, error) {
 	}
 	defer f.Close()
 
-	if _, err := c.PutObject(ctx, &s3.PutObjectInput{
+	in := &s3.PutObjectInput{
 		Bucket: aws.String(o.Bucket),
 		Key:    aws.String(o.Key),
 		Body:   f,
-	}); err != nil {
+	}
+	if o.ACL != "" {
+		in.ACL = types.ObjectCannedACL(o.ACL)
+	}
+	if _, err := c.PutObject(ctx, in); err != nil {
 		return "", fmt.Errorf("s3 put: %w", err)
 	}
 	return fmt.Sprintf("s3://%s/%s", o.Bucket, o.Key), nil
diff --git a/internal/upload/upload_test.go b/internal/upload/upload_test.go
index 4a25304..228bff8 100644
--- a/internal/upload/upload_test.go
+++ b/internal/upload/upload_test.go
@@ -104,6 +104,34 @@ func TestUpload_CallsPutObjectWithCorrectInputs(t *testing.T) {
 	}
 }
 
+func TestUpload_ForwardsACLWhenSet(t *testing.T) {
+	tmp := writeTempFile(t, "hello")
+	c := &fakePut{}
+
+	if _, err := upload.Upload(context.Background(), c, upload.Opts{
+		Bucket: "b", Key: "k", FilePath: tmp, ACL: "public-read",
+	}); err != nil {
+		t.Fatalf("unexpected: %v", err)
+	}
+	if string(c.calls[0].ACL) != "public-read" {
+		t.Fatalf("ACL got %q want public-read", c.calls[0].ACL)
+	}
+}
+
+func TestUpload_OmitsACLWhenEmpty(t *testing.T) {
+	tmp := writeTempFile(t, "hello")
+	c := &fakePut{}
+
+	if _, err := upload.Upload(context.Background(), c, upload.Opts{
+		Bucket: "b", Key: "k", FilePath: tmp,
+	}); err != nil {
+		t.Fatalf("unexpected: %v", err)
+	}
+	if c.calls[0].ACL != "" {
+		t.Fatalf("ACL got %q want empty (no ACL sent)", c.calls[0].ACL)
+	}
+}
+
 func TestUpload_FailsWhenFileMissing(t *testing.T) {
 	_, err := upload.Upload(context.Background(), &fakePut{}, upload.Opts{
 		Bucket:   "b",