Add optional s3-acl input for canned ACLs on uploads

Lets the workflow set, e.g., public-read on the uploaded object so the
HTTPS URL is actually downloadable without further configuration. Empty
default means no ACL is sent — required for modern AWS buckets with
Object Ownership = "Bucket owner enforced" that reject any ACL.

Validates the value against the AWS canned-ACL list at config time so
typos fail before the upload runs. Wires the input through action.yml,
config, and the orchestrator; adds a unit test that the ACL is forwarded
to PutObjectInput when set and omitted when empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Leon Mika 2026-05-02 13:59:49 +10:00
parent 78f63e640f
commit 03da0c3e85
6 changed files with 53 additions and 3 deletions


@ -28,6 +28,7 @@ type Config struct {
S3Key string
S3EndpointURL string
S3Region string
S3ACL string
}
// Load reads the action's INPUT_* environment variables.
@ -51,6 +52,7 @@ func Load(get func(string) string) *Config {
S3Key: get("INPUT_S3_KEY"),
S3EndpointURL: get("INPUT_S3_ENDPOINT_URL"),
S3Region: getOr(get, "INPUT_S3_REGION", "us-east-1"),
S3ACL: get("INPUT_S3_ACL"),
}
return c
}
@ -115,6 +117,14 @@ func (c *Config) Validate() error {
if c.S3Bucket != "" && c.S3Key == "" {
return fmt.Errorf("s3-bucket is set but s3-key is empty")
}
if c.S3ACL != "" {
switch c.S3ACL {
case "private", "public-read", "public-read-write", "authenticated-read",
"aws-exec-read", "bucket-owner-read", "bucket-owner-full-control":
default:
return fmt.Errorf("s3-acl must be one of private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, bucket-owner-full-control (got %q)", c.S3ACL)
}
}
return nil
}
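Review bot: The new switch in Validate accepts `public-read`, `public-read-write` and `authenticated-read` on the same footing as `private`, and nothing at the point of validation says what those values expose; `authenticated-read` grants read to the AuthenticatedUsers group, which covers any AWS account rather than only principals in the bucket owner's account. I would add a comment above the case list such as `// public-read, public-read-write and authenticated-read grant access outside the owner's account; authenticated-read covers any AWS account.` and carry the same wording into the input's description in action.yml, which is not visible here. Separately, the allowed values are written out twice, once in the `case` and once in the error string, so the two can drift apart; a single package-level list used for both the check and the message would avoid that. Validate begins above this hunk, so it cannot be seen from here whether s3-acl set with an empty s3-bucket is rejected or silently ignored.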