upload-artifact keeps files 90 days by default (set retention-days)
Every actions/upload-artifact without a retention-days keeps its files for the repository default — up to 90 days. Build outputs, test logs, wheels, coverage reports: uploaded on every run, retained for a quarter of a year, billed as storage the whole time. Most artifacts are consumed within minutes by the next job or a release step, then sit for 89 more days doing nothing.
The default nobody chose
Public-repo storage is free until it isn't (private repos bill GitHub Actions storage directly, and Free-tier private repos have a hard cap). But even where the dollars are zero, the default is worth overriding: 90 days of every CI run's artifacts is how a repo ends up with gigabytes of identical zips nobody will ever download, and how a private repo hits its storage cap mid-release.
A real example
Pillow's wheel-building workflow uploads built distributions across a large macOS/Linux/Windows matrix — and at the time of writing, sets no retention-days anywhere in the file, so every wheel from every twice-weekly scheduled run keeps for the full default. Contrast sharp, which uploads comparable build artifacts with retention-days: 1 — consumed by the release job, gone tomorrow.
The one line
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7Size it to the artifact's real lifetime: 1 day for pass-between-jobs artifacts consumed in the same pipeline; 7 days covers "a human might want to download this after the weekend"; 30+ only for genuine release archives — and those usually belong on a Release, not in Actions storage.
Two adjacent knobs
- Repo-wide default: Settings → Actions → Artifact and log retention. Set it once (e.g. 14 days) and the per-step line becomes the exception, not the rule.
- Logs are separate: retention-days on the upload step governs the artifact; workflow logs follow the repo setting only.
Find every unguarded upload
GitSpider's scan flags workflows that upload artifacts without a retention policy, alongside the other quiet defaults (timeouts, concurrency) that cost you without failing anything.
These hide across however many workflow files you have, which is exactly why nobody sits down and fixes them. Point GitSpider at your repo and it flags which patterns apply, with the fix for each.
Scan your repo free