Bump nock from 10.0.6 to 14.0.16

Bumps [nock](https://github.com/nock/nock) from 10.0.6 to 14.0.16. - [Release notes](https://github.com/nock/nock/releases) - [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md) - [Commits](https://github.com/nock/nock/compare/v10.0.6...v14.0.16) --- updated-dependencies: - dependency-name: nock dependency-version: 14.0.16 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
chore: bump version to 6.5.0 in package.json and package-lock.json (#762 )
2026-06-30 11:30:24 +03:00 · 2026-06-29 17:33:22 +00:00 · 2026-06-23 12:03:17 -05:00 · 2026-06-22 14:14:01 -05:00
9 changed files with 1191 additions and 1025 deletions
@@ -1,6 +1,6 @@
 ---
 name: "@actions/cache"
-version: 5.0.5
+version: 5.1.0
 type: npm
 summary: Actions cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/cache
@@ -1,6 +1,6 @@
 ---
 name: semver
-version: 7.7.3
+version: 7.8.5
 type: npm
 summary: The semantic version parser used by npm.
 homepage:
@@ -1,6 +1,6 @@
 ---
 name: undici
-version: 6.24.1
+version: 6.27.0
 type: npm
 summary: An HTTP/1.1 client, written from scratch for Node.js
 homepage: https://undici.nodejs.org
@@ -0,0 +1,155 @@
+import * as cache from '@actions/cache';
+import * as core from '@actions/core';
+import fs from 'fs';
+
+import {run} from '../src/cache-save';
+import * as cacheUtils from '../src/cache-utils';
+import {State} from '../src/constants';
+
+describe('cache-save', () => {
+  const primaryKey = 'primary-key';
+
+  let primaryKeyValue: string;
+  let matchedKeyValue: string;
+
+  let getBooleanInputSpy: jest.SpyInstance;
+  let getStateSpy: jest.SpyInstance;
+  let infoSpy: jest.SpyInstance;
+  let warningSpy: jest.SpyInstance;
+  let debugSpy: jest.SpyInstance;
+  let setFailedSpy: jest.SpyInstance;
+  let saveCacheSpy: jest.SpyInstance;
+  let getCacheDirectoryPathSpy: jest.SpyInstance;
+  let existsSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    primaryKeyValue = primaryKey;
+    matchedKeyValue = 'matched-key';
+
+    getBooleanInputSpy = jest.spyOn(core, 'getBooleanInput');
+    getBooleanInputSpy.mockReturnValue(true);
+
+    getStateSpy = jest.spyOn(core, 'getState');
+    getStateSpy.mockImplementation((key: string) => {
+      if (key === State.CachePrimaryKey) {
+        return primaryKeyValue;
+      }
+      if (key === State.CacheMatchedKey) {
+        return matchedKeyValue;
+      }
+      return '';
+    });
+
+    infoSpy = jest.spyOn(core, 'info');
+    infoSpy.mockImplementation(() => undefined);
+
+    warningSpy = jest.spyOn(core, 'warning');
+    warningSpy.mockImplementation(() => undefined);
+
+    debugSpy = jest.spyOn(core, 'debug');
+    debugSpy.mockImplementation(() => undefined);
+
+    setFailedSpy = jest.spyOn(core, 'setFailed');
+    setFailedSpy.mockImplementation(() => undefined);
+
+    saveCacheSpy = jest.spyOn(cache, 'saveCache');
+    saveCacheSpy.mockImplementation(() => Promise.resolve(0));
+
+    getCacheDirectoryPathSpy = jest.spyOn(cacheUtils, 'getCacheDirectoryPath');
+    getCacheDirectoryPathSpy.mockImplementation(() =>
+      Promise.resolve(['cache_directory_path', 'cache_directory_path'])
+    );
+
+    existsSpy = jest.spyOn(fs, 'existsSync');
+    existsSpy.mockImplementation(() => true);
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it('does not save cache when the cache input is false', async () => {
+    getBooleanInputSpy.mockReturnValue(false);
+
+    await run();
+
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when there are no cache folders on the disk', async () => {
+    existsSpy.mockImplementation(() => false);
+
+    await run();
+
+    expect(warningSpy).toHaveBeenCalledWith(
+      'There are no cache folders on the disk'
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when the primary key was not generated', async () => {
+    primaryKeyValue = '';
+
+    await run();
+
+    expect(infoSpy).toHaveBeenCalledWith(
+      'Primary key was not generated. Please check the log messages above for more errors or information'
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when a cache hit occurred on the primary key', async () => {
+    matchedKeyValue = primaryKey;
+
+    await run();
+
+    expect(infoSpy).toHaveBeenCalledWith(
+      `Cache hit occurred on the primary key ${primaryKey}, not saving cache.`
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('saves cache when the primary key differs from the matched key', async () => {
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(infoSpy).toHaveBeenCalledWith(
+      `Cache saved with the key: ${primaryKey}`
+    );
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('save with -1 cacheId , should not fail workflow', async () => {
+    saveCacheSpy.mockImplementation(() => Promise.resolve(-1));
+
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(debugSpy).toHaveBeenCalledWith(
+      `Cache was not saved for the key: ${primaryKey}`
+    );
+    expect(infoSpy).not.toHaveBeenCalledWith(
+      `Cache saved with the key: ${primaryKey}`
+    );
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('saves with error from toolkit, should not fail workflow', async () => {
+    saveCacheSpy.mockImplementation(() =>
+      Promise.reject(new Error('Unable to reach the service'))
+    );
+
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(warningSpy).toHaveBeenCalledWith('Unable to reach the service');
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+});
@@ -49,7 +49,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
    });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.FinalizeCacheError = exports.ReserveCacheError = exports.ValidationError = void 0;
+exports.FinalizeCacheError = exports.CacheWriteDeniedError = exports.CACHE_WRITE_DENIED_PREFIX = exports.ReserveCacheError = exports.ValidationError = void 0;
 exports.isFeatureAvailable = isFeatureAvailable;
 exports.restoreCache = restoreCache;
 exports.saveCache = saveCache;
@@ -77,6 +77,26 @@ class ReserveCacheError extends Error {
    }
 }
 exports.ReserveCacheError = ReserveCacheError;
+/**
+ * Stable prefix used by the cache receiver to signal that the token has
+ * no writable scopes (read-only cache policy). Consumers can match on
+ * this prefix to distinguish policy denials from ordinary contention.
+ */
+exports.CACHE_WRITE_DENIED_PREFIX = 'cache write denied:';
+/**
+ * Extends ReserveCacheError for source-compatibility: existing
+ * `instanceof ReserveCacheError` checks and `typedError.name ===
+ * ReserveCacheError.name` paths keep working, while consumers that want to
+ * distinguish a policy denial can check for CacheWriteDeniedError.name.
+ */
+class CacheWriteDeniedError extends ReserveCacheError {
+    constructor(message) {
+        super(message);
+        this.name = 'CacheWriteDeniedError';
+        Object.setPrototypeOf(this, CacheWriteDeniedError.prototype);
+    }
+}
+exports.CacheWriteDeniedError = CacheWriteDeniedError;
 class FinalizeCacheError extends Error {
    constructor(message) {
        super(message);
@@ -387,7 +407,11 @@ function saveCacheV1(paths_1, key_1, options_1) {
                throw new Error((_d = (_c = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _c === void 0 ? void 0 : _c.message) !== null && _d !== void 0 ? _d : `Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the data cap limit, not saving cache.`);
            }
            else {
-                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${(_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message}`);
+                const detailMessage = (_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message;
+                if (detailMessage === null || detailMessage === void 0 ? void 0 : detailMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${detailMessage}`);
+                }
+                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${detailMessage}`);
            }
            core.debug(`Saving Cache (ID: ${cacheId})`);
            yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
@@ -397,6 +421,9 @@ function saveCacheV1(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -435,6 +462,7 @@ function saveCacheV1(paths_1, key_1, options_1) {
 */
 function saveCacheV2(paths_1, key_1, options_1) {
    return __awaiter(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
+        var _a;
        // Override UploadOptions to force the use of Azure
        // ...options goes first because we want to override the default values
        // set in UploadOptions with these specific figures
@@ -470,7 +498,11 @@ function saveCacheV2(paths_1, key_1, options_1) {
            try {
                const response = yield twirpClient.CreateCacheEntry(request);
                if (!response.ok) {
-                    if (response.message) {
+                    // Skip the redundant inner warning when the receiver signalled a
+                    // policy denial: the outer catch arm below will log a single
+                    // customer-facing warning.
+                    if (response.message &&
+                        !response.message.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
                        core.warning(`Cache reservation failed: ${response.message}`);
                    }
                    throw new Error(response.message || 'Response was not ok');
@@ -479,6 +511,10 @@ function saveCacheV2(paths_1, key_1, options_1) {
            }
            catch (error) {
                core.debug(`Failed to reserve cache: ${error}`);
+                const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : '';
+                if (errorMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${errorMessage}`);
+                }
                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
            }
            core.debug(`Attempting to upload cache located at: ${archivePath}`);
@@ -503,6 +539,9 @@ function saveCacheV2(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -22910,8 +22949,6 @@ function defaultFactory (origin, opts) {

 class Agent extends DispatcherBase {
  constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) {
-    super()
-
    if (typeof factory !== 'function') {
      throw new InvalidArgumentError('factory must be a function.')
    }
@@ -22924,6 +22961,8 @@ class Agent extends DispatcherBase {
      throw new InvalidArgumentError('maxRedirections must be a positive number')
    }

+    super(options)
+
    if (connect && typeof connect !== 'function') {
      connect = { ...connect }
    }
@@ -23297,6 +23336,9 @@ const EMPTY_BUF = Buffer.alloc(0)
 const FastBuffer = Buffer[Symbol.species]
 const addListener = util.addListener
 const removeAllListeners = util.removeAllListeners
+const kIdleSocketValidation = Symbol('kIdleSocketValidation')
+const kIdleSocketValidationTimeout = Symbol('kIdleSocketValidationTimeout')
+const kSocketUsed = Symbol('kSocketUsed')

 let extractBody

@@ -23519,29 +23561,71 @@ class Parser {

      const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr

-      if (ret === constants.ERROR.PAUSED_UPGRADE) {
-        this.onUpgrade(data.slice(offset))
-      } else if (ret === constants.ERROR.PAUSED) {
-        this.paused = true
-        socket.unshift(data.slice(offset))
-      } else if (ret !== constants.ERROR.OK) {
-        const ptr = llhttp.llhttp_get_error_reason(this.ptr)
-        let message = ''
-        /* istanbul ignore else: difficult to make a test case for */
-        if (ptr) {
-          const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0)
-          message =
-            'Response does not match the HTTP/1.1 protocol (' +
-            Buffer.from(llhttp.memory.buffer, ptr, len).toString() +
-            ')'
+      if (ret !== constants.ERROR.OK) {
+        const body = data.subarray(offset)
+
+        if (ret === constants.ERROR.PAUSED_UPGRADE) {
+          this.onUpgrade(body)
+        } else if (ret === constants.ERROR.PAUSED) {
+          this.paused = true
+          socket.unshift(body)
+        } else {
+          throw this.createError(ret, body)
        }
-        throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset))
      }
    } catch (err) {
      util.destroy(socket, err)
    }
  }

+  finish () {
+    assert(currentParser === null)
+    assert(this.ptr != null)
+    assert(!this.paused)
+
+    const { llhttp } = this
+
+    let ret
+
+    try {
+      currentParser = this
+      ret = llhttp.llhttp_finish(this.ptr)
+    } finally {
+      currentParser = null
+    }
+
+    if (ret === constants.ERROR.OK) {
+      return null
+    }
+
+    if (ret === constants.ERROR.PAUSED || ret === constants.ERROR.PAUSED_UPGRADE) {
+      this.paused = true
+      return null
+    }
+
+    return this.createError(ret, EMPTY_BUF)
+  }
+
+  createError (ret, data) {
+    const { llhttp, contentLength, bytesRead } = this
+
+    if (contentLength && bytesRead !== parseInt(contentLength, 10)) {
+      return new ResponseContentLengthMismatchError()
+    }
+
+    const ptr = llhttp.llhttp_get_error_reason(this.ptr)
+    let message = ''
+    if (ptr) {
+      const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0)
+      message =
+        'Response does not match the HTTP/1.1 protocol (' +
+        Buffer.from(llhttp.memory.buffer, ptr, len).toString() +
+        ')'
+    }
+
+    return new HTTPParserError(message, constants.ERROR[ret], data)
+  }
+
  destroy () {
    assert(this.ptr != null)
    assert(currentParser == null)
@@ -23569,6 +23653,11 @@ class Parser {
      return -1
    }

+    if (client[kRunning] === 0) {
+      util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+      return -1
+    }
+
    const request = client[kQueue][client[kRunningIdx]]
    if (!request) {
      return -1
@@ -23672,6 +23761,11 @@ class Parser {
      return -1
    }

+    if (client[kRunning] === 0) {
+      util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+      return -1
+    }
+
    const request = client[kQueue][client[kRunningIdx]]

    /* istanbul ignore next: difficult to make a test case for */
@@ -23845,6 +23939,7 @@ class Parser {
    request.onComplete(headers)

    client[kQueue][client[kRunningIdx]++] = null
+    socket[kSocketUsed] = true

    if (socket[kWriting]) {
      assert(client[kRunning] === 0)
@@ -23903,6 +23998,9 @@ async function connectH1 (client, socket) {
  socket[kWriting] = false
  socket[kReset] = false
  socket[kBlocking] = false
+  socket[kIdleSocketValidation] = 0
+  socket[kIdleSocketValidationTimeout] = null
+  socket[kSocketUsed] = false
  socket[kParser] = new Parser(client, socket, llhttpInstance)

  addListener(socket, 'error', function (err) {
@@ -23913,8 +24011,11 @@ async function connectH1 (client, socket) {
    // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded
    // to the user.
    if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) {
-      // We treat all incoming data so for as a valid response.
-      parser.onMessageComplete()
+      const parserErr = parser.finish()
+      if (parserErr) {
+        this[kError] = parserErr
+        this[kClient][kOnError](parserErr)
+      }
      return
    }

@@ -23933,8 +24034,10 @@ async function connectH1 (client, socket) {
    const parser = this[kParser]

    if (parser.statusCode && !parser.shouldKeepAlive) {
-      // We treat all incoming data so far as a valid response.
-      parser.onMessageComplete()
+      const parserErr = parser.finish()
+      if (parserErr) {
+        util.destroy(this, parserErr)
+      }
      return
    }

@@ -23944,10 +24047,11 @@ async function connectH1 (client, socket) {
    const client = this[kClient]
    const parser = this[kParser]

+    clearIdleSocketValidation(this)
+
    if (parser) {
      if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) {
-        // We treat all incoming data so far as a valid response.
-        parser.onMessageComplete()
+        this[kError] = parser.finish() || this[kError]
      }

      this[kParser].destroy()
@@ -24010,7 +24114,7 @@ async function connectH1 (client, socket) {
      return socket.destroyed
    },
    busy (request) {
-      if (socket[kWriting] || socket[kReset] || socket[kBlocking]) {
+      if (socket[kWriting] || socket[kReset] || socket[kBlocking] || socket[kIdleSocketValidation] === 1) {
        return true
      }

@@ -24048,6 +24152,31 @@ async function connectH1 (client, socket) {
  }
 }

+function clearIdleSocketValidation (socket) {
+  if (socket[kIdleSocketValidationTimeout]) {
+    clearTimeout(socket[kIdleSocketValidationTimeout])
+    socket[kIdleSocketValidationTimeout] = null
+  }
+
+  socket[kIdleSocketValidation] = 0
+}
+
+function scheduleIdleSocketValidation (client, socket) {
+  socket[kIdleSocketValidation] = 1
+  socket[kIdleSocketValidationTimeout] = setTimeout(() => {
+    socket[kIdleSocketValidationTimeout] = null
+    socket[kIdleSocketValidation] = 2
+
+    if (client[kSocket] === socket && !socket.destroyed) {
+      client[kResume]()
+    }
+  }, 0)
+  socket[kIdleSocketValidationTimeout].unref?.()
+}
+
+/**
+ * @param {import('./client.js')} client
+ */
 function resumeH1 (client) {
  const socket = client[kSocket]

@@ -24062,6 +24191,32 @@ function resumeH1 (client) {
      socket[kNoRef] = false
    }

+    if (client[kRunning] === 0 && client[kPending] > 0 && socket[kSocketUsed]) {
+      if (socket[kIdleSocketValidation] === 0) {
+        scheduleIdleSocketValidation(client, socket)
+        socket[kParser].readMore()
+        if (socket.destroyed) {
+          return
+        }
+        return
+      }
+
+      if (socket[kIdleSocketValidation] === 1) {
+        socket[kParser].readMore()
+        if (socket.destroyed) {
+          return
+        }
+        return
+      }
+    }
+
+    if (client[kRunning] === 0) {
+      socket[kParser].readMore()
+      if (socket.destroyed) {
+        return
+      }
+    }
+
    if (client[kSize] === 0) {
      if (socket[kParser].timeoutType !== TIMEOUT_KEEP_ALIVE) {
        socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_KEEP_ALIVE)
@@ -24155,6 +24310,7 @@ function writeH1 (client, request) {
  }

  const socket = client[kSocket]
+  clearIdleSocketValidation(socket)

  const abort = (err) => {
    if (request.aborted || request.completed) {
@@ -25476,9 +25632,10 @@ class Client extends DispatcherBase {
    autoSelectFamilyAttemptTimeout,
    // h2
    maxConcurrentStreams,
-    allowH2
+    allowH2,
+    webSocket
  } = {}) {
-    super()
+    super({ webSocket })

    if (keepAlive !== undefined) {
      throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead')
@@ -26011,15 +26168,24 @@ const { kDestroy, kClose, kClosed, kDestroyed, kDispatch, kInterceptors } = __nc
 const kOnDestroyed = Symbol('onDestroyed')
 const kOnClosed = Symbol('onClosed')
 const kInterceptedDispatch = Symbol('Intercepted Dispatch')
+const kWebSocketOptions = Symbol('webSocketOptions')

 class DispatcherBase extends Dispatcher {
-  constructor () {
+  constructor (opts) {
    super()

    this[kDestroyed] = false
    this[kOnDestroyed] = null
    this[kClosed] = false
    this[kOnClosed] = []
+    this[kWebSocketOptions] = opts?.webSocket ?? {}
+  }
+
+  get webSocketOptions () {
+    return {
+      maxFragments: this[kWebSocketOptions].maxFragments ?? 131072,
+      maxPayloadSize: this[kWebSocketOptions].maxPayloadSize ?? 128 * 1024 * 1024
+    }
  }

  get destroyed () {
@@ -26583,8 +26749,8 @@ const kRemoveClient = Symbol('remove client')
 const kStats = Symbol('stats')

 class PoolBase extends DispatcherBase {
-  constructor () {
-    super()
+  constructor (opts) {
+    super(opts)

    this[kQueue] = new FixedQueue()
    this[kClients] = []
@@ -26844,8 +27010,6 @@ class Pool extends PoolBase {
    allowH2,
    ...options
  } = {}) {
-    super()
-
    if (connections != null && (!Number.isFinite(connections) || connections < 0)) {
      throw new InvalidArgumentError('invalid connections')
    }
@@ -26870,6 +27034,8 @@ class Pool extends PoolBase {
      })
    }

+    super(options)
+
    this[kInterceptors] = options.interceptors?.Pool && Array.isArray(options.interceptors.Pool)
      ? options.interceptors.Pool
      : []
@@ -31954,32 +32120,25 @@ function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {})
    // If the attribute-name case-insensitively matches the string
    // "SameSite", the user agent MUST process the cookie-av as follows:

-    // 1. Let enforcement be "Default".
-    let enforcement = 'Default'
-
    const attributeValueLowercase = attributeValue.toLowerCase()
-    // 2. If cookie-av's attribute-value is a case-insensitive match for
-    //    "None", set enforcement to "None".
-    if (attributeValueLowercase.includes('none')) {
-      enforcement = 'None'
-    }

-    // 3. If cookie-av's attribute-value is a case-insensitive match for
-    //    "Strict", set enforcement to "Strict".
-    if (attributeValueLowercase.includes('strict')) {
-      enforcement = 'Strict'
+    // 1. If cookie-av's attribute-value is a case-insensitive match for
+    //    "None", append an attribute to the cookie-attribute-list with an
+    //    attribute-name of "SameSite" and an attribute-value of "None".
+    if (attributeValueLowercase === 'none') {
+      cookieAttributeList.sameSite = 'None'
+    } else if (attributeValueLowercase === 'strict') {
+      // 2. If cookie-av's attribute-value is a case-insensitive match for
+      //    "Strict", append an attribute to the cookie-attribute-list with
+      //    an attribute-name of "SameSite" and an attribute-value of
+      //    "Strict".
+      cookieAttributeList.sameSite = 'Strict'
+    } else if (attributeValueLowercase === 'lax') {
+      // 3. If cookie-av's attribute-value is a case-insensitive match for
+      //    "Lax", append an attribute to the cookie-attribute-list with an
+      //    attribute-name of "SameSite" and an attribute-value of "Lax".
+      cookieAttributeList.sameSite = 'Lax'
    }
-
-    // 4. If cookie-av's attribute-value is a case-insensitive match for
-    //    "Lax", set enforcement to "Lax".
-    if (attributeValueLowercase.includes('lax')) {
-      enforcement = 'Lax'
-    }
-
-    // 5. Append an attribute to the cookie-attribute-list with an
-    //    attribute-name of "SameSite" and an attribute-value of
-    //    enforcement.
-    cookieAttributeList.sameSite = enforcement
  } else {
    cookieAttributeList.unparsed ??= []

@@ -44685,40 +44844,35 @@ const tail = Buffer.from([0x00, 0x00, 0xff, 0xff])
 const kBuffer = Symbol('kBuffer')
 const kLength = Symbol('kLength')

-// Default maximum decompressed message size: 4 MB
-const kDefaultMaxDecompressedSize = 4 * 1024 * 1024
-
 class PerMessageDeflate {
  /** @type {import('node:zlib').InflateRaw} */
  #inflate

  #options = {}

-  /** @type {boolean} */
-  #aborted = false
-
-  /** @type {Function|null} */
-  #currentCallback = null
+  #maxPayloadSize = 0

  /**
   * @param {Map<string, string>} extensions
   */
-  constructor (extensions) {
+  constructor (extensions, options) {
    this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover')
    this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits')
+
+    this.#maxPayloadSize = options.maxPayloadSize
  }

+  /**
+   * Decompress a compressed payload.
+   * @param {Buffer} chunk Compressed data
+   * @param {boolean} fin Final fragment flag
+   * @param {Function} callback Callback function
+   */
  decompress (chunk, fin, callback) {
    // An endpoint uses the following algorithm to decompress a message.
    // 1.  Append 4 octets of 0x00 0x00 0xff 0xff to the tail end of the
    //     payload of the message.
    // 2.  Decompress the resulting data using DEFLATE.
-
-    if (this.#aborted) {
-      callback(new MessageSizeExceededError())
-      return
-    }
-
    if (!this.#inflate) {
      let windowBits = Z_DEFAULT_WINDOWBITS

@@ -44741,23 +44895,12 @@ class PerMessageDeflate {
      this.#inflate[kLength] = 0

      this.#inflate.on('data', (data) => {
-        if (this.#aborted) {
-          return
-        }
-
        this.#inflate[kLength] += data.length

-        if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) {
-          this.#aborted = true
+        if (this.#maxPayloadSize > 0 && this.#inflate[kLength] > this.#maxPayloadSize) {
+          callback(new MessageSizeExceededError())
          this.#inflate.removeAllListeners()
-          this.#inflate.destroy()
          this.#inflate = null
-
-          if (this.#currentCallback) {
-            const cb = this.#currentCallback
-            this.#currentCallback = null
-            cb(new MessageSizeExceededError())
-          }
          return
        }

@@ -44770,14 +44913,13 @@ class PerMessageDeflate {
      })
    }

-    this.#currentCallback = callback
    this.#inflate.write(chunk)
    if (fin) {
      this.#inflate.write(tail)
    }

    this.#inflate.flush(() => {
-      if (this.#aborted || !this.#inflate) {
+      if (!this.#inflate) {
        return
      }

@@ -44785,7 +44927,6 @@ class PerMessageDeflate {

      this.#inflate[kBuffer].length = 0
      this.#inflate[kLength] = 0
-      this.#currentCallback = null

      callback(null, full)
    })
@@ -44821,6 +44962,12 @@ const {
 const { WebsocketFrameSend } = __nccwpck_require__(3264)
 const { closeWebSocketConnection } = __nccwpck_require__(86897)
 const { PerMessageDeflate } = __nccwpck_require__(19469)
+const { MessageSizeExceededError } = __nccwpck_require__(68707)
+
+function failWebsocketConnectionWithCode (ws, code, reason) {
+  closeWebSocketConnection(ws, code, reason, Buffer.byteLength(reason))
+  failWebsocketConnection(ws, reason)
+}

 // This code was influenced by ws released under the MIT license.
 // Copyright (c) 2011 Einar Otto Stangvik <einaros@gmail.com>
@@ -44829,6 +44976,7 @@ const { PerMessageDeflate } = __nccwpck_require__(19469)

 class ByteParser extends Writable {
  #buffers = []
+  #fragmentsBytes = 0
  #byteOffset = 0
  #loop = false

@@ -44840,18 +44988,27 @@ class ByteParser extends Writable {
  /** @type {Map<string, PerMessageDeflate>} */
  #extensions

+  /** @type {number} */
+  #maxFragments
+
+  /** @type {number} */
+  #maxPayloadSize
+
  /**
   * @param {import('./websocket').WebSocket} ws
   * @param {Map<string, string>|null} extensions
+   * @param {{ maxFragments?: number, maxPayloadSize?: number }} [options]
   */
-  constructor (ws, extensions) {
+  constructor (ws, extensions, options = {}) {
    super()

    this.ws = ws
    this.#extensions = extensions == null ? new Map() : extensions
+    this.#maxFragments = options.maxFragments ?? 0
+    this.#maxPayloadSize = options.maxPayloadSize ?? 0

    if (this.#extensions.has('permessage-deflate')) {
-      this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions))
+      this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions, options))
    }
  }

@@ -44867,6 +45024,19 @@ class ByteParser extends Writable {
    this.run(callback)
  }

+  #validatePayloadLength () {
+    if (
+      this.#maxPayloadSize > 0 &&
+      !isControlFrame(this.#info.opcode) &&
+      this.#info.payloadLength + this.#fragmentsBytes > this.#maxPayloadSize
+    ) {
+      failWebsocketConnectionWithCode(this.ws, 1009, 'Payload size exceeds maximum allowed size')
+      return false
+    }
+
+    return true
+  }
+
  /**
   * Runs whenever a new chunk is received.
   * Callback is called whenever there are no more chunks buffering,
@@ -44955,6 +45125,10 @@ class ByteParser extends Writable {
        if (payloadLength <= 125) {
          this.#info.payloadLength = payloadLength
          this.#state = parserStates.READ_DATA
+
+          if (!this.#validatePayloadLength()) {
+            return
+          }
        } else if (payloadLength === 126) {
          this.#state = parserStates.PAYLOADLENGTH_16
        } else if (payloadLength === 127) {
@@ -44979,6 +45153,10 @@ class ByteParser extends Writable {

        this.#info.payloadLength = buffer.readUInt16BE(0)
        this.#state = parserStates.READ_DATA
+
+        if (!this.#validatePayloadLength()) {
+          return
+        }
      } else if (this.#state === parserStates.PAYLOADLENGTH_64) {
        if (this.#byteOffset < 8) {
          return callback()
@@ -45001,6 +45179,10 @@ class ByteParser extends Writable {

        this.#info.payloadLength = lower
        this.#state = parserStates.READ_DATA
+
+        if (!this.#validatePayloadLength()) {
+          return
+        }
      } else if (this.#state === parserStates.READ_DATA) {
        if (this.#byteOffset < this.#info.payloadLength) {
          return callback()
@@ -45013,42 +45195,58 @@ class ByteParser extends Writable {
          this.#state = parserStates.INFO
        } else {
          if (!this.#info.compressed) {
-            this.#fragments.push(body)
+            if (!this.writeFragments(body)) {
+              return
+            }
+
+            if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) {
+              failWebsocketConnectionWithCode(this.ws, 1009, new MessageSizeExceededError().message)
+              return
+            }

            // If the frame is not fragmented, a message has been received.
            // If the frame is fragmented, it will terminate with a fin bit set
            // and an opcode of 0 (continuation), therefore we handle that when
            // parsing continuation frames, not here.
            if (!this.#info.fragmented && this.#info.fin) {
-              const fullMessage = Buffer.concat(this.#fragments)
-              websocketMessageReceived(this.ws, this.#info.binaryType, fullMessage)
-              this.#fragments.length = 0
+              websocketMessageReceived(this.ws, this.#info.binaryType, this.consumeFragments())
            }

            this.#state = parserStates.INFO
          } else {
-            this.#extensions.get('permessage-deflate').decompress(body, this.#info.fin, (error, data) => {
-              if (error) {
-                failWebsocketConnection(this.ws, error.message)
-                return
-              }
+            this.#extensions.get('permessage-deflate').decompress(
+              body,
+              this.#info.fin,
+              (error, data) => {
+                if (error) {
+                  const code = error instanceof MessageSizeExceededError ? 1009 : 1007
+                  failWebsocketConnectionWithCode(this.ws, code, error.message)
+                  return
+                }

-              this.#fragments.push(data)
+                if (!this.writeFragments(data)) {
+                  return
+                }
+
+                if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) {
+                  failWebsocketConnectionWithCode(this.ws, 1009, new MessageSizeExceededError().message)
+                  return
+                }
+
+                if (!this.#info.fin) {
+                  this.#state = parserStates.INFO
+                  this.#loop = true
+                  this.run(callback)
+                  return
+                }
+
+                websocketMessageReceived(this.ws, this.#info.binaryType, this.consumeFragments())

-              if (!this.#info.fin) {
-                this.#state = parserStates.INFO
                this.#loop = true
+                this.#state = parserStates.INFO
                this.run(callback)
-                return
              }
-
-              websocketMessageReceived(this.ws, this.#info.binaryType, Buffer.concat(this.#fragments))
-
-              this.#loop = true
-              this.#state = parserStates.INFO
-              this.#fragments.length = 0
-              this.run(callback)
-            })
+            )

            this.#loop = false
            break
@@ -45100,6 +45298,35 @@ class ByteParser extends Writable {
    return buffer
  }

+  writeFragments (fragment) {
+    if (
+      this.#maxFragments > 0 &&
+      this.#fragments.length === this.#maxFragments
+    ) {
+      failWebsocketConnectionWithCode(this.ws, 1008, 'Too many message fragments')
+      return false
+    }
+
+    this.#fragmentsBytes += fragment.length
+    this.#fragments.push(fragment)
+    return true
+  }
+
+  consumeFragments () {
+    const fragments = this.#fragments
+
+    if (fragments.length === 1) {
+      this.#fragmentsBytes = 0
+      return fragments.shift()
+    }
+
+    const output = Buffer.concat(fragments, this.#fragmentsBytes)
+    this.#fragments = []
+    this.#fragmentsBytes = 0
+
+    return output
+  }
+
  parseCloseBody (data) {
    assert(data.length !== 1)

@@ -46135,7 +46362,14 @@ class WebSocket extends EventTarget {
    // once this happens, the connection is open
    this[kResponse] = response

-    const parser = new ByteParser(this, parsedExtensions)
+    const webSocketOptions = this[kController]?.dispatcher?.webSocketOptions
+    const maxFragments = webSocketOptions?.maxFragments
+    const maxPayloadSize = webSocketOptions?.maxPayloadSize
+
+    const parser = new ByteParser(this, parsedExtensions, {
+      maxFragments,
+      maxPayloadSize
+    })
    parser.on('drain', onParserDrain)
    parser.on('error', onParserError.bind(this))

@@ -46404,6 +46638,10 @@ const cachePackages = () => __awaiter(void 0, void 0, void 0, function* () {
    }
    const cacheId = yield cache.saveCache(cachePaths, primaryKey);
    if (cacheId === -1) {
+        // saveCache returns -1 without throwing when the cache was not saved, e.g.
+        // a reserve collision or a read-only token (fork PR). @actions/cache has
+        // already logged the reason at the appropriate severity, so just trace it.
+        core.debug(`Cache was not saved for the key: ${primaryKey}`);
        return;
    }
    core.info(`Cache saved with the key: ${primaryKey}`);
@@ -87992,7 +88230,7 @@ function randomUUID() {
 /***/ ((module) => {

 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.0.5","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.1.0","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');

 /***/ })

@@ -1,6 +1,6 @@
 {
  "name": "setup-go",
-  "version": "6.2.0",
+  "version": "6.5.0",
  "private": true,
  "description": "setup go action",
  "main": "lib/setup-go.js",
@@ -28,7 +28,7 @@
  "author": "GitHub",
  "license": "MIT",
  "dependencies": {
-    "@actions/cache": "^5.0.5",
+    "@actions/cache": "^5.1.0",
    "@actions/core": "^2.0.3",
    "@actions/exec": "^2.0.0",
    "@actions/glob": "^0.5.1",
@@ -50,7 +50,7 @@
    "eslint-plugin-node": "^11.1.0",
    "jest": "^29.7.0",
    "jest-circus": "^29.7.0",
-    "nock": "^10.0.6",
+    "nock": "^14.0.16",
    "prettier": "^2.8.4",
    "ts-jest": "^29.3.2",
    "typescript": "^5.8.3"
@@ -81,6 +81,10 @@ const cachePackages = async () => {

  const cacheId = await cache.saveCache(cachePaths, primaryKey);
  if (cacheId === -1) {
+    // saveCache returns -1 without throwing when the cache was not saved, e.g.
+    // a reserve collision or a read-only token (fork PR). @actions/cache has
+    // already logged the reason at the appropriate severity, so just trace it.
+    core.debug(`Cache was not saved for the key: ${primaryKey}`);
    return;
  }
  core.info(`Cache saved with the key: ${primaryKey}`);