Compare commits

..

11 Commits

Author SHA1 Message Date
gowridurgad 04be95cf35 Add cache-primary-key and cache-matched-key as outputs (#1577)
* Add cache-primary-key and cache-matched-key as outputs

* Refine cache output descriptions

---------

Co-authored-by: gowridurgad <gowridurgad@gmail.com>
2026-07-07 13:57:48 -05:00
Chiranjib Swain 7c2c68d20d docs: Update caching recommendations to mitigate cache poisoning risks (#1567)
* docs: Update caching recommendations to mitigate cache poisoning risks

* docs: Disable automatic npm caching to mitigate cache poisoning risks
2026-07-02 13:14:10 -05:00
Bassem Dghaidi 6a61c0375d Merge pull request #1569 from jasongin/update-actions-cache-5.1.0
Bump @actions/cache to 5.1.0, log cache write denied
2026-06-23 11:19:27 +02:00
Jason Ginchereau 30eb73b41d Resolve high-severity audit issues 2026-06-18 17:59:56 -07:00
Jason Ginchereau 4e1a87a501 Update dist 2026-06-18 15:55:36 -07:00
Jason Ginchereau 360237f0c0 Strict equality 2026-06-18 15:46:26 -07:00
Jason Ginchereau 4f8aac5beb Bump @actions/cache to 5.1.0, log cache write denied 2026-06-18 15:18:53 -07:00
Timo Sand f4a67bbeca Only use mirrorToken in getManifest if it's provided (#1548)
* Only use `mirrorToken` in `getManifest` if it's provided

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
2026-06-09 11:03:18 -05:00
gowridurgad 0355742c94 Remove dummy NODE_AUTH_TOKEN export (#1558)
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
2026-05-27 21:56:31 -05:00
priya-kinthali ad1b57eb81 docs: Update restore-only cache documentation (#1550)
* update restore-only cache example in advanced-usage.md

* fix copilot suggestion

* update naming
2026-05-26 17:51:36 -05:00
Chiranjib Swain 670825a89d Add documentation for publishing to npm with Trusted Publisher (OIDC) (#1536) 2026-04-22 21:58:57 -05:00
19 changed files with 761 additions and 639 deletions
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: fast-xml-builder name: fast-xml-builder
version: 1.2.1 version: 1.2.0
type: npm type: npm
summary: Build XML from JSON without C/C++ based libraries summary: Build XML from JSON without C/C++ based libraries
homepage: homepage:
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: fast-xml-parser name: fast-xml-parser
version: 5.9.3 version: 5.9.2
type: npm type: npm
summary: Validate XML, Parse XML, Build XML without C/C++ based libraries summary: Validate XML, Parse XML, Build XML without C/C++ based libraries
homepage: homepage:
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: path-expression-matcher name: path-expression-matcher
version: 1.6.2 version: 1.5.0
type: npm type: npm
summary: Efficient path tracking and pattern matching for XML/JSON parsers summary: Efficient path tracking and pattern matching for XML/JSON parsers
homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme
+4
View File
@@ -119,6 +119,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -217,6 +218,7 @@ jobs:
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: ${{ matrix.node }} node-version: ${{ matrix.node }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -232,6 +234,7 @@ uses: actions/setup-node@v6
with: with:
token: ${{ secrets.GH_DOTCOM_TOKEN }} token: ${{ secrets.GH_DOTCOM_TOKEN }}
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
``` ```
If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.
@@ -249,6 +252,7 @@ If the runner is not able to access github.com, any Nodejs versions requested du
- [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm) - [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm)
- [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn) - [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn)
- [Using private packages](docs/advanced-usage.md#use-private-packages) - [Using private packages](docs/advanced-usage.md#use-private-packages)
- [Publishing to npm with Trusted Publisher (OIDC)](docs/advanced-usage.md#publishing-to-npm-with-trusted-publisher-oidc)
- [Using private mirror](docs/advanced-usage.md#use-private-mirror) - [Using private mirror](docs/advanced-usage.md#use-private-mirror)
## Recommended permissions ## Recommended permissions
+21
View File
@@ -118,6 +118,27 @@ describe('authutil tests', () => {
expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar'); expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar');
}); });
it('should not export NODE_AUTH_TOKEN if not set in environment', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
delete process.env.NODE_AUTH_TOKEN;
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
const rc = readRcFile(rcFile);
expect(rc['registry']).toBe('https://registry.npmjs.org/');
expect(exportSpy).not.toHaveBeenCalledWith(
'NODE_AUTH_TOKEN',
expect.anything()
);
});
it('should export NODE_AUTH_TOKEN if set to empty string', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
process.env.NODE_AUTH_TOKEN = '';
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
expect(exportSpy).toHaveBeenCalledWith('NODE_AUTH_TOKEN', '');
});
it('configAuthentication should overwrite non-scoped with non-scoped', async () => { it('configAuthentication should overwrite non-scoped with non-scoped', async () => {
fs.writeFileSync(rcFile, 'registry=NNN'); fs.writeFileSync(rcFile, 'registry=NNN');
await auth.configAuthentication('https://registry.npmjs.org/'); await auth.configAuthentication('https://registry.npmjs.org/');
+19 -1
View File
@@ -137,6 +137,7 @@ describe('cache-restore', () => {
] as const)( ] as const)(
'restored dependencies for %s', 'restored dependencies for %s',
async (packageManager, toolVersion, fileHash) => { async (packageManager, toolVersion, fileHash) => {
const expectedCacheKey = `node-cache-${platform}-${arch}-${packageManager}-${fileHash}`;
// Set workspace to the appropriate fixture folder // Set workspace to the appropriate fixture folder
setWorkspaceFor(packageManager); setWorkspaceFor(packageManager);
getCommandOutputSpy.mockImplementation((command: string) => { getCommandOutputSpy.mockImplementation((command: string) => {
@@ -150,12 +151,20 @@ describe('cache-restore', () => {
await restoreCache(packageManager, ''); await restoreCache(packageManager, '');
expect(hashFilesSpy).toHaveBeenCalled(); expect(hashFilesSpy).toHaveBeenCalled();
expect(infoSpy).toHaveBeenCalledWith( expect(infoSpy).toHaveBeenCalledWith(
`Cache restored from key: node-cache-${platform}-${arch}-${packageManager}-${fileHash}` `Cache restored from key: ${expectedCacheKey}`
); );
expect(infoSpy).not.toHaveBeenCalledWith( expect(infoSpy).not.toHaveBeenCalledWith(
`${packageManager} cache is not found` `${packageManager} cache is not found`
); );
expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', true); expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', true);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-primary-key',
expectedCacheKey
);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-matched-key',
expectedCacheKey
);
} }
); );
}); });
@@ -169,6 +178,7 @@ describe('cache-restore', () => {
] as const)( ] as const)(
'dependencies are changed %s', 'dependencies are changed %s',
async (packageManager, toolVersion, fileHash) => { async (packageManager, toolVersion, fileHash) => {
const expectedCacheKey = `node-cache-${platform}-${arch}-${packageManager}-${fileHash}`;
// Set workspace to the appropriate fixture folder // Set workspace to the appropriate fixture folder
setWorkspaceFor(packageManager); setWorkspaceFor(packageManager);
getCommandOutputSpy.mockImplementation((command: string) => { getCommandOutputSpy.mockImplementation((command: string) => {
@@ -186,6 +196,14 @@ describe('cache-restore', () => {
`${packageManager} cache is not found` `${packageManager} cache is not found`
); );
expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', false); expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', false);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-primary-key',
expectedCacheKey
);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-matched-key',
undefined
);
} }
); );
}); });
+4
View File
@@ -34,6 +34,10 @@ inputs:
outputs: outputs:
cache-hit: cache-hit:
description: 'A boolean value to indicate if a cache was hit.' description: 'A boolean value to indicate if a cache was hit.'
cache-primary-key:
description: 'The key used to restore and save the cache.'
cache-matched-key:
description: 'The key of the cache that was restored. Empty when no cache is found.'
node-version: node-version:
description: 'The installed node version.' description: 'The installed node version.'
runs: runs:
+13 -4
View File
@@ -56941,8 +56941,10 @@ function writeRegistryToFile(registryUrl, fileLocation) {
newContents += `${authString}${os.EOL}${registryString}`; newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents); fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation); core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it // Only export NODE_AUTH_TOKEN if explicitly provided by user
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX'); if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) {
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
}
} }
@@ -57019,6 +57021,7 @@ const restoreCache = async (packageManager, cacheDependencyPath) => {
const primaryKey = `${keyPrefix}-${fileHash}`; const primaryKey = `${keyPrefix}-${fileHash}`;
core.debug(`primary key is ${primaryKey}`); core.debug(`primary key is ${primaryKey}`);
core.saveState(constants_1.State.CachePrimaryKey, primaryKey); core.saveState(constants_1.State.CachePrimaryKey, primaryKey);
core.setOutput('cache-primary-key', primaryKey);
const isManagedByYarnBerry = await (0, cache_utils_1.repoHasYarnBerryManagedDependencies)(packageManagerInfo, cacheDependencyPath); const isManagedByYarnBerry = await (0, cache_utils_1.repoHasYarnBerryManagedDependencies)(packageManagerInfo, cacheDependencyPath);
let cacheKey; let cacheKey;
if (isManagedByYarnBerry) { if (isManagedByYarnBerry) {
@@ -57029,6 +57032,8 @@ const restoreCache = async (packageManager, cacheDependencyPath) => {
cacheKey = await cache.restoreCache(cachePaths, primaryKey); cacheKey = await cache.restoreCache(cachePaths, primaryKey);
} }
core.setOutput('cache-hit', Boolean(cacheKey)); core.setOutput('cache-hit', Boolean(cacheKey));
core.setOutput('cache-matched-key', cacheKey);
core.debug(`cache-matched-key is ${cacheKey}`);
if (!cacheKey) { if (!cacheKey) {
core.info(`${packageManager} cache is not found`); core.info(`${packageManager} cache is not found`);
return; return;
@@ -57886,7 +57891,9 @@ class OfficialBuilds extends base_distribution_1.default {
const versionInfo = await this.getInfoFromManifest(this.nodeInfo.versionSpec, this.nodeInfo.stable, osArch, manifest); const versionInfo = await this.getInfoFromManifest(this.nodeInfo.versionSpec, this.nodeInfo.stable, osArch, manifest);
if (versionInfo) { if (versionInfo) {
core.info(`Acquiring ${versionInfo.resolvedVersion} - ${versionInfo.arch} from ${versionInfo.downloadUrl}`); core.info(`Acquiring ${versionInfo.resolvedVersion} - ${versionInfo.arch} from ${versionInfo.downloadUrl}`);
downloadPath = await tc.downloadTool(versionInfo.downloadUrl, undefined, this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth); downloadPath = await tc.downloadTool(versionInfo.downloadUrl, undefined, this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth);
if (downloadPath) { if (downloadPath) {
toolPath = await this.extractArchive(downloadPath, versionInfo, false); toolPath = await this.extractArchive(downloadPath, versionInfo, false);
} }
@@ -57957,7 +57964,9 @@ class OfficialBuilds extends base_distribution_1.default {
} }
getManifest() { getManifest() {
core.debug('Getting manifest from actions/node-versions@main'); core.debug('Getting manifest from actions/node-versions@main');
return tc.getManifestFromRepo('actions', 'node-versions', this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth, 'main'); return tc.getManifestFromRepo('actions', 'node-versions', this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth, 'main');
} }
resolveLtsAliasFromManifest(versionSpec, stable, manifest) { resolveLtsAliasFromManifest(versionSpec, stable, manifest) {
const alias = versionSpec.split('lts/')[1]?.toLowerCase(); const alias = versionSpec.split('lts/')[1]?.toLowerCase();
+99 -23
View File
@@ -69,6 +69,7 @@ steps:
with: with:
node-version: '24' node-version: '24'
check-latest: true check-latest: true
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -86,6 +87,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version-file: '.nvmrc' node-version-file: '.nvmrc'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -131,6 +133,7 @@ jobs:
with: with:
node-version: '24' node-version: '24'
architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -151,6 +154,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0 node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -166,6 +170,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24 node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -182,6 +187,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 'v24.0.0-v8-canary2025030537242e55ac' node-version: 'v24.0.0-v8-canary2025030537242e55ac'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -202,6 +208,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-nightly' # it will install the latest nightly release for node 24 node-version: '24-nightly' # it will install the latest nightly release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -218,6 +225,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0 node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -234,6 +242,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly202505066102159fa1' node-version: '24.0.0-nightly202505066102159fa1'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -252,11 +261,12 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-rc.4' node-version: '24.0.0-rc.4'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
**Note:** Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`. **Note**: Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`.
## Caching packages data ## Caching packages data
The action follows [actions/cache](https://github.com/actions/cache/blob/main/examples.md#node---npm) guidelines, and caches global cache on the machine instead of `node_modules`, so cache can be reused between different Node.js versions. The action follows [actions/cache](https://github.com/actions/cache/blob/main/examples.md#node---npm) guidelines, and caches global cache on the machine instead of `node_modules`, so cache can be reused between different Node.js versions.
@@ -329,36 +339,52 @@ steps:
- run: npm test - run: npm test
``` ```
**Restore-Only Cache** **Restore-only cache**
You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.
```yaml ```yaml
## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache steps:
jobs: - uses: actions/checkout@v6
build: # - uses: pnpm/action-setup@v6
runs-on: ubuntu-latest # with:
steps: # version: 10
- uses: actions/checkout@v6
# Restore Node.js modules cache (restore-only) - name: Setup Node.js
- name: Restore Node modules cache
uses: actions/cache@v5
id: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
# Setup Node.js
- name: Setup Node.js
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: '24' node-version: '24'
# Install dependencies package-manager-cache: false # Disable automatic npm caching if not required
- run: npm install
- name: Normalize runner architecture
shell: bash
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
- name: Output of cache path
id: cachepath
shell: bash
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+)
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT
- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
``` ```
> **Note**: Uncomment the commands relevant to your project's package manager.
> For more details related to cache scenarios, please refer [Node npm](https://github.com/actions/cache/blob/main/examples.md#node---npm). > For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache).
## Multiple Operating Systems and Architectures ## Multiple operating systems and architectures
```yaml ```yaml
jobs: jobs:
@@ -389,6 +415,7 @@ jobs:
with: with:
node-version: ${{ matrix.node_version }} node-version: ${{ matrix.node_version }}
architecture: ${{ matrix.architecture }} architecture: ${{ matrix.architecture }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -401,6 +428,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci - run: npm ci
- run: npm publish - run: npm publish
env: env:
@@ -408,6 +436,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm publish - run: npm publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -421,6 +450,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: <registry url> registry-url: <registry url>
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn install --frozen-lockfile - run: yarn install --frozen-lockfile
- run: yarn publish - run: yarn publish
env: env:
@@ -428,6 +458,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn publish - run: yarn publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -441,6 +472,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
# Skip post-install scripts here, as a malicious # Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN. # script could steal NODE_AUTH_TOKEN.
- run: npm ci --ignore-scripts - run: npm ci --ignore-scripts
@@ -460,6 +492,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.x' node-version: '24.x'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- name: Setup .yarnrc.yml - name: Setup .yarnrc.yml
run: | run: |
yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com" yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com"
@@ -475,6 +508,48 @@ To access private GitHub Packages within the same organization, go to "Manage Ac
Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details. Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details.
## Publishing to npm with Trusted Publisher (OIDC)
npm supports Trusted Publishers, enabling packages to be published from GitHub Actions using OpenID Connect (OIDC) instead of long-lived npm tokens. This improves security by replacing static credentials with short-lived tokens, reducing the risk of credential leakage and simplifying authentication in CI/CD workflows.
### Requirements
Trusted publishing requires a compatible npm version:
* **npm ≥ 11.5.1 (required)**
* **Node.js 24 or newer (recommended)** — includes a compatible npm version by default
> If npm is below 11.5.1, publishing will fail even if OIDC permissions are correctly configured.
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
> **Note**: In publishing workflows, set `package-manager-cache: false` because setup-node enables npm caching automatically when `package.json` specifies npm via `packageManager` or `devEngines.packageManager` (see [Running without a lockfile](#running-without-a-lockfile)), and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code.
### Example workflow
```yaml
permissions:
contents: read
id-token: write # Required for OIDC
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci
- run: npm run build --if-present
- run: npm publish
```
> **Note**: If the Trusted Publisher configuration (GitHub owner/repo/workflow file, and optional environment) does not match the workflow run identity exactly, publishing may fail with **E404 Not Found** even if the package exists on npm.
For more details, see the [npm Trusted Publishers documentation](https://docs.npmjs.com/trusted-publishers) and the [GitHub Actions OpenID Connect (OIDC) overview](https://docs.github.com/en/actions/concepts/security/openid-connect).
## Use private mirror ## Use private mirror
It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution. It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution.
@@ -488,4 +563,5 @@ The token will be passed in the `Authorization` header.
node-version: '24.x' node-version: '24.x'
mirror: 'https://nodejs.org/dist' mirror: 'https://nodejs.org/dist'
mirror-token: 'your-mirror-token' mirror-token: 'your-mirror-token'
cache-package-manager: false # Disable automatic npm caching if not required
``` ```
+123 -139
View File
@@ -9,7 +9,7 @@
"version": "6.5.0", "version": "6.5.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "5.1.0", "@actions/cache": "^5.1.0",
"@actions/core": "^2.0.3", "@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0", "@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1", "@actions/github": "^6.0.1",
@@ -457,13 +457,13 @@
} }
}, },
"node_modules/@babel/code-frame": { "node_modules/@babel/code-frame": {
"version": "7.29.7", "version": "7.27.1",
"resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz",
"integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==", "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/helper-validator-identifier": "^7.29.7", "@babel/helper-validator-identifier": "^7.27.1",
"js-tokens": "^4.0.0", "js-tokens": "^4.0.0",
"picocolors": "^1.1.1" "picocolors": "^1.1.1"
}, },
@@ -472,9 +472,9 @@
} }
}, },
"node_modules/@babel/compat-data": { "node_modules/@babel/compat-data": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.28.5.tgz",
"integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==", "integrity": "sha512-6uFXyCayocRbqhZOB+6XcuZbkMNimwfVGFji8CTZnCzOHVGvDqzvitu1re2AU5LROliz7eQPhB8CpAMvnx9EjA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -482,21 +482,21 @@
} }
}, },
"node_modules/@babel/core": { "node_modules/@babel/core": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.28.5.tgz",
"integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==", "integrity": "sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/code-frame": "^7.29.7", "@babel/code-frame": "^7.27.1",
"@babel/generator": "^7.29.7", "@babel/generator": "^7.28.5",
"@babel/helper-compilation-targets": "^7.29.7", "@babel/helper-compilation-targets": "^7.27.2",
"@babel/helper-module-transforms": "^7.29.7", "@babel/helper-module-transforms": "^7.28.3",
"@babel/helpers": "^7.29.7", "@babel/helpers": "^7.28.4",
"@babel/parser": "^7.29.7", "@babel/parser": "^7.28.5",
"@babel/template": "^7.29.7", "@babel/template": "^7.27.2",
"@babel/traverse": "^7.29.7", "@babel/traverse": "^7.28.5",
"@babel/types": "^7.29.7", "@babel/types": "^7.28.5",
"@jridgewell/remapping": "^2.3.5", "@jridgewell/remapping": "^2.3.5",
"convert-source-map": "^2.0.0", "convert-source-map": "^2.0.0",
"debug": "^4.1.0", "debug": "^4.1.0",
@@ -523,14 +523,14 @@
} }
}, },
"node_modules/@babel/generator": { "node_modules/@babel/generator": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.5.tgz",
"integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==", "integrity": "sha512-3EwLFhZ38J4VyIP6WNtt2kUdW9dokXA9Cr4IVIFHuCpZ3H8/YFOl5JjZHisrn1fATPBmKKqXzDFvh9fUwHz6CQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/parser": "^7.29.7", "@babel/parser": "^7.28.5",
"@babel/types": "^7.29.7", "@babel/types": "^7.28.5",
"@jridgewell/gen-mapping": "^0.3.12", "@jridgewell/gen-mapping": "^0.3.12",
"@jridgewell/trace-mapping": "^0.3.28", "@jridgewell/trace-mapping": "^0.3.28",
"jsesc": "^3.0.2" "jsesc": "^3.0.2"
@@ -540,14 +540,14 @@
} }
}, },
"node_modules/@babel/helper-compilation-targets": { "node_modules/@babel/helper-compilation-targets": {
"version": "7.29.7", "version": "7.27.2",
"resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.27.2.tgz",
"integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==", "integrity": "sha512-2+1thGUUWWjLTYTHZWK1n8Yga0ijBz1XAhUXcKy81rd5g6yh7hGqMp45v7cadSbEHc9G3OTv45SyneRN3ps4DQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/compat-data": "^7.29.7", "@babel/compat-data": "^7.27.2",
"@babel/helper-validator-option": "^7.29.7", "@babel/helper-validator-option": "^7.27.1",
"browserslist": "^4.24.0", "browserslist": "^4.24.0",
"lru-cache": "^5.1.1", "lru-cache": "^5.1.1",
"semver": "^6.3.1" "semver": "^6.3.1"
@@ -567,9 +567,9 @@
} }
}, },
"node_modules/@babel/helper-globals": { "node_modules/@babel/helper-globals": {
"version": "7.29.7", "version": "7.28.0",
"resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
"integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==", "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -577,29 +577,29 @@
} }
}, },
"node_modules/@babel/helper-module-imports": { "node_modules/@babel/helper-module-imports": {
"version": "7.29.7", "version": "7.27.1",
"resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz",
"integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==", "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/traverse": "^7.29.7", "@babel/traverse": "^7.27.1",
"@babel/types": "^7.29.7" "@babel/types": "^7.27.1"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
} }
}, },
"node_modules/@babel/helper-module-transforms": { "node_modules/@babel/helper-module-transforms": {
"version": "7.29.7", "version": "7.28.3",
"resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.3.tgz",
"integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==", "integrity": "sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/helper-module-imports": "^7.29.7", "@babel/helper-module-imports": "^7.27.1",
"@babel/helper-validator-identifier": "^7.29.7", "@babel/helper-validator-identifier": "^7.27.1",
"@babel/traverse": "^7.29.7" "@babel/traverse": "^7.28.3"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
@@ -619,9 +619,9 @@
} }
}, },
"node_modules/@babel/helper-string-parser": { "node_modules/@babel/helper-string-parser": {
"version": "7.29.7", "version": "7.27.1",
"resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
"integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==", "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -629,9 +629,9 @@
} }
}, },
"node_modules/@babel/helper-validator-identifier": { "node_modules/@babel/helper-validator-identifier": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
"integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==", "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -639,9 +639,9 @@
} }
}, },
"node_modules/@babel/helper-validator-option": { "node_modules/@babel/helper-validator-option": {
"version": "7.29.7", "version": "7.27.1",
"resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz",
"integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==", "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -649,27 +649,27 @@
} }
}, },
"node_modules/@babel/helpers": { "node_modules/@babel/helpers": {
"version": "7.29.7", "version": "7.28.4",
"resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.4.tgz",
"integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==", "integrity": "sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/template": "^7.29.7", "@babel/template": "^7.27.2",
"@babel/types": "^7.29.7" "@babel/types": "^7.28.4"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
} }
}, },
"node_modules/@babel/parser": { "node_modules/@babel/parser": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz",
"integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==", "integrity": "sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/types": "^7.29.7" "@babel/types": "^7.28.5"
}, },
"bin": { "bin": {
"parser": "bin/babel-parser.js" "parser": "bin/babel-parser.js"
@@ -918,33 +918,33 @@
} }
}, },
"node_modules/@babel/template": { "node_modules/@babel/template": {
"version": "7.29.7", "version": "7.27.2",
"resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz",
"integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==", "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/code-frame": "^7.29.7", "@babel/code-frame": "^7.27.1",
"@babel/parser": "^7.29.7", "@babel/parser": "^7.27.2",
"@babel/types": "^7.29.7" "@babel/types": "^7.27.1"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
} }
}, },
"node_modules/@babel/traverse": { "node_modules/@babel/traverse": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz",
"integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==", "integrity": "sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/code-frame": "^7.29.7", "@babel/code-frame": "^7.27.1",
"@babel/generator": "^7.29.7", "@babel/generator": "^7.28.5",
"@babel/helper-globals": "^7.29.7", "@babel/helper-globals": "^7.28.0",
"@babel/parser": "^7.29.7", "@babel/parser": "^7.28.5",
"@babel/template": "^7.29.7", "@babel/template": "^7.27.2",
"@babel/types": "^7.29.7", "@babel/types": "^7.28.5",
"debug": "^4.3.1" "debug": "^4.3.1"
}, },
"engines": { "engines": {
@@ -952,14 +952,14 @@
} }
}, },
"node_modules/@babel/types": { "node_modules/@babel/types": {
"version": "7.29.7", "version": "7.28.5",
"resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz", "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.5.tgz",
"integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==", "integrity": "sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/helper-string-parser": "^7.29.7", "@babel/helper-string-parser": "^7.27.1",
"@babel/helper-validator-identifier": "^7.29.7" "@babel/helper-validator-identifier": "^7.28.5"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
@@ -1115,9 +1115,9 @@
} }
}, },
"node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {
"version": "3.15.0", "version": "3.14.2",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.15.0.tgz", "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
"integrity": "sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==", "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
@@ -2430,16 +2430,13 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/baseline-browser-mapping": { "node_modules/baseline-browser-mapping": {
"version": "2.10.42", "version": "2.9.7",
"resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.42.tgz", "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.9.7.tgz",
"integrity": "sha512-c/jurFrDLyui7o1J86yLkRu4LMsTYcBohveus7/I2Hzdn9KIP2bdJPTue/lR1KH46enoPbD77GKeSYNdyPoD3Q==", "integrity": "sha512-k9xFKplee6KIio3IDbwj+uaCLpqzOwakOgmqzPezM0sFJlFKcg30vk2wOiAJtkTSfx0SSQDSe8q+mWA/fSH5Zg==",
"dev": true, "dev": true,
"license": "Apache-2.0", "license": "Apache-2.0",
"bin": { "bin": {
"baseline-browser-mapping": "dist/cli.cjs" "baseline-browser-mapping": "dist/cli.js"
},
"engines": {
"node": ">=6.0.0"
} }
}, },
"node_modules/before-after-hook": { "node_modules/before-after-hook": {
@@ -2472,9 +2469,9 @@
} }
}, },
"node_modules/browserslist": { "node_modules/browserslist": {
"version": "4.28.5", "version": "4.28.1",
"resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.5.tgz", "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
"integrity": "sha512-Cu2E6QejHWzuDMTkuwgpABFgDfZrXLQq5V13YOACZx4mFAG4IwGTbTfHPMr4WtxlHoXSM8FIuRwYYCz5XiabaQ==", "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==",
"dev": true, "dev": true,
"funding": [ "funding": [
{ {
@@ -2492,11 +2489,11 @@
], ],
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"baseline-browser-mapping": "^2.10.42", "baseline-browser-mapping": "^2.9.0",
"caniuse-lite": "^1.0.30001800", "caniuse-lite": "^1.0.30001759",
"electron-to-chromium": "^1.5.387", "electron-to-chromium": "^1.5.263",
"node-releases": "^2.0.50", "node-releases": "^2.0.27",
"update-browserslist-db": "^1.2.3" "update-browserslist-db": "^1.2.0"
}, },
"bin": { "bin": {
"browserslist": "cli.js" "browserslist": "cli.js"
@@ -2556,9 +2553,9 @@
} }
}, },
"node_modules/caniuse-lite": { "node_modules/caniuse-lite": {
"version": "1.0.30001803", "version": "1.0.30001760",
"resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001803.tgz", "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001760.tgz",
"integrity": "sha512-g/uHREV2ZpK9qMalCsWaxmA6ol+DX8GYhuf3T40RKoP+oL7vhRJh8LNt73PCjpnR6l14FzfPrB5Yux4PKm2meg==", "integrity": "sha512-7AAMPcueWELt1p3mi13HR/LHH0TJLT11cnwDJEs3xA4+CK/PLKeO9Kl1oru24htkyUKtkGCvAx4ohB0Ttry8Dw==",
"dev": true, "dev": true,
"funding": [ "funding": [
{ {
@@ -2831,9 +2828,9 @@
} }
}, },
"node_modules/electron-to-chromium": { "node_modules/electron-to-chromium": {
"version": "1.5.389", "version": "1.5.267",
"resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.389.tgz", "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.267.tgz",
"integrity": "sha512-cEto7aeOqBfU1D+c5py5pE+ooscKE75JifxLBdFUZsqAxRS6y7kebtxAZvICszSl05gPjYHDTjY+lXpyGvpJbg==", "integrity": "sha512-0Drusm6MVRXSOJpGbaSVgcQsuB4hEkMpHXaVstcPmhu5LIedxs1xNK/nIxmQIU/RPC0+1/o0AVZfBTkTNJOdUw==",
"dev": true, "dev": true,
"license": "ISC" "license": "ISC"
}, },
@@ -3326,9 +3323,9 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/fast-xml-builder": { "node_modules/fast-xml-builder": {
"version": "1.2.1", "version": "1.2.0",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.1.tgz", "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
"integrity": "sha512-tPb5TTWfgfVx5BNSi2xV0eLr89POeXXn0dXIsCJ9m1narrWxeIyx6je9d7Rce/3NyXLbvuQmLkxq+RuxMWejvw==", "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -3342,9 +3339,9 @@
} }
}, },
"node_modules/fast-xml-parser": { "node_modules/fast-xml-parser": {
"version": "5.9.3", "version": "5.9.2",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.9.3.tgz", "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.9.2.tgz",
"integrity": "sha512-brCNCeScma/kqa54J4PIDriSSSLssRkuYaUCpvHJulGc3HGI/xxKUCTDcYkAdqJsyb//ydpbxecjC3hB9+tb/g==", "integrity": "sha512-DYPkXnVSJHAGAkSBeVYhEo/seIpz2SLr9OQcX7m6lXaX3gvoB+DCKzFdZIEhZGI3I1DUhObBAUOT/v2xfoXz/w==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -3357,7 +3354,7 @@
"fast-xml-builder": "^1.2.0", "fast-xml-builder": "^1.2.0",
"is-unsafe": "^1.0.1", "is-unsafe": "^1.0.1",
"path-expression-matcher": "^1.5.0", "path-expression-matcher": "^1.5.0",
"strnum": "^2.4.1", "strnum": "^2.4.0",
"xml-naming": "^0.1.0" "xml-naming": "^0.1.0"
}, },
"bin": { "bin": {
@@ -4554,20 +4551,10 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/js-yaml": { "node_modules/js-yaml": {
"version": "4.3.0", "version": "4.1.1",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz", "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
"integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==", "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
"dev": true, "dev": true,
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/puzrin"
},
{
"type": "github",
"url": "https://github.com/sponsors/nodeca"
}
],
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"argparse": "^2.0.1" "argparse": "^2.0.1"
@@ -4852,14 +4839,11 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/node-releases": { "node_modules/node-releases": {
"version": "2.0.50", "version": "2.0.27",
"resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.50.tgz", "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz",
"integrity": "sha512-J6l92tKHX6w8Jy5nO1Vuc01NoIiRGi/d6qBKVxh+IQ8Cr3b6HbVNfKiF8ZpFKufTwpwxMmce2W3iQZ861ZRyTg==", "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT"
"engines": {
"node": ">=18"
}
}, },
"node_modules/normalize-path": { "node_modules/normalize-path": {
"version": "3.0.0", "version": "3.0.0",
@@ -5012,9 +4996,9 @@
} }
}, },
"node_modules/path-expression-matcher": { "node_modules/path-expression-matcher": {
"version": "1.6.2", "version": "1.5.0",
"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.6.2.tgz", "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
"integrity": "sha512-enSlaiat05iasnzmgNxRj8reFdj3puY2QpNgP1aPIaVfT6nn9ICuPoFlKHk8EN22HcwewshO+mN2DGbkCEOtqQ==", "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -5883,9 +5867,9 @@
"license": "ISC" "license": "ISC"
}, },
"node_modules/update-browserslist-db": { "node_modules/update-browserslist-db": {
"version": "1.2.3", "version": "1.2.2",
"resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz", "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.2.tgz",
"integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==", "integrity": "sha512-E85pfNzMQ9jpKkA7+TJAi4TJN+tBCuWh5rUcS/sv6cFi+1q9LYDwDI5dpUL0u/73EElyQ8d3TEaeW4sPedBqYA==",
"dev": true, "dev": true,
"funding": [ "funding": [
{ {
+1 -1
View File
@@ -28,7 +28,7 @@
"author": "GitHub", "author": "GitHub",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "5.1.0", "@actions/cache": "^5.1.0",
"@actions/core": "^2.0.3", "@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0", "@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1", "@actions/github": "^6.0.1",
+4 -5
View File
@@ -46,9 +46,8 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string) {
newContents += `${authString}${os.EOL}${registryString}`; newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents); fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation); core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it // Only export NODE_AUTH_TOKEN if explicitly provided by user
core.exportVariable( if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) {
'NODE_AUTH_TOKEN', core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX' }
);
} }
+3
View File
@@ -45,6 +45,7 @@ export const restoreCache = async (
core.debug(`primary key is ${primaryKey}`); core.debug(`primary key is ${primaryKey}`);
core.saveState(State.CachePrimaryKey, primaryKey); core.saveState(State.CachePrimaryKey, primaryKey);
core.setOutput('cache-primary-key', primaryKey);
const isManagedByYarnBerry = await repoHasYarnBerryManagedDependencies( const isManagedByYarnBerry = await repoHasYarnBerryManagedDependencies(
packageManagerInfo, packageManagerInfo,
@@ -61,6 +62,8 @@ export const restoreCache = async (
} }
core.setOutput('cache-hit', Boolean(cacheKey)); core.setOutput('cache-hit', Boolean(cacheKey));
core.setOutput('cache-matched-key', cacheKey);
core.debug(`cache-matched-key is ${cacheKey}`);
if (!cacheKey) { if (!cacheKey) {
core.info(`${packageManager} cache is not found`); core.info(`${packageManager} cache is not found`);
@@ -84,7 +84,9 @@ export default class OfficialBuilds extends BaseDistribution {
downloadPath = await tc.downloadTool( downloadPath = await tc.downloadTool(
versionInfo.downloadUrl, versionInfo.downloadUrl,
undefined, undefined,
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth
); );
if (downloadPath) { if (downloadPath) {
@@ -188,7 +190,9 @@ export default class OfficialBuilds extends BaseDistribution {
return tc.getManifestFromRepo( return tc.getManifestFromRepo(
'actions', 'actions',
'node-versions', 'node-versions',
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth, this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth,
'main' 'main'
); );
} }