Sync with upstream actions/setup-node (main) #4
* chore: upgrade @actions dependencies and update licenses

  - @actions/core: ^1.11.1 → ^2.0.3
  - @actions/cache: ^5.0.1 → ^5.0.5
  - @actions/glob: ^0.5.0 → ^0.5.1
  - @actions/http-client: ^2.2.1 → ^3.0.2
  - @actions/tool-cache: ^2.0.2 → ^3.0.1
  - @actions/io: ^1.0.2 → ^2.0.0
  - Run npm audit fix
  - Update license files for new versions
  - Rebuild dist files

  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* fix: update license files to fix Licensed CI failures

  Update 5 license records that were out of date after the dependency upgrade:
  - brace-expansion: 1.1.12 → 1.1.13
  - fast-xml-builder: 1.0.0 → 1.1.4
  - fast-xml-parser: 5.4.1 → 5.5.11
  - strnum: 2.1.2 → 2.2.3
  - path-expression-matcher: add new record (version 1.4.0, new transitive dep)

  Rebuild dist/ files to reflect updated lock file

  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* feat: upgrade @actions/exec to ^2.0.0 and fix license records

  - Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
  - Update package-lock.json via npm install
  - Run `licensed cache` to regenerate license records:
    - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
    - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
    - Create exec.dep.yml (v2.0.0) - single version now in tree
    - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
  - Rebuild dist/ files

  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)

* setup node in local
* update workflows to remove EOL versions
* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md
* fix copilot suggestion
* update naming

Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided

  Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

  Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps, add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm mirror, no configurable mirror inputs).
📝 Walkthrough
This pull request updates package metadata and npm license manifests, changes
Sequence Diagram(s): Not applicable.
Estimated code review effort: 3
Suggested labels: dependencies, documentation, bug-fix
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.
⛔ Files ignored due to path filters (3)
- dist/cache-save/index.js is excluded by !**/dist/**
- dist/setup/index.js is excluded by !**/dist/**
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
- .licenses/npm/@actions/cache.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/core.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
- .licenses/npm/@actions/exec.dep.yml
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/io.dep.yml
- .licenses/npm/@actions/tool-cache.dep.yml
- .licenses/npm/@nodable/entities.dep.yml
- .licenses/npm/anynum.dep.yml
- .licenses/npm/brace-expansion.dep.yml
- .licenses/npm/fast-xml-builder.dep.yml
- .licenses/npm/fast-xml-parser.dep.yml
- .licenses/npm/is-unsafe.dep.yml
- .licenses/npm/path-expression-matcher.dep.yml
- .licenses/npm/strnum.dep.yml
- .licenses/npm/undici.dep.yml
- .licenses/npm/xml-naming.dep.yml
- README.md
- __tests__/authutil.test.ts
- __tests__/cache-save.test.ts
- docs/advanced-usage.md
- package.json
- src/authutil.ts
- src/cache-save.ts
💤 Files with no reviewable changes (3)
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
| **Restore-only cache** | ||
|
|
||
| You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows. | ||
|
|
||
| ```yaml | ||
| ## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| # Restore Node.js modules cache (restore-only) | ||
| - name: Restore Node modules cache | ||
| uses: actions/cache@v5 | ||
| id: cache-node-modules | ||
| with: | ||
| path: ~/.npm | ||
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-node- | ||
| # Setup Node.js | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| # Install dependencies | ||
| - run: npm install | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| # - uses: pnpm/action-setup@v6 | ||
| # with: | ||
| # version: 10 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
|
|
||
| - name: Normalize runner architecture | ||
| shell: bash | ||
| run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | ||
|
|
||
| - name: Output of cache path | ||
| id: cachepath | ||
| shell: bash | ||
| run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT | ||
| # run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT | ||
| # For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+) | ||
| # run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Restore Node cache | ||
| uses: actions/cache/restore@v5 | ||
| with: | ||
| path: ${{ steps.cachepath.outputs.path }} | ||
| key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }} | ||
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }} | ||
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} | ||
|
|
||
| - run: npm ci | ||
| # - run: yarn install --frozen-lockfile # optional, --immutable | ||
| # - run: pnpm install | ||
| ``` | ||
| > **Note**: Uncomment the commands relevant to your project's package manager. | ||
|
|
||
| > For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm). | ||
| > For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache). | ||
|
|
||
| ## Multiple Operating Systems and Architectures | ||
| ## Multiple operating systems and architectures |
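Review bot: The commented `# - uses: pnpm/action-setup@v6` step in the new restore-only example disagrees with the `pnpm/action-setup@v4` used by the working pnpm example elsewhere in this document, so a reader who uncomments it gets a different major version that may not exist; align it to `@v4`. The hunk also leaves blank lines between the two `> For more details related to cache scenarios …` quote lines, which markdownlint reports as MD028 (no-blanks-blockquote); put them in one blockquote or drop the blank lines. The substantive change itself is the right shape for a restore-only flow: `actions/cache/restore@v5` never writes a new cache entry, unlike the `actions/cache@v5` step it replaces, and `npm ci` installs strictly from the lock file whose hash forms the cache key, where the old example's `npm install` could drift from it.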
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Fix commented pnpm action version to match documented version.
Line 339 references pnpm/action-setup@v6 in a commented step, but the active pnpm example earlier in this file (line 289) uses pnpm/action-setup@v4. If users uncomment this step, v6 may not exist and will fail. Align the commented version with the working example.
📝 Suggested fix
```diff
-# - uses: pnpm/action-setup@v6
+# - uses: pnpm/action-setup@v4
```
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 373-373: Blank line inside blockquote
(MD028, no-blanks-blockquote)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/advanced-usage.md` around lines 332 - 376, The commented pnpm setup step
in the restore-only cache example uses an inconsistent action version, so if it
is uncommented it may break. Update the `pnpm/action-setup` reference in this
snippet to match the working pnpm example used elsewhere in the document,
keeping the commented guidance aligned with the documented `pnpm` workflow.
Locate the fix in the restore-only cache YAML example near the
`pnpm/action-setup` and `pnpm install` entries.
Org policy requires all actions to be pinned to a full-length commit SHA.

- actions/checkout@v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3)
- pnpm/action-setup@v4 -> b906affcce14559ad1aafd4ab0e942779e9f58b1
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/versions.yml (1)
23-23: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Consider setting `persist-credentials: false` on checkout steps.
zizmor flags `artipacked` on every checkout step in this file; these matrix jobs don't push back to the repo, so persisting the token isn't needed.
🔒️ Example fix (apply to each checkout step)
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: falseAlso applies to: 40-40, 57-57, 76-76, 91-91, 106-106, 121-121, 137-137, 153-153, 166-166
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/versions.yml at line 23, update each actions/checkout step in the versions workflow to disable persisted Git credentials by setting persist-credentials to false; the matrix jobs only read the repo and do not need the token stored, so apply this to every checkout usage in the workflow.
Source: Linters/SAST tools
.github/workflows/e2e-cache.yml (1)
24-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Consider setting `persist-credentials: false` on checkout steps.
zizmor flags every `actions/checkout` step here for `artipacked` (credential persistence). None of these test jobs push back to the repo, so the checked-out token isn't needed after checkout.
🔒️ Example fix (apply to each checkout step)
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: falseAlso applies to: 47-49, 80-80, 112-112, 146-146, 173-173, 200-200, 227-227, 256-256, 281-281
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/e2e-cache.yml at line 24, add persist-credentials: false to every actions/checkout step in the e2e-cache workflow, since these jobs only read the repository and do not need the token after checkout. Update each checkout invocation consistently so the workflow no longer leaves credentials available for later steps.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/proxy.yml:
- Line 28: The checkout steps in the workflow are leaving the GitHub token
persisted in git config by default. Update both uses of actions/checkout in
proxy.yml to set persist-credentials to false so the jobs only use read access;
this applies to each checkout step in the workflow.
In @.github/workflows/publish-immutable-actions.yml:
- Line 17: The checkout step in the publish workflow is still persisting Git
credentials, which should be disabled for this publish-only job. Update the
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not left available to later steps. Use the existing checkout step
in the publish-immutable-actions workflow as the place to apply this change.
---
Nitpick comments:
In @.github/workflows/e2e-cache.yml:
- Line 24: Add persist-credentials: false to every actions/checkout step in the
e2e-cache workflow, since these jobs only read the repository and do not need
the token after checkout. Update each checkout invocation consistently so the
workflow no longer leaves credentials available for later steps.
In @.github/workflows/versions.yml:
- Line 23: Update each actions/checkout step in the versions workflow to disable
persisted Git credentials by setting persist-credentials to false; the matrix
jobs only read the repo and do not need the token stored, so apply this to every
checkout usage in the workflow.
📒 Files selected for processing (4)
- .github/workflows/e2e-cache.yml
- .github/workflows/proxy.yml
- .github/workflows/publish-immutable-actions.yml
- .github/workflows/versions.yml
| https_proxy: http://squid-proxy:3128 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 |
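Review bot: The new SHA-pinned line `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` carries no trailing version comment, so the tag it corresponds to (v6.0.3, per the pinning note in this thread) is invisible to readers and to update tooling that keys off such a comment; append `# v6.0.3`. Since this job only reads the repository and talks out through `https_proxy: http://squid-proxy:3128`, also add `with: persist-credentials: false` to both checkout steps so the token is not written into the checked-out `.git/config` for later steps (zizmor's `artipacked` warning at line 28).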
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
```bash
sed -n '1,120p' .github/workflows/proxy.yml
```
Repository: rstackjs/setup-node
Length of output: 1442
Disable persisted checkout credentials in both jobs. actions/checkout writes the token into git config by default; these steps only need read access, so set persist-credentials: false on both checkout steps in .github/workflows/proxy.yml.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/proxy.yml at line 28, The checkout steps in the workflow
are leaving the GitHub token persisted in git config by default. Update both
uses of actions/checkout in proxy.yml to set persist-credentials to false so the
jobs only use read access; this applies to each checkout step in the workflow.
Source: Linters/SAST tools
| steps: | ||
| - name: Checking out | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 |
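Review bot: Same two points on the `Checking out` step of the publish workflow: the 40-character SHA replaces `@v6` with no `# v6.0.3` comment, so the intended release is not recoverable from the file, and the step has no `with: persist-credentials: false` even though this job only checks the repository out before publishing (zizmor `artipacked`, lines 16-17). A publish job is the one place where a persisted token is least wanted, since every later step in the job runs with the checkout's credentials available in the workspace.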
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Map the workflow file structure first.
ast-grep outline .github/workflows/publish-immutable-actions.yml --view expanded || true
# Show the workflow with line numbers.
cat -n .github/workflows/publish-immutable-actions.yml
# Inspect other steps in the job for any git/network use that might require checkout credentials.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/publish-immutable-actions.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if any(k in line for k in ['checkout', 'git ', 'gh ', 'push', 'pull', 'fetch', 'submodule', 'publish', 'npm', 'yarn', 'pnpm']):
        print(f"{i}: {line}")
PY
```
Repository: rstackjs/setup-node
Length of output: 971
Stop persisting checkout credentials. This job only checks out the repo before publishing, so persist-credentials: false keeps the checkout token out of the workspace for later steps.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-immutable-actions.yml at line 17, The checkout
step in the publish workflow is still persisting Git credentials, which should
be disabled for this publish-only job. Update the actions/checkout usage in the
workflow to set persist-credentials to false so the token is not left available
to later steps. Use the existing checkout step in the publish-immutable-actions
workflow as the place to apply this change.
Source: Linters/SAST tools
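The review comments above keep raising the same two workflow-hardening checks: every `uses:` reference pinned to a full-length commit SHA, and every `actions/checkout` step setting `persist-credentials: false`. As an added example (not code from this PR or from rstackjs/setup-node), the script below audits workflow text for exactly those two conditions without needing a YAML library. It works on a constructed sample workflow embedded inline, recognises only the plain `- uses: owner/repo@ref` step form, and treats any ref that is not 40 hex characters as unpinned.

```python
"""Audit GitHub Actions workflow text for two findings raised in this PR:
action references not pinned to a full-length commit SHA, and
actions/checkout steps that do not set persist-credentials: false."""
import re
from typing import List, Tuple

# Constructed sample workflow (not a file from the repository). It contains a
# tag-pinned checkout, a SHA-pinned and hardened checkout, a SHA-pinned checkout
# that still persists credentials, and a tag-pinned third-party action.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          fetch-depth: 0
      - uses: pnpm/action-setup@v4
"""

# A step starts with "- uses: <owner/repo@ref>"; group 1 is the indentation of
# the dash, group 2 the reference (a trailing "# v6.0.3" comment is excluded).
USES_RE = re.compile(r"^(\s*)-\s+uses:\s*([^\s#]+)")
# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, issue) tuples in file order.

    issue is 'unpinned' (ref is not a 40-hex SHA) or 'persists-credentials'
    (an actions/checkout step without persist-credentials: false).
    """
    lines = text.splitlines()
    findings: List[Tuple[int, str, str]] = []
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent = len(m.group(1))
        action, _, ref = m.group(2).partition("@")
        # The step body is every following line indented deeper than the dash
        # (blank lines are skipped over); it holds the step's `with:` block.
        j = i + 1
        body = []
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > dash_indent):
            body.append(lines[j])
            j += 1
        if not SHA_RE.match(ref):
            findings.append((i + 1, action, "unpinned"))
        if action == "actions/checkout" and not any(PERSIST_FALSE_RE.match(b) for b in body):
            findings.append((i + 1, action, "persists-credentials"))
        i = j
    return findings


if __name__ == "__main__":
    for line_no, action, issue in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}: {issue}")
```

Run against the sample, it reports the `@v6` checkout twice (unpinned and persisting credentials), the second SHA-pinned checkout once (it has a `with:` block but no `persist-credentials: false`), and the `pnpm/action-setup@v4` step as unpinned; the hardened checkout on line 8 produces nothing. The same function can be pointed at a real `.github/workflows/*.yml` file's contents to reproduce the zizmor `artipacked` finding and the org pinning policy in one pass.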
Why

Keep this fork in sync with upstream `actions/setup-node@main` — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What

Merged `upstream/main` (11 commits) into the fork. Notable conflict resolutions:

- `@actions/*` deps — adopted upstream upgrades (`http-client` 2→3, `io` 1→2, `tool-cache` 2→3, `glob` 0.5.1, `cache` 5.1.0). Kept our `tsx`/`uuid`.
- `official_builds.ts` — kept the fork version. Upstream's new `mirror`/`mirrorToken` code references `NodeInputs` fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
- `mirror`/`mirror-token` inputs this fork does not expose).
- `versions.yml` — kept the fork CI matrix (`node-version: [17, 19]`, `macos-latest`).
- `package-lock.json`, `dist/`, and `.licenses/` regenerated from source.

Verified locally: `tsc --noEmit`, `ncc build`, and `jest` (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review

- `versions.yml`: kept `node-version: [17, 19]` (upstream bumped to `[21, 23]`); the matrix also has a duplicated `macos-latest` runner.
- `tsx`/`uuid` are declared but unused across the codebase — candidates for a follow-up cleanup.