Sync with upstream actions/setup-node (main) #4

Open

stormslowly wants to merge 13 commits into main from update_upstream

Conversation

@stormslowly

Collaborator

Why

Keep this fork in sync with upstream actions/setup-node@main — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What

Merged upstream/main (11 commits) into the fork. Notable conflict resolutions:

  • @actions/* deps — adopted upstream upgrades (http-client 2→3, io 1→2, tool-cache 2→3, glob 0.5.1, cache 5.1.0). Kept our tsx/uuid.
  • official_builds.ts — kept the fork version. Upstream's new mirror/mirrorToken code references NodeInputs fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
  • Docs — added upstream's "Publishing to npm with Trusted Publisher (OIDC)" section; dropped the "Use private mirror" section (documents mirror/mirror-token inputs this fork does not expose).
  • versions.yml — kept the fork CI matrix (node-version: [17, 19], macos-latest).
  • Generated artifacts: package-lock.json, dist/, and .licenses/ regenerated from source.

Verified locally: tsc --noEmit, ncc build, and jest (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review

  • versions.yml: kept node-version: [17, 19] (upstream bumped to [21, 23]); the matrix also has a duplicated macos-latest runner.
  • tsx / uuid are declared but unused across the codebase — candidates for a follow-up cleanup.

Copilot AI and others added 12 commits April 16, 2026 12:06
* chore: upgrade @actions dependencies and update licenses

- @actions/core: ^1.11.1 → ^2.0.3
- @actions/cache: ^5.0.1 → ^5.0.5
- @actions/glob: ^0.5.0 → ^0.5.1
- @actions/http-client: ^2.2.1 → ^3.0.2
- @actions/tool-cache: ^2.0.2 → ^3.0.1
- @actions/io: ^1.0.2 → ^2.0.0
- Run npm audit fix
- Update license files for new versions
- Rebuild dist files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* fix: update license files to fix Licensed CI failures

Update 5 license records that were out of date after the dependency
upgrade:
- brace-expansion: 1.1.12 → 1.1.13
- fast-xml-builder: 1.0.0 → 1.1.4
- fast-xml-parser: 5.4.1 → 5.5.11
- strnum: 2.1.2 → 2.2.3
- path-expression-matcher: add new record (version 1.4.0, new transitive dep)

Rebuild dist/ files to reflect updated lock file

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* feat: upgrade @actions/exec to ^2.0.0 and fix license records

- Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
- Update package-lock.json via npm install
- Run `licensed cache` to regenerate license records:
  - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
  - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
  - Create exec.dep.yml (v2.0.0) - single version now in tree
  - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
- Rebuild dist/ files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)

* setup node in local

* update workflows to remove EOL versions

* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md

* fix copilot suggestion

* update naming
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps,
add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm
mirror, no configurable mirror inputs).
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Walkthrough

This pull request updates package metadata and npm license manifests, changes NODE_AUTH_TOKEN export behavior and cache-save logging with matching tests, revises advanced usage documentation, and pins GitHub Actions workflow steps to specific commit SHAs.

Changes

| Area | Change |
| --- | --- |
| Dependencies | package.json version bump, @actions/* dependency updates, and new undici / fast-xml-parser overrides |
| Licenses | Added, removed, replaced, and version-updated .licenses/npm entries |
| Auth | NODE_AUTH_TOKEN is now exported only when present on process.env |
| Cache | cacheId === -1 handling now logs a debug message before returning |
| Docs | Restore-only cache example rewritten; OIDC publishing section added |
| Workflows | actions/checkout pinned to commit SHAs; pnpm/action-setup pinned in one job |

Sequence Diagram(s)

Not applicable.

Estimated code review effort: 3

Suggested labels: dependencies, documentation, bug-fix

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly matches the main change: syncing the fork with upstream actions/setup-node main. |
| Description check | ✅ Passed | The description is detailed and covers motivation, changes, conflicts, and verification, though it doesn't follow the template headings exactly. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3cbdc523-f3ad-457d-9fcd-72273cb30d0e

📥 Commits

Reviewing files that changed from the base of the PR and between 340069d and 654fbf5.

⛔ Files ignored due to path filters (3)
  • dist/cache-save/index.js is excluded by !**/dist/**
  • dist/setup/index.js is excluded by !**/dist/**
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
  • .licenses/npm/@actions/cache.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/core.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml
  • .licenses/npm/@actions/exec.dep.yml
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/io.dep.yml
  • .licenses/npm/@actions/tool-cache.dep.yml
  • .licenses/npm/@nodable/entities.dep.yml
  • .licenses/npm/anynum.dep.yml
  • .licenses/npm/brace-expansion.dep.yml
  • .licenses/npm/fast-xml-builder.dep.yml
  • .licenses/npm/fast-xml-parser.dep.yml
  • .licenses/npm/is-unsafe.dep.yml
  • .licenses/npm/path-expression-matcher.dep.yml
  • .licenses/npm/strnum.dep.yml
  • .licenses/npm/undici.dep.yml
  • .licenses/npm/xml-naming.dep.yml
  • README.md
  • __tests__/authutil.test.ts
  • __tests__/cache-save.test.ts
  • docs/advanced-usage.md
  • package.json
  • src/authutil.ts
  • src/cache-save.ts
💤 Files with no reviewable changes (3)
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml

Comment thread docs/advanced-usage.md
Comment on lines +332 to +376
**Restore-only cache**

You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.

```yaml
## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# Restore Node.js modules cache (restore-only)
- name: Restore Node modules cache
uses: actions/cache@v5
id: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
# Setup Node.js
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
# Install dependencies
- run: npm install
steps:
- uses: actions/checkout@v6
# - uses: pnpm/action-setup@v6
# with:
# version: 10

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'

- name: Normalize runner architecture
shell: bash
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV

- name: Output of cache path
id: cachepath
shell: bash
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+)
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT

- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}

- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
```
> **Note**: Uncomment the commands relevant to your project's package manager.

> For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm).
> For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache).

## Multiple Operating Systems and Architectures
## Multiple operating systems and architectures
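Review bot: the `build` job in this hunk contains two `steps:` keys (the first above `# Restore Node.js modules cache (restore-only)`, the second at the `- uses: actions/checkout@v6` that precedes the commented `pnpm/action-setup` step), so a reader who copies the snippet gets a YAML document with a duplicate mapping key that will not load. The first block also contradicts the section title: `actions/cache@v5` with `restore-keys` still saves a new entry in its post step whenever the primary key misses, while `actions/cache/restore@v5` in the second block is the restore-only action. Suggest keeping only the second `steps:` block, starting from its `- uses: actions/checkout@v6` line, so the example stays restore-only and parses.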


🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix commented pnpm action version to match documented version.

Line 339 references pnpm/action-setup@v6 in a commented step, but the active pnpm example earlier in this file (line 289) uses pnpm/action-setup@v4. If users uncomment this step, v6 may not exist and will fail. Align the commented version with the working example.

📝 Suggested fix
-# - uses: pnpm/action-setup@v6 
+# - uses: pnpm/action-setup@v4 
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 373-373: Blank line inside blockquote

(MD028, no-blanks-blockquote)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/advanced-usage.md` around lines 332 - 376, The commented pnpm setup step
in the restore-only cache example uses an inconsistent action version, so if it
is uncommented it may break. Update the `pnpm/action-setup` reference in this
snippet to match the working pnpm example used elsewhere in the document,
keeping the commented guidance aligned with the documented `pnpm` workflow.
Locate the fix in the restore-only cache YAML example near the
`pnpm/action-setup` and `pnpm install` entries.

Org policy requires all actions to be pinned to a full-length commit SHA.
- actions/checkout@v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3)
- pnpm/action-setup@v4 -> b906affcce14559ad1aafd4ab0e942779e9f58b1

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/versions.yml (1)

23-23: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider setting persist-credentials: false on checkout steps.

zizmor flags artipacked on every checkout step in this file; these matrix jobs don't push back to the repo, so persisting the token isn't needed.

🔒️ Example fix (apply to each checkout step)
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false

Also applies to: 40-40, 57-57, 76-76, 91-91, 106-106, 121-121, 137-137, 153-153, 166-166

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/versions.yml at line 23, Update each actions/checkout step
in the versions workflow to disable persisted Git credentials by setting
persist-credentials to false; the matrix jobs only read the repo and do not need
the token stored, so apply this to every checkout usage in the workflow.

Source: Linters/SAST tools

.github/workflows/e2e-cache.yml (1)

24-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider setting persist-credentials: false on checkout steps.

zizmor flags every actions/checkout step here for artipacked (credential persistence). None of these test jobs push back to the repo, so the checked-out token isn't needed after checkout.

🔒️ Example fix (apply to each checkout step)
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false

Also applies to: 47-49, 80-80, 112-112, 146-146, 173-173, 200-200, 227-227, 256-256, 281-281

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-cache.yml at line 24, Add persist-credentials: false
to every actions/checkout step in the e2e-cache workflow, since these jobs only
read the repository and do not need the token after checkout. Update each
checkout invocation consistently so the workflow no longer leaves credentials
available for later steps.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/proxy.yml:
- Line 28: The checkout steps in the workflow are leaving the GitHub token
persisted in git config by default. Update both uses of actions/checkout in
proxy.yml to set persist-credentials to false so the jobs only use read access;
this applies to each checkout step in the workflow.

In @.github/workflows/publish-immutable-actions.yml:
- Line 17: The checkout step in the publish workflow is still persisting Git
credentials, which should be disabled for this publish-only job. Update the
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not left available to later steps. Use the existing checkout step
in the publish-immutable-actions workflow as the place to apply this change.

---

Nitpick comments:
In @.github/workflows/e2e-cache.yml:
- Line 24: Add persist-credentials: false to every actions/checkout step in the
e2e-cache workflow, since these jobs only read the repository and do not need
the token after checkout. Update each checkout invocation consistently so the
workflow no longer leaves credentials available for later steps.

In @.github/workflows/versions.yml:
- Line 23: Update each actions/checkout step in the versions workflow to disable
persisted Git credentials by setting persist-credentials to false; the matrix
jobs only read the repo and do not need the token stored, so apply this to every
checkout usage in the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1b3b812e-077a-4008-9d2c-8adba6071f9c

📥 Commits

Reviewing files that changed from the base of the PR and between 654fbf5 and 5242a95.

📒 Files selected for processing (4)
  • .github/workflows/e2e-cache.yml
  • .github/workflows/proxy.yml
  • .github/workflows/publish-immutable-actions.yml
  • .github/workflows/versions.yml

https_proxy: http://squid-proxy:3128
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
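Review bot: the new pin `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` has no trailing version comment. The pinning note in this PR maps that SHA to `v6.0.3`, so write it as `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3`; a bare SHA tells a reviewer nothing about which release it is, and dependency-update tooling relies on that comment to keep the SHA and the human-readable version in step.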


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
sed -n '1,120p' .github/workflows/proxy.yml
```

Repository: rstackjs/setup-node

Length of output: 1442


Disable persisted checkout credentials in both jobs. actions/checkout writes the token into git config by default; these steps only need read access, so set persist-credentials: false on both checkout steps in .github/workflows/proxy.yml.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/proxy.yml at line 28, The checkout steps in the workflow
are leaving the GitHub token persisted in git config by default. Update both
uses of actions/checkout in proxy.yml to set persist-credentials to false so the
jobs only use read access; this applies to each checkout step in the workflow.

Source: Linters/SAST tools

steps:
- name: Checking out
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
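Review bot: this is the publish workflow, so a wrong SHA here pins whatever commit the hash names into the release path. Before merging, confirm that `df4cb1c069e1874edd31b4311f1884172cec0e10` resolves to the `v6.0.3` tag of actions/checkout claimed in the PR's pinning note (for example `git ls-remote --tags https://github.com/actions/checkout refs/tags/v6.0.3`) and record the result in the PR, since a tag-to-SHA mapping is the one thing a later reader cannot verify from the diff alone.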


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# Map the workflow file structure first.
ast-grep outline .github/workflows/publish-immutable-actions.yml --view expanded || true

# Show the workflow with line numbers.
cat -n .github/workflows/publish-immutable-actions.yml

# Inspect other steps in the job for any git/network use that might require checkout credentials.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/publish-immutable-actions.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if any(k in line for k in ['checkout', 'git ', 'gh ', 'push', 'pull', 'fetch', 'submodule', 'publish', 'npm', 'yarn', 'pnpm']):
        print(f"{i}: {line}")
PY
```

Repository: rstackjs/setup-node

Length of output: 971


Stop persisting checkout credentials. This job only checks out the repo before publishing, so persist-credentials: false keeps the checkout token out of the workspace for later steps.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-immutable-actions.yml at line 17, The checkout
step in the publish workflow is still persisting Git credentials, which should
be disabled for this publish-only job. Update the actions/checkout usage in the
workflow to set persist-credentials to false so the token is not left available
to later steps. Use the existing checkout step in the publish-immutable-actions
workflow as the place to apply this change.

Source: Linters/SAST tools
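The review threads above make two repeatable checks: every `actions/checkout` step should set `persist-credentials: false` when the job only reads the repository (the zizmor `artipacked` finding), and the org policy requires every `uses:` reference to be pinned to a full-length commit SHA. The scanner below is an added example, not code from the setup-node fork, CodeRabbit or zizmor. It uses a small line-based parser (no PyYAML dependency) over a constructed sample workflow modelled on the proxy and publish jobs; the sample text, the function names `parse_steps` and `audit`, and the finding labels `unpinned` and `artipacked` are the example's own assumptions.

```python
"""Audit GitHub Actions workflow steps for two weaknesses raised in review:
unpinned `uses:` references and checkout steps that persist credentials.
Added example with a deliberately small line-based parser; not project code."""
import re
from dataclasses import dataclass, field

# Constructed sample: two jobs modelled on the proxy/publish workflows under review.
SAMPLE_WORKFLOW = """\
name: proxy
on: push
jobs:
  proxy:
    runs-on: ubuntu-latest
    env:
      https_proxy: http://squid-proxy:3128
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: '24'
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Build
        run: npm ci && npm run build
"""

STEP_START = re.compile(r"^(\s*)-\s+(\w[\w-]*):\s*(.*)$")  # "- key: value" opens a step
KEY_VALUE = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")         # "key: value" inside a step
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                   # a full-length commit SHA


@dataclass
class Step:
    line: int                 # 1-based line where the step begins
    indent: int               # column of the step's leading dash
    uses: str = ""
    with_: dict = field(default_factory=dict)


def _strip_comment(line: str) -> str:
    """Drop YAML comments: whole-line ones and trailing ' # ...' such as '# v6.0.3'."""
    if line.lstrip().startswith("#"):
        return ""
    cut = line.find(" #")
    return line[:cut] if cut >= 0 else line


def parse_steps(text: str) -> list:
    """Collect each list item that looks like a workflow step, with its `uses:`
    value and the keys of its `with:` block. Assumes the common layout where a
    step's keys are indented deeper than the dash that opens it."""
    steps, cur, with_indent = [], None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        start = STEP_START.match(line)
        if start:
            cur = Step(line=no, indent=len(start.group(1)))
            steps.append(cur)
            with_indent = None
            key, value = start.group(2), start.group(3)
            indent = cur.indent + 2           # the key sits just right of the dash
        elif cur is None or indent <= cur.indent:
            cur, with_indent = None, None     # left the step list (job-level key etc.)
            continue
        else:
            kv = KEY_VALUE.match(line)
            if not kv:
                continue                      # e.g. a body line of a multi-line `run: |`
            key, value = kv.group(2), kv.group(3)
        if with_indent is not None and indent > with_indent:
            cur.with_[key] = value.strip().strip("'\"")
        elif key == "uses":
            cur.uses, with_indent = value.strip(), None
        elif key == "with":
            with_indent = indent
        else:
            with_indent = None
    return steps


def audit(steps: list) -> list:
    """Return (line, finding, uses) tuples. `unpinned`: the ref after '@' is not a
    40-hex SHA. `artipacked`: an actions/checkout step that leaves the token in
    .git/config because persist-credentials is not set to false."""
    findings = []
    for s in steps:
        if not s.uses or s.uses.startswith("./"):
            continue                          # local composite actions carry no ref
        action, _, ref = s.uses.partition("@")
        if not FULL_SHA.match(ref):
            findings.append((s.line, "unpinned", s.uses))
        if action == "actions/checkout" and s.with_.get("persist-credentials") != "false":
            findings.append((s.line, "artipacked", s.uses))
    return findings


if __name__ == "__main__":
    for line, kind, uses in audit(parse_steps(SAMPLE_WORKFLOW)):
        print(f"line {line}: {kind}: {uses}")
```

On the sample, the `proxy` job's checkout step is reported twice (unpinned and artipacked) and its setup-node step once (unpinned), while the `publish` job's SHA-pinned checkout with `persist-credentials: false` produces nothing. The parser only understands the `- uses:` / `- name:` step layouts shown; for a real audit run zizmor or a proper YAML loader, and treat this as the shape of the check rather than a replacement for either.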
