Enhance cache-dependency-path handling to support files outside the workspace root #1128

Merged

aparnajyothi-y
Contributor

Description:
This PR enhances cacheDependencies in setup-python to properly handle cases where the cache-dependency-path file is located outside the workspace root also.

Related issue:
#476
#361

Check list:

[ X ] Mark if documentation changes are required.
[ X ] Mark if tests were added or updated to cover the changes.

@Copilot Copilot AI review requested due to automatic review settings June 9, 2025 08:18
@aparnajyothi-y aparnajyothi-y requested a review from a team as a code owner June 9, 2025 08:18

@Copilot Copilot AI left a comment

Pull Request Overview

Enhance the cacheDependencies action to support dependency files located outside the workspace by copying them into the workspace root before caching.

  • Exported cacheDependencies and added logic to resolve, copy, and log external dependency files.
  • Updated documentation to note support for external paths.
  • Added unit tests covering file copying, missing file warnings, and copy errors.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/setup-python.ts | Exported cacheDependencies, added resolution and copy logic for external cache-dependency-path. |
| docs/advanced-usage.md | Added note about external-path support for cache-dependency-path. |
| tests/setup-python.test.ts | Added tests for copying dependencies, missing files, copy failures, and skipping when no input. |

Comments suppressed due to low confidence (2)

src/setup-python.ts:67

  • The code computes resolvedDependencyPath but still passes the original cacheDependencyPath to getCacheDistributor, so the distributor won’t use the copied file location. Consider passing resolvedDependencyPath (or falling back to cacheDependencyPath) as the dependency-path argument.
const cacheDistributor = getCacheDistributor(

tests/setup-python.test.ts:59

  • Add a test case for when cache-dependency-path points to a file already inside the workspace (sourcePath === targetPath) to ensure the logic skips copying but still sets the resolved path correctly.
it('copies the dependency file and resolves the path with directory structure', async () => {

@HarithaVattikuti HarithaVattikuti merged commit 1264885 into actions:main Jun 25, 2025
1089 checks passed
@PeterJCLaw

Hi folks, apologies for not reviewing this sooner after the request for reviews, however I believe there are two potential failure modes with this change:

  • files outside the workspace, but not from a composite action will still fail (I don't think they'll get copied, so perhaps this isn't new and is just accepted?)
  • if the file path from a composite action happens to match the workspace relative path to a file which the end-user (i.e: user of the composite action) also has a file, then that user's file will be overwritten in a potentially surprising and hard-to-workaround manner

For the latter, consider the following:

  • composite action passes e.g: cache-dependency-path: requirements.txt (with or without ${{ github.action_path }})
  • the sourcePath will be like /home/runner/work/_actions/USER/REPO/BRANCH/requirements.txt
  • the relativePath will be requirements.txt
  • the targetPath will be like /github/workspace/requirements.txt

If the end-user has checked out their own project to the workspace root (as is typical and the default of actions/checkout) then they could very well already have a file at /github/workspace/requirements.txt which is overwritten.

I've put together a demo of this at https://github.com/PeterJCLaw/test-setup-python-1128/actions/runs/16059637945. Since requirements.txt is a very common name for this file, clashes here seem quite likely.

Based on this I would encourage that this PR be reverted (sorry) before the next release as it is likely to be breaking in a confusing way for many users.
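
The clash described in the comment above, as an added TypeScript example that is not part of the PR or of setup-python: it derives sourcePath, relativePath and targetPath as the comment lists them and reports whether an unconditional copy would replace a different file already in the workspace. The function name, the in-memory file table and the sample contents are constructed for illustration, and the path derivation is assumed from the comment rather than taken from the merged code.

```typescript
import * as path from 'path';

// Added example, not setup-python's code. The path derivation is assumed from
// the comment above; function, type and parameter names are hypothetical.
const p = path.posix; // runner paths are POSIX-style; results are OS-independent

type Verdict = 'in-place' | 'copy' | 'clash' | 'outside-workspace';

interface CopyPlan {
  sourcePath: string;
  relativePath: string;
  targetPath: string;
  verdict: Verdict;
}

// files: constructed in-memory stand-in for the runner's disk (path -> content).
function planDependencyCopy(
  actionPath: string,
  workspace: string,
  cacheDependencyPath: string,
  files: Readonly<Record<string, string>>
): CopyPlan {
  const sourcePath = p.resolve(actionPath, cacheDependencyPath);
  const relativePath = p.relative(actionPath, sourcePath);
  const targetPath = p.resolve(workspace, relativePath);

  let verdict: Verdict;
  if (p.relative(workspace, targetPath).split('/')[0] === '..') {
    verdict = 'outside-workspace'; // target is not under the workspace
  } else if (sourcePath === targetPath) {
    verdict = 'in-place'; // already a workspace file, nothing to copy
  } else if (files[targetPath] !== undefined && files[targetPath] !== files[sourcePath]) {
    verdict = 'clash'; // an unconditional copy would replace the user's file
  } else {
    verdict = 'copy';
  }
  return {sourcePath, relativePath, targetPath, verdict};
}

// Constructed sample: the action's own file and the end-user's checkout.
const ACTION = '/home/runner/work/_actions/USER/REPO/BRANCH';
const WORKSPACE = '/github/workspace';
const SAMPLE_FILES: Record<string, string> = {
  [`${ACTION}/requirements.txt`]: 'action-tooling==1.0\n',
  [`${WORKSPACE}/requirements.txt`]: 'django==5.0\n'
};

console.log(planDependencyCopy(ACTION, WORKSPACE, 'requirements.txt', SAMPLE_FILES));
```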
