Sync with upstream actions/setup-node (main) #4
* chore: upgrade @actions dependencies and update licenses
  - @actions/core: ^1.11.1 → ^2.0.3
  - @actions/cache: ^5.0.1 → ^5.0.5
  - @actions/glob: ^0.5.0 → ^0.5.1
  - @actions/http-client: ^2.2.1 → ^3.0.2
  - @actions/tool-cache: ^2.0.2 → ^3.0.1
  - @actions/io: ^1.0.2 → ^2.0.0
  - Run npm audit fix
  - Update license files for new versions
  - Rebuild dist files
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
* fix: update license files to fix Licensed CI failures
  Update 5 license records that were out of date after the dependency upgrade:
  - brace-expansion: 1.1.12 → 1.1.13
  - fast-xml-builder: 1.0.0 → 1.1.4
  - fast-xml-parser: 5.4.1 → 5.5.11
  - strnum: 2.1.2 → 2.2.3
  - path-expression-matcher: add new record (version 1.4.0, new transitive dep)
  Rebuild dist/ files to reflect updated lock file
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
* feat: upgrade @actions/exec to ^2.0.0 and fix license records
  - Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
  - Update package-lock.json via npm install
  - Run `licensed cache` to regenerate license records:
    - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
    - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
    - Create exec.dep.yml (v2.0.0) - single version now in tree
    - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
  - Rebuild dist/ files
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)
* setup node in local
* update workflows to remove EOL versions
* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md
* fix copilot suggestion
* update naming
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided
  Signed-off-by: Timo Sand <timo.sand@f-secure.com>
* `npm run build`
  Signed-off-by: Timo Sand <timo.sand@f-secure.com>
---------
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps, add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm mirror, no configurable mirror inputs).
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 3cbdc523-f3ad-457d-9fcd-72273cb30d0e
⛔ Files ignored due to path filters (3)
- dist/cache-save/index.js is excluded by !**/dist/**
- dist/setup/index.js is excluded by !**/dist/**
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
- .licenses/npm/@actions/cache.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/core.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
- .licenses/npm/@actions/exec.dep.yml
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/io.dep.yml
- .licenses/npm/@actions/tool-cache.dep.yml
- .licenses/npm/@nodable/entities.dep.yml
- .licenses/npm/anynum.dep.yml
- .licenses/npm/brace-expansion.dep.yml
- .licenses/npm/fast-xml-builder.dep.yml
- .licenses/npm/fast-xml-parser.dep.yml
- .licenses/npm/is-unsafe.dep.yml
- .licenses/npm/path-expression-matcher.dep.yml
- .licenses/npm/strnum.dep.yml
- .licenses/npm/undici.dep.yml
- .licenses/npm/xml-naming.dep.yml
- README.md
- __tests__/authutil.test.ts
- __tests__/cache-save.test.ts
- docs/advanced-usage.md
- package.json
- src/authutil.ts
- src/cache-save.ts
💤 Files with no reviewable changes (3)
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
Org policy requires all actions to be pinned to a full-length commit SHA.
- actions/checkout@v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3)
- pnpm/action-setup@v4 -> b906affcce14559ad1aafd4ab0e942779e9f58b1
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/versions.yml (1)
23-23: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Consider setting `persist-credentials: false` on checkout steps.
zizmor flags `artipacked` on every checkout step in this file; these matrix jobs don't push back to the repo, so persisting the token isn't needed.
🔒️ Example fix (apply to each checkout step)
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: falseAlso applies to: 40-40, 57-57, 76-76, 91-91, 106-106, 121-121, 137-137, 153-153, 166-166
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/versions.yml at line 23, Update each actions/checkout step in the versions workflow to disable persisted Git credentials by setting persist-credentials to false; the matrix jobs only read the repo and do not need the token stored, so apply this to every checkout usage in the workflow.
Source: Linters/SAST tools
.github/workflows/e2e-cache.yml (1)
24-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Consider setting `persist-credentials: false` on checkout steps.
zizmor flags every `actions/checkout` step here for `artipacked` (credential persistence). None of these test jobs push back to the repo, so the checked-out token isn't needed after checkout.
🔒️ Example fix (apply to each checkout step)
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: falseAlso applies to: 47-49, 80-80, 112-112, 146-146, 173-173, 200-200, 227-227, 256-256, 281-281
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/e2e-cache.yml at line 24, Add persist-credentials: false to every actions/checkout step in the e2e-cache workflow, since these jobs only read the repository and do not need the token after checkout. Update each checkout invocation consistently so the workflow no longer leaves credentials available for later steps.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/proxy.yml:
- Line 28: The checkout steps in the workflow are leaving the GitHub token
persisted in git config by default. Update both uses of actions/checkout in
proxy.yml to set persist-credentials to false so the jobs only use read access;
this applies to each checkout step in the workflow.
In @.github/workflows/publish-immutable-actions.yml:
- Line 17: The checkout step in the publish workflow is still persisting Git
credentials, which should be disabled for this publish-only job. Update the
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not left available to later steps. Use the existing checkout step
in the publish-immutable-actions workflow as the place to apply this change.
---
Nitpick comments:
In @.github/workflows/e2e-cache.yml:
- Line 24: Add persist-credentials: false to every actions/checkout step in the
e2e-cache workflow, since these jobs only read the repository and do not need
the token after checkout. Update each checkout invocation consistently so the
workflow no longer leaves credentials available for later steps.
In @.github/workflows/versions.yml:
- Line 23: Update each actions/checkout step in the versions workflow to disable
persisted Git credentials by setting persist-credentials to false; the matrix
jobs only read the repo and do not need the token stored, so apply this to every
checkout usage in the workflow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 1b3b812e-077a-4008-9d2c-8adba6071f9c
📒 Files selected for processing (4)
- .github/workflows/e2e-cache.yml
- .github/workflows/proxy.yml
- .github/workflows/publish-immutable-actions.yml
- .github/workflows/versions.yml
Replace the external actions/reusable-workflows call (blocked by org SHA-pin policy, and mutable @main ref) with the same jobs inlined:
- actions/checkout @ df4cb1c0 (v6.0.3)
- actions/setup-node @ 48b55a0 (v6.4.0)
Inputs frozen to the values previously passed (node 24.x, npm cache, 3-OS matrix, audit enabled).
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/basic-validation.yml (1)
15-48: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Add explicit `permissions:` block.
Static analysis flags this job as using default (overly broad) permissions since no `permissions:` block is defined. Scope it down to what's actually needed (`contents: read` should suffice for build/test/audit steps).
🔒 Proposed fix
build: runs-on: ${{ matrix.os }} + permissions: + contents: read strategy:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/basic-validation.yml around lines 15 - 48, The workflow job in basic-validation currently relies on default GitHub token permissions, which are broader than needed. Add an explicit permissions block to the build job in basic-validation and scope it to contents: read, since the Checkout, setup-node, install, lint, build, test, and audit steps only need repository read access.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/basic-validation.yml:
- Around line 22-23: The Checkout step in the basic-validation workflow is
persisting the GitHub token in the local git config, which static analysis
flags. Update the actions/checkout usage in the workflow to disable credential
persistence by setting persist-credentials to false, since no later step needs
authenticated git access.
---
Outside diff comments:
In @.github/workflows/basic-validation.yml:
- Around line 15-48: The workflow job in basic-validation currently relies on
default GitHub token permissions, which are broader than needed. Add an explicit
permissions block to the build job in basic-validation and scope it to contents:
read, since the Checkout, setup-node, install, lint, build, test, and audit
steps only need repository read access.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: bf2b3b73-fa4c-4c45-becc-c0037511be1e
📒 Files selected for processing (1)
.github/workflows/basic-validation.yml
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Set persist-credentials: false on checkout.
Static analysis flags credential persistence (artipacked): the GitHub token is persisted to the local git config for the job's lifetime and could leak via later steps/artifacts. Since no subsequent step needs authenticated git access, disable persistence.
🔒 Proposed fix
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false📝 Committable suggestion
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
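Review bot: The suggested `with:` block is the right fix for this Checkout step, but the same artipacked finding is raised above for the checkout steps in proxy.yml, publish-immutable-actions.yml, e2e-cache.yml and versions.yml; apply `persist-credentials: false` to each of those in the same change, so that no job that only needs read access leaves the token in the local git config.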
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/basic-validation.yml around lines 22 - 23, The Checkout
step in the basic-validation workflow is persisting the GitHub token in the
local git config, which static analysis flags. Update the actions/checkout usage
in the workflow to disable credential persistence by setting persist-credentials
to false, since no later step needs authenticated git access.
Source: Linters/SAST tools
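As an added illustration of the two findings this thread keeps raising (actions not pinned to a full-length commit SHA, and checkout steps that persist the token), here is a small line-based audit script; it is not part of the fork, of zizmor or of CodeRabbit. The two workflow fragments it scans are constructed samples; the pinned SHAs in the hardened one are the ones quoted in the SHA-pin commit above.

```python
import re

# Constructed sample workflows (not the fork's files): the first has the shape the org SHA-pin
# policy and zizmor's "artipacked" finding object to; the second is the hardened form.
WORKFLOW_BEFORE = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
"""
WORKFLOW_AFTER = """\
jobs:
  build:
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
"""
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*([^\s#]+)")  # indent, optional "- ", action ref
SHA_RE = re.compile(r"@[0-9a-f]{40}$")                    # pinned to a full-length commit SHA

def _step_persists_credentials(lines, start, key_indent):
    # True unless the rest of this step (lines indented >= key_indent) sets persist-credentials: false.
    for line in lines[start:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) < key_indent:
            break  # dedent means the step's `with:` block (if any) has ended
        if re.match(r"\s*persist-credentials:\s*false\b", line):
            return False
    return True

def audit_workflow(text):
    """[(line_no, finding)] for unpinned `uses:` refs and checkout steps keeping the token."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(3)
        if not SHA_RE.search(ref):
            findings.append((i + 1, f"unpinned action: {ref}"))
        if ref.startswith("actions/checkout@"):
            key_indent = len(m.group(1)) + len(m.group(2) or "")  # column of the step's keys
            if _step_persists_credentials(lines, i + 1, key_indent):
                findings.append((i + 1, "checkout persists credentials: set persist-credentials: false"))
    return findings
```

Real workflows can use quoted or multi-line `uses:` forms this scanner does not parse, so treat it as a first pass, not a replacement for zizmor.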
Replace the two remaining external actions/reusable-workflows calls (blocked by org SHA-pin policy) with the same jobs inlined:
- actions/checkout @ df4cb1c0 (v6.0.3)
- actions/setup-node @ 48b55a0 (v6.4.0)
- actions/upload-artifact @ 330a01c4 (v5.0.0)
Also refresh .licenses records via 'licensed cache': 8 records had drifted from the regenerated lockfile (azure/typespec/esbuild/tsx/uuid patch bumps) and 4 stale records removed; 'licensed status' now passes with 0 errors.
Why
Keep this fork in sync with upstream `actions/setup-node@main` — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What
Merged `upstream/main` (11 commits) into the fork. Notable conflict resolutions:
- `@actions/*` deps — adopted upstream upgrades (`http-client` 2→3, `io` 1→2, `tool-cache` 2→3, `glob` 0.5.1, `cache` 5.1.0). Kept our `tsx`/`uuid`.
- `official_builds.ts` — kept the fork version. Upstream's new `mirror`/`mirrorToken` code references `NodeInputs` fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
- `mirror`/`mirror-token` inputs this fork does not expose).
- `versions.yml` — kept the fork CI matrix (`node-version: [17, 19]`, `macos-latest`).
- `package-lock.json`, `dist/`, and `.licenses/` regenerated from source.

Verified locally: `tsc --noEmit`, `ncc build`, and `jest` (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review
- `versions.yml`: kept `node-version: [17, 19]` (upstream bumped to `[21, 23]`); the matrix also has a duplicated `macos-latest` runner.
- `tsx`/`uuid` are declared but unused across the codebase — candidates for a follow-up cleanup.