
Sync with upstream actions/setup-node (main)#4

Merged
stormslowly merged 15 commits into main from update_upstream on Jul 2, 2026

Conversation

@stormslowly


Why

Keep this fork in sync with upstream actions/setup-node@main — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What

Merged upstream/main (11 commits) into the fork. Notable conflict resolutions:

  • @actions/* deps — adopted upstream upgrades (http-client 2→3, io 1→2, tool-cache 2→3, glob 0.5.1, cache 5.1.0). Kept our tsx/uuid.
  • official_builds.ts — kept the fork version. Upstream's new mirror/mirrorToken code references NodeInputs fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
  • Docs — added upstream's "Publishing to npm with Trusted Publisher (OIDC)" section; dropped the "Use private mirror" section (documents mirror/mirror-token inputs this fork does not expose).
  • versions.yml — kept the fork CI matrix (node-version: [17, 19], macos-latest).
  • Generated artifacts: package-lock.json, dist/, and .licenses/ regenerated from source.

Verified locally: tsc --noEmit, ncc build, and jest (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review

  • versions.yml: kept node-version: [17, 19] (upstream bumped to [21, 23]); the matrix also has a duplicated macos-latest runner.
  • tsx / uuid are declared but unused across the codebase — candidates for a follow-up cleanup.

Copilot AI and others added 12 commits April 16, 2026 12:06
* chore: upgrade @actions dependencies and update licenses

- @actions/core: ^1.11.1 → ^2.0.3
- @actions/cache: ^5.0.1 → ^5.0.5
- @actions/glob: ^0.5.0 → ^0.5.1
- @actions/http-client: ^2.2.1 → ^3.0.2
- @actions/tool-cache: ^2.0.2 → ^3.0.1
- @actions/io: ^1.0.2 → ^2.0.0
- Run npm audit fix
- Update license files for new versions
- Rebuild dist files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* fix: update license files to fix Licensed CI failures

Update 5 license records that were out of date after the dependency
upgrade:
- brace-expansion: 1.1.12 → 1.1.13
- fast-xml-builder: 1.0.0 → 1.1.4
- fast-xml-parser: 5.4.1 → 5.5.11
- strnum: 2.1.2 → 2.2.3
- path-expression-matcher: add new record (version 1.4.0, new transitive dep)

Rebuild dist/ files to reflect updated lock file

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* feat: upgrade @actions/exec to ^2.0.0 and fix license records

- Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
- Update package-lock.json via npm install
- Run `licensed cache` to regenerate license records:
  - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
  - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
  - Create exec.dep.yml (v2.0.0) - single version now in tree
  - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
- Rebuild dist/ files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)

* setup node in local

* update workflows to remove EOL versions

* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md

* fix copilot suggestion

* update naming
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps,
add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm
mirror, no configurable mirror inputs).
@coderabbitai

coderabbitai Bot commented Jul 1, 2026



Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f3adbabc-7fb7-4a67-8d62-f2ee2b062554

📥 Commits

Reviewing files that changed from the base of the PR and between d8f5032 and d9833ae.

📒 Files selected for processing (11)
  • .github/workflows/check-dist.yml
  • .github/workflows/licensed.yml
  • .licenses/npm/@azure/core-http-compat.dep.yml
  • .licenses/npm/@azure/core-rest-pipeline.dep.yml
  • .licenses/npm/@azure/storage-blob.dep.yml
  • .licenses/npm/@azure/storage-common.dep.yml
  • .licenses/npm/@typespec/ts-http-runtime.dep.yml
  • .licenses/npm/esbuild.dep.yml
  • .licenses/npm/semver-7.7.4.dep.yml
  • .licenses/npm/tsx.dep.yml
  • .licenses/npm/uuid.dep.yml
📝 Walkthrough

Walkthrough

This pull request updates package metadata and npm license manifests, changes NODE_AUTH_TOKEN export behavior and cache-save logging with matching tests, revises advanced usage documentation, and pins GitHub Actions workflow steps to specific commit SHAs.

Changes

Area         | Change
Dependencies | package.json version bump, @actions/* dependency updates, and new undici / fast-xml-parser overrides
Licenses     | Added, removed, replaced, and version-updated .licenses/npm entries
Auth         | NODE_AUTH_TOKEN is now exported only when present on process.env
Cache        | cacheId === -1 handling now logs a debug message before returning
Docs         | Restore-only cache example rewritten; OIDC publishing section added
Workflows    | actions/checkout pinned to commit SHAs; pnpm/action-setup pinned in one job

Sequence Diagram(s)

Not applicable.

Estimated code review effort: 3

Suggested labels: dependencies, documentation, bug-fix

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name         | Status     | Explanation | Resolution
Description check  | ⚠️ Warning | The description is informative, but it does not follow the required template and omits the related issue and checklist sections. | Rewrite it to use the repository template with Description, Related issue, and Check list sections, and mark whether docs/tests were updated.
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name                 | Status    | Explanation
Title check                | ✅ Passed | The title clearly summarizes the main change: syncing the fork with upstream actions/setup-node.
Linked Issues check        | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3cbdc523-f3ad-457d-9fcd-72273cb30d0e

📥 Commits

Reviewing files that changed from the base of the PR and between 340069d and 654fbf5.

⛔ Files ignored due to path filters (3)
  • dist/cache-save/index.js is excluded by !**/dist/**
  • dist/setup/index.js is excluded by !**/dist/**
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
  • .licenses/npm/@actions/cache.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/core.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml
  • .licenses/npm/@actions/exec.dep.yml
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/io.dep.yml
  • .licenses/npm/@actions/tool-cache.dep.yml
  • .licenses/npm/@nodable/entities.dep.yml
  • .licenses/npm/anynum.dep.yml
  • .licenses/npm/brace-expansion.dep.yml
  • .licenses/npm/fast-xml-builder.dep.yml
  • .licenses/npm/fast-xml-parser.dep.yml
  • .licenses/npm/is-unsafe.dep.yml
  • .licenses/npm/path-expression-matcher.dep.yml
  • .licenses/npm/strnum.dep.yml
  • .licenses/npm/undici.dep.yml
  • .licenses/npm/xml-naming.dep.yml
  • README.md
  • __tests__/authutil.test.ts
  • __tests__/cache-save.test.ts
  • docs/advanced-usage.md
  • package.json
  • src/authutil.ts
  • src/cache-save.ts
💤 Files with no reviewable changes (3)
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml

Comment thread docs/advanced-usage.md
Org policy requires all actions to be pinned to a full-length commit SHA.
- actions/checkout@v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3)
- pnpm/action-setup@v4 -> b906affcce14559ad1aafd4ab0e942779e9f58b1

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/versions.yml (1)

23-23: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider setting persist-credentials: false on checkout steps.

zizmor flags artipacked on every checkout step in this file; these matrix jobs don't push back to the repo, so persisting the token isn't needed.

🔒️ Example fix (apply to each checkout step)
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false

Also applies to: 40-40, 57-57, 76-76, 91-91, 106-106, 121-121, 137-137, 153-153, 166-166


Source: Linters/SAST tools

.github/workflows/e2e-cache.yml (1)

24-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider setting persist-credentials: false on checkout steps.

zizmor flags every actions/checkout step here for artipacked (credential persistence). None of these test jobs push back to the repo, so the checked-out token isn't needed after checkout.

🔒️ Example fix (apply to each checkout step)
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false
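Review bot: the "Also applies to" list for this file contains a three-line range (47-49), which suggests that checkout step already carries a `with:` block; for such a step add `persist-credentials: false` under the existing `with:` rather than inserting the two suggested lines as-is, since a second `with:` key on the same step is a duplicate mapping key in YAML.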

Also applies to: 47-49, 80-80, 112-112, 146-146, 173-173, 200-200, 227-227, 256-256, 281-281


Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/proxy.yml:
- Line 28: The checkout steps in the workflow are leaving the GitHub token
persisted in git config by default. Update both uses of actions/checkout in
proxy.yml to set persist-credentials to false so the jobs only use read access;
this applies to each checkout step in the workflow.

In @.github/workflows/publish-immutable-actions.yml:
- Line 17: The checkout step in the publish workflow is still persisting Git
credentials, which should be disabled for this publish-only job. Update the
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not left available to later steps. Use the existing checkout step
in the publish-immutable-actions workflow as the place to apply this change.

---

Nitpick comments:
In @.github/workflows/e2e-cache.yml:
- Line 24: Add persist-credentials: false to every actions/checkout step in the
e2e-cache workflow, since these jobs only read the repository and do not need
the token after checkout. Update each checkout invocation consistently so the
workflow no longer leaves credentials available for later steps.

In @.github/workflows/versions.yml:
- Line 23: Update each actions/checkout step in the versions workflow to disable
persisted Git credentials by setting persist-credentials to false; the matrix
jobs only read the repo and do not need the token stored, so apply this to every
checkout usage in the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1b3b812e-077a-4008-9d2c-8adba6071f9c

📥 Commits

Reviewing files that changed from the base of the PR and between 654fbf5 and 5242a95.

📒 Files selected for processing (4)
  • .github/workflows/e2e-cache.yml
  • .github/workflows/proxy.yml
  • .github/workflows/publish-immutable-actions.yml
  • .github/workflows/versions.yml

Comment thread .github/workflows/proxy.yml
Comment thread .github/workflows/publish-immutable-actions.yml
Replace the external actions/reusable-workflows call (blocked by org
SHA-pin policy, and mutable @main ref) with the same jobs inlined:
- actions/checkout @ df4cb1c0 (v6.0.3)
- actions/setup-node @ 48b55a0 (v6.4.0)
Inputs frozen to the values previously passed (node 24.x, npm cache,
3-OS matrix, audit enabled).

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/basic-validation.yml (1)

15-48: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Add explicit permissions: block.

Static analysis flags this job as using default (overly broad) permissions since no permissions: block is defined. Scope it down to what's actually needed (contents: read should suffice for build/test/audit steps).

🔒 Proposed fix
   build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
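Review bot: the `permissions:` block is inserted at job level under `build:`, so it narrows the token for that job only; a job added to this workflow later without its own block falls back to the repository default scopes. A workflow-level `permissions: contents: read`, with job-level overrides only where a job genuinely needs more, is the more durable placement and still satisfies the `contents: read` scope the comment asks for.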

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/basic-validation.yml:
- Around line 22-23: The Checkout step in the basic-validation workflow is
persisting the GitHub token in the local git config, which static analysis
flags. Update the actions/checkout usage in the workflow to disable credential
persistence by setting persist-credentials to false, since no later step needs
authenticated git access.

---

Outside diff comments:
In @.github/workflows/basic-validation.yml:
- Around line 15-48: The workflow job in basic-validation currently relies on
default GitHub token permissions, which are broader than needed. Add an explicit
permissions block to the build job in basic-validation and scope it to contents:
read, since the Checkout, setup-node, install, lint, build, test, and audit
steps only need repository read access.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: bf2b3b73-fa4c-4c45-becc-c0037511be1e

📥 Commits

Reviewing files that changed from the base of the PR and between 5242a95 and d8f5032.

📒 Files selected for processing (1)
  • .github/workflows/basic-validation.yml

Comment on lines +22 to +23
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set persist-credentials: false on checkout.

Static analysis flags credential persistence (artipacked): the GitHub token is persisted to the local git config for the job's lifetime and could leak via later steps/artifacts. Since no subsequent step needs authenticated git access, disable persistence.

🔒 Proposed fix
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
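Review bot: this hunk covers only the checkout step, while the outside-diff comment on the same file asks for a `permissions:` block on the `build` job; both changes touch the same job, so landing them in one commit keeps the token both unpersisted and read-only rather than fixing one half now and the other later.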
Suggested change
-      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


Source: Linters/SAST tools
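Added example (mine, not part of this thread, and not code from actions/setup-node or this fork): the same three findings recur across the nitpicks on versions.yml and e2e-cache.yml, the outside-diff comment on basic-validation.yml, the artipacked comment just above, and the org SHA-pin commits, so this script checks a workflow file for all of them at once: `uses:` refs that are not a full 40-hex commit SHA, actions/checkout steps without persist-credentials: false, and jobs with neither their own permissions block nor a workflow-level one. It uses a deliberately small line-based parser instead of a YAML library so it runs with plain node. The two workflow samples are constructed; the checkout SHA is the one quoted in this PR, and the setup-node SHA is an all-zero placeholder, not a real commit.

```javascript
// Added example, not code from this PR or from actions/setup-node: a
// dependency-free, line-based audit of workflow text for the three points
// raised in the review: `uses:` refs pinned to a full 40-hex commit SHA,
// actions/checkout steps with persist-credentials: false (zizmor's
// "artipacked"), and an explicit permissions block per job or workflow.
// Assumes the usual two-space layout (jobs at indent 2, job keys at 4,
// step items at 6); it is deliberately not a full YAML parser.
const SHA40 = /^[0-9a-f]{40}$/;

// Returns { topPermissions, jobs: [{ name, permissions, steps: [{ uses, with }] }] }.
function parseWorkflow(text) {
  const wf = { topPermissions: false, jobs: [] };
  let inJobs = false, inSteps = false, inWith = false, withIndent = -1, job = null, step = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\s#.*$/, '').trimEnd(); // drop trailing comments
    const body = line.trim();
    if (!body || body.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {                                   // top-level key
      inJobs = body === 'jobs:';
      if (body.startsWith('permissions:')) wf.topPermissions = true;
      job = step = null; inSteps = false;
    } else if (inJobs && indent === 2 && body.endsWith(':')) { // new job
      wf.jobs.push(job = { name: body.slice(0, -1), permissions: false, steps: [] });
      step = null; inSteps = inWith = false;
    } else if (job && indent === 4) {                     // job-level key
      inSteps = body === 'steps:';
      if (body.startsWith('permissions:')) job.permissions = true;
      step = null; inWith = false;
    } else if (inSteps && body.startsWith('- ')) {        // new step list item
      job.steps.push(step = { uses: body.startsWith('- uses:') ? body.slice(7).trim() : null, with: {} });
      inWith = false;
    } else if (step && inWith && indent > withIndent) {   // key: value under with:
      const sep = body.indexOf(':');
      step.with[body.slice(0, sep).trim()] = body.slice(sep + 1).trim();
    } else if (step) {                                    // other step key
      inWith = false;
      if (body.startsWith('uses:')) step.uses = body.slice(5).trim();
      else if (body === 'with:') { inWith = true; withIndent = indent; }
    }
  }
  return wf;
}

// Runs the three checks; returns one message per finding (empty when clean).
function auditWorkflow(text) {
  const wf = parseWorkflow(text);
  const findings = [];
  for (const job of wf.jobs) {
    if (!job.permissions && !wf.topPermissions) {
      findings.push(`job ${job.name}: no permissions block, GITHUB_TOKEN keeps the default scopes`);
    }
    job.steps.forEach((step, i) => {
      if (!step.uses || step.uses.startsWith('./')) return; // local actions carry no ref
      const at = step.uses.lastIndexOf('@');
      const [action, ref] = at < 0 ? [step.uses, ''] : [step.uses.slice(0, at), step.uses.slice(at + 1)];
      if (!SHA40.test(ref)) {
        findings.push(`job ${job.name} step ${i + 1}: ${step.uses} is not pinned to a full commit SHA`);
      }
      if (action === 'actions/checkout' && step.with['persist-credentials'] !== 'false') {
        findings.push(`job ${job.name} step ${i + 1}: checkout leaves the token in .git/config (artipacked)`);
      }
    });
  }
  return findings;
}

// Constructed sample (not the repository's real workflow) in the unhardened
// shape; single quotes keep `${{ }}` out of JS template interpolation.
const UNHARDENED = [
  'jobs:',
  '  build:',
  '    runs-on: ${{ matrix.os }}',
  '    steps:',
  '      - name: Checkout',
  '        uses: actions/checkout@v6',
  '      - uses: actions/setup-node@v6',
  '        with:',
  '          node-version: 24.x',
].join('\n');

// The same job after the fixes. The checkout SHA is the one quoted in this
// PR; the setup-node SHA is an all-zero placeholder, not a real commit.
const HARDENED = [
  'permissions:',
  '  contents: read',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - name: Checkout',
  '        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3',
  '        with:',
  '          persist-credentials: false',
  '      - uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder',
].join('\n');
console.log('before:', auditWorkflow(UNHARDENED)); // 4 findings
console.log('after:', auditWorkflow(HARDENED));    // []
```

The unhardened sample yields four findings (missing permissions block, unpinned checkout, checkout persisting the token, unpinned setup-node) and the hardened one yields none. The real CI signal here is zizmor, which produced the findings in this thread; the script exists to make visible what each of those three checks actually inspects, and its layout assumption is the reason it only credits persist-credentials when the key sits under the checkout step's own with: block.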

Replace the two remaining external actions/reusable-workflows calls
(blocked by org SHA-pin policy) with the same jobs inlined:
- actions/checkout @ df4cb1c0 (v6.0.3)
- actions/setup-node @ 48b55a0 (v6.4.0)
- actions/upload-artifact @ 330a01c4 (v5.0.0)

Also refresh .licenses records via 'licensed cache': 8 records had
drifted from the regenerated lockfile (azure/typespec/esbuild/tsx/uuid
patch bumps) and 4 stale records removed; 'licensed status' now passes
with 0 errors.
@stormslowly stormslowly merged commit 3ff0cf4 into main Jul 2, 2026
168 of 169 checks passed