Sync with upstream actions/setup-node (main) #4
* chore: upgrade @actions dependencies and update licenses
  - @actions/core: ^1.11.1 → ^2.0.3
  - @actions/cache: ^5.0.1 → ^5.0.5
  - @actions/glob: ^0.5.0 → ^0.5.1
  - @actions/http-client: ^2.2.1 → ^3.0.2
  - @actions/tool-cache: ^2.0.2 → ^3.0.1
  - @actions/io: ^1.0.2 → ^2.0.0
  - Run npm audit fix
  - Update license files for new versions
  - Rebuild dist files
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
* fix: update license files to fix Licensed CI failures
  Update 5 license records that were out of date after the dependency upgrade:
  - brace-expansion: 1.1.12 → 1.1.13
  - fast-xml-builder: 1.0.0 → 1.1.4
  - fast-xml-parser: 5.4.1 → 5.5.11
  - strnum: 2.1.2 → 2.2.3
  - path-expression-matcher: add new record (version 1.4.0, new transitive dep)
  Rebuild dist/ files to reflect updated lock file
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
* feat: upgrade @actions/exec to ^2.0.0 and fix license records
  - Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
  - Update package-lock.json via npm install
  - Run `licensed cache` to regenerate license records:
    - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
    - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
    - Create exec.dep.yml (v2.0.0) - single version now in tree
    - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
  - Rebuild dist/ files
  Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d
  Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)
* setup node in local
* update workflows to remove EOL versions
* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md
* fix copilot suggestion
* update naming
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided
  Signed-off-by: Timo Sand <timo.sand@f-secure.com>
* `npm run build`
  Signed-off-by: Timo Sand <timo.sand@f-secure.com>
---------
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps, add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm mirror, no configurable mirror inputs).
📝 Walkthrough
This pull request updates package.json version and several
Changes
Sequence Diagram(s)
Not applicable — changes are dependency/version bumps, license metadata, small conditional logic fixes, and documentation updates without a meaningful multi-component interaction flow.
Estimated code review effort: 🎯 3 (Moderate)
Related issues: None specified.
Related PRs: None specified.
Suggested labels: dependencies, documentation, bug-fix
Suggested reviewers: None specified.
🐰 Poem
A rabbit hopped through yaml trees,
🚥 Pre-merge checks | ✅ 3 | ❌ 2
❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 3cbdc523-f3ad-457d-9fcd-72273cb30d0e
⛔ Files ignored due to path filters (3)
- dist/cache-save/index.js is excluded by !**/dist/**
- dist/setup/index.js is excluded by !**/dist/**
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
- .licenses/npm/@actions/cache.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/core.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
- .licenses/npm/@actions/exec.dep.yml
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/io.dep.yml
- .licenses/npm/@actions/tool-cache.dep.yml
- .licenses/npm/@nodable/entities.dep.yml
- .licenses/npm/anynum.dep.yml
- .licenses/npm/brace-expansion.dep.yml
- .licenses/npm/fast-xml-builder.dep.yml
- .licenses/npm/fast-xml-parser.dep.yml
- .licenses/npm/is-unsafe.dep.yml
- .licenses/npm/path-expression-matcher.dep.yml
- .licenses/npm/strnum.dep.yml
- .licenses/npm/undici.dep.yml
- .licenses/npm/xml-naming.dep.yml
- README.md
- __tests__/authutil.test.ts
- __tests__/cache-save.test.ts
- docs/advanced-usage.md
- package.json
- src/authutil.ts
- src/cache-save.ts
💤 Files with no reviewable changes (3)
- .licenses/npm/@actions/io-1.1.3.dep.yml
- .licenses/npm/@actions/core-1.11.1.dep.yml
- .licenses/npm/@actions/exec-1.1.1.dep.yml
| **Restore-only cache** | ||
|
|
||
| You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows. | ||
|
|
||
| ```yaml | ||
| ## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| # Restore Node.js modules cache (restore-only) | ||
| - name: Restore Node modules cache | ||
| uses: actions/cache@v5 | ||
| id: cache-node-modules | ||
| with: | ||
| path: ~/.npm | ||
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-node- | ||
| # Setup Node.js | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| # Install dependencies | ||
| - run: npm install | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| # - uses: pnpm/action-setup@v6 | ||
| # with: | ||
| # version: 10 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
|
|
||
| - name: Normalize runner architecture | ||
| shell: bash | ||
| run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | ||
|
|
||
| - name: Output of cache path | ||
| id: cachepath | ||
| shell: bash | ||
| run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT | ||
| # run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT | ||
| # For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+) | ||
| # run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Restore Node cache | ||
| uses: actions/cache/restore@v5 | ||
| with: | ||
| path: ${{ steps.cachepath.outputs.path }} | ||
| key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }} | ||
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }} | ||
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} | ||
|
|
||
| - run: npm ci | ||
| # - run: yarn install --frozen-lockfile # optional, --immutable | ||
| # - run: pnpm install | ||
| ``` | ||
| > **Note**: Uncomment the commands relevant to your project's package manager. | ||
|
|
||
| > For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm). | ||
| > For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache). | ||
|
|
||
| ## Multiple Operating Systems and Architectures | ||
| ## Multiple operating systems and architectures |
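Review bot: the `Restore Node cache` step matches only on the full key `node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}` and sets no `restore-keys`, so this job gets a hit only when some other job has already saved a cache under exactly that key, and the example never says which one does. Add a sentence or a YAML comment naming the workflow that writes the cache, and state that after a lockfile change `npm ci` runs cold until that workflow has saved a new entry.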
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Fix commented pnpm action version to match documented version.
Line 339 references pnpm/action-setup@v6 in a commented step, but the active pnpm example earlier in this file (line 289) uses pnpm/action-setup@v4. If users uncomment this step, v6 may not exist and will fail. Align the commented version with the working example.
📝 Suggested fix
-# - uses: pnpm/action-setup@v6
+# - uses: pnpm/action-setup@v4
📝 Committable suggestion
| **Restore-only cache** | |
| You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows. | |
| ```yaml | |
| ## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| # Restore Node.js modules cache (restore-only) | |
| - name: Restore Node modules cache | |
| uses: actions/cache@v5 | |
| id: cache-node-modules | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| # Setup Node.js | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '24' | |
| # Install dependencies | |
| - run: npm install | |
| steps: | |
| - uses: actions/checkout@v6 | |
| # - uses: pnpm/action-setup@v6 | |
| # with: | |
| # version: 10 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '24' | |
| - name: Normalize runner architecture | |
| shell: bash | |
| run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - name: Output of cache path | |
| id: cachepath | |
| shell: bash | |
| run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT | |
| # run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT | |
| # For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+) | |
| # run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT | |
| - name: Restore Node cache | |
| uses: actions/cache/restore@v5 | |
| with: | |
| path: ${{ steps.cachepath.outputs.path }} | |
| key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }} | |
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }} | |
| # key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| - run: npm ci | |
| # - run: yarn install --frozen-lockfile # optional, --immutable | |
| # - run: pnpm install | |
| ``` | |
| > **Note**: Uncomment the commands relevant to your project's package manager. | |
| > For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm). | |
| > For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache). | |
| ## Multiple Operating Systems and Architectures | |
| ## Multiple operating systems and architectures | |
| **Restore-only cache** | |
| You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows. | |
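Review bot: in the `Normalize runner architecture` and `Output of cache path` steps the redirect targets `$GITHUB_ENV` and `$GITHUB_OUTPUT` are unquoted, so under `shell: bash` a runner file path containing whitespace fails as an ambiguous redirect. Write `>> "$GITHUB_ENV"` and `>> "$GITHUB_OUTPUT"`, and apply the same quoting to the commented pnpm and yarn variants so they stay correct when uncommented.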
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 373-373: Blank line inside blockquote
(MD028, no-blanks-blockquote)
Why
Keep this fork in sync with upstream `actions/setup-node@main` — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What
Merged `upstream/main` (11 commits) into the fork. Notable conflict resolutions:
- `@actions/*` deps — adopted upstream upgrades (`http-client` 2→3, `io` 1→2, `tool-cache` 2→3, `glob` 0.5.1, `cache` 5.1.0). Kept our `tsx`/`uuid`.
- `official_builds.ts` — kept the fork version. Upstream's new `mirror`/`mirrorToken` code references `NodeInputs` fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
- `mirror`/`mirror-token` inputs this fork does not expose).
- `versions.yml` — kept the fork CI matrix (`node-version: [17, 19]`, `macos-latest`).
- `package-lock.json`, `dist/`, and `.licenses/` regenerated from source.

Verified locally: `tsc --noEmit`, `ncc build`, and `jest` (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review
- `versions.yml`: kept `node-version: [17, 19]` (upstream bumped to `[21, 23]`); the matrix also has a duplicated `macos-latest` runner.
- `tsx`/`uuid` are declared but unused across the codebase — candidates for a follow-up cleanup.