Sync with upstream actions/setup-node (main) #4

Open
stormslowly wants to merge 12 commits into main from update_upstream

Conversation

@stormslowly

Collaborator

Why

Keep this fork in sync with upstream actions/setup-node@main — pulls in dependency upgrades, the new OIDC publishing docs, and other fixes from 11 upstream commits.

What

Merged upstream/main (11 commits) into the fork. Notable conflict resolutions:

  • @actions/* deps — adopted upstream upgrades (http-client 2→3, io 1→2, tool-cache 2→3, glob 0.5.1, cache 5.1.0). Kept our tsx/uuid.
  • official_builds.ts — kept the fork version. Upstream's new mirror/mirrorToken code references NodeInputs fields this fork removed, so taking it would not compile. Hardcoded cnpm-mirror behavior is preserved.
  • Docs — added upstream's "Publishing to npm with Trusted Publisher (OIDC)" section; dropped the "Use private mirror" section (documents mirror/mirror-token inputs this fork does not expose).
  • versions.yml — kept the fork CI matrix (node-version: [17, 19], macos-latest).
  • Generated artifacts: package-lock.json, dist/, and .licenses/ regenerated from source.

Verified locally: tsc --noEmit, ncc build, and jest (141 passed / 3 intentionally-skipped mirror tests) all pass.

Open points for review

  • versions.yml: kept node-version: [17, 19] (upstream bumped to [21, 23]); the matrix also has a duplicated macos-latest runner.
  • tsx / uuid are declared but unused across the codebase — candidates for a follow-up cleanup.

Copilot AI and others added 12 commits April 16, 2026 12:06
* chore: upgrade @actions dependencies and update licenses

- @actions/core: ^1.11.1 → ^2.0.3
- @actions/cache: ^5.0.1 → ^5.0.5
- @actions/glob: ^0.5.0 → ^0.5.1
- @actions/http-client: ^2.2.1 → ^3.0.2
- @actions/tool-cache: ^2.0.2 → ^3.0.1
- @actions/io: ^1.0.2 → ^2.0.0
- Run npm audit fix
- Update license files for new versions
- Rebuild dist files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/872a3dbf-9b85-446b-963b-9127718d9560

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* fix: update license files to fix Licensed CI failures

Update 5 license records that were out of date after the dependency
upgrade:
- brace-expansion: 1.1.12 → 1.1.13
- fast-xml-builder: 1.0.0 → 1.1.4
- fast-xml-parser: 5.4.1 → 5.5.11
- strnum: 2.1.2 → 2.2.3
- path-expression-matcher: add new record (version 1.4.0, new transitive dep)

Rebuild dist/ files to reflect updated lock file

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/fb0e70ce-ad19-48df-88a4-97f3bdc896cb

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

* feat: upgrade @actions/exec to ^2.0.0 and fix license records

- Upgrade @actions/exec from ^1.1.1 to ^2.0.0 in package.json
- Update package-lock.json via npm install
- Run `licensed cache` to regenerate license records:
  - Remove exec-1.1.1.dep.yml and exec-2.0.0.dep.yml (replaced by exec.dep.yml)
  - Remove io-1.1.3.dep.yml and io-2.0.0.dep.yml (replaced by io.dep.yml)
  - Create exec.dep.yml (v2.0.0) - single version now in tree
  - Create io.dep.yml (v2.0.0) - @actions/exec@1.1.1's nested io@1.1.3 removed
- Rebuild dist/ files

Agent-Logs-Url: https://github.com/actions/setup-node/sessions/24a1a530-6840-4445-8262-8342ec739e6d

Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gowridurgad <159780674+gowridurgad@users.noreply.github.com>
…ctions#1533)

* setup node in local

* update workflows to remove EOL versions

* update node-dist versions in versions.yml
* update restore-only cache example in advanced-usage.md

* fix copilot suggestion

* update naming
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
* Only use `mirrorToken` in `getManifest` if it's provided

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Bump @actions/cache to 5.1.0, log cache write denied
Sync with actions/setup-node upstream (11 commits): bump @actions/* deps,
add OIDC publishing docs. Fork customizations preserved (hardcoded cnpm
mirror, no configurable mirror inputs).
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

📝 Walkthrough

This pull request updates package.json version and several @actions/* dependency versions, adds an overrides block for undici and fast-xml-parser, and refreshes corresponding .licenses/npm YAML metadata (updates, additions, removals, and replacements). It modifies src/authutil.ts so NODE_AUTH_TOKEN is only exported when explicitly set, and src/cache-save.ts to use strict equality for cacheId with an added debug log, both with corresponding test updates. Documentation in README.md and docs/advanced-usage.md is updated with a revised restore-only cache example and a new Trusted Publisher (OIDC) publishing guide.

Changes

| Area | Change |
| --- | --- |
| Dependencies | package.json version bump, @actions/* dependency updates, new overrides block; corresponding .licenses/npm yml updates, additions, and removals |
| Auth | Conditional NODE_AUTH_TOKEN export in writeRegistryToFile; tests added |
| Cache | Strict cacheId equality check with debug log in cache-save.ts; test assertion updated |
| Docs | Restore-only cache example rewritten; new OIDC publishing section added to README.md and advanced-usage.md |

Sequence Diagram(s)

Not applicable — changes are dependency/version bumps, license metadata, small conditional logic fixes, and documentation updates without a meaningful multi-component interaction flow.

Estimated code review effort: 🎯 3 (Moderate)

Related issues: None specified.

Related PRs: None specified.

Suggested labels: dependencies, documentation, bug-fix

Suggested reviewers: None specified.

🐰 Poem

A rabbit hopped through yaml trees,
Bumped some versions, licensed leas,
Fixed a token, left it be,
Debugged a cache with -1 key,
Then wrote of OIDC with glee. 🥕

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description has useful context, but it does not follow the required template and is missing the Related issue and checklist sections. | Reformat it to the repo template with Description, Related issue, and checklist items for docs changes and tests updated. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly matches the main change: syncing the fork with upstream actions/setup-node on main. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/advanced-usage.md`:
- Around line 332-376: The commented pnpm setup step in the restore-only cache
example uses an inconsistent action version, so if it is uncommented it may
break. Update the `pnpm/action-setup` reference in this snippet to match the
working pnpm example used elsewhere in the document, keeping the commented
guidance aligned with the documented `pnpm` workflow. Locate the fix in the
restore-only cache YAML example near the `pnpm/action-setup` and `pnpm install`
entries.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3cbdc523-f3ad-457d-9fcd-72273cb30d0e

📥 Commits

Reviewing files that changed from the base of the PR and between 340069d and 654fbf5.

⛔ Files ignored due to path filters (3)
  • dist/cache-save/index.js is excluded by !**/dist/**
  • dist/setup/index.js is excluded by !**/dist/**
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (25)
  • .licenses/npm/@actions/cache.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/core.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml
  • .licenses/npm/@actions/exec.dep.yml
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/io.dep.yml
  • .licenses/npm/@actions/tool-cache.dep.yml
  • .licenses/npm/@nodable/entities.dep.yml
  • .licenses/npm/anynum.dep.yml
  • .licenses/npm/brace-expansion.dep.yml
  • .licenses/npm/fast-xml-builder.dep.yml
  • .licenses/npm/fast-xml-parser.dep.yml
  • .licenses/npm/is-unsafe.dep.yml
  • .licenses/npm/path-expression-matcher.dep.yml
  • .licenses/npm/strnum.dep.yml
  • .licenses/npm/undici.dep.yml
  • .licenses/npm/xml-naming.dep.yml
  • README.md
  • __tests__/authutil.test.ts
  • __tests__/cache-save.test.ts
  • docs/advanced-usage.md
  • package.json
  • src/authutil.ts
  • src/cache-save.ts
💤 Files with no reviewable changes (3)
  • .licenses/npm/@actions/io-1.1.3.dep.yml
  • .licenses/npm/@actions/core-1.11.1.dep.yml
  • .licenses/npm/@actions/exec-1.1.1.dep.yml

Comment thread docs/advanced-usage.md
Comment on lines +332 to +376
**Restore-only cache**

You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.

```yaml
## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# Restore Node.js modules cache (restore-only)
- name: Restore Node modules cache
uses: actions/cache@v5
id: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
# Setup Node.js
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
# Install dependencies
- run: npm install
steps:
- uses: actions/checkout@v6
# - uses: pnpm/action-setup@v6
# with:
# version: 10

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'

- name: Normalize runner architecture
shell: bash
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV

- name: Output of cache path
id: cachepath
shell: bash
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+)
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT

- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}

- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
```
> **Note**: Uncomment the commands relevant to your project's package manager.

> For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm).
> For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache).

## Multiple Operating Systems and Architectures
## Multiple operating systems and architectures
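
Review bot: The `Restore Node cache` step passes `actions/cache/restore@v5` an exact `key` and nothing else, and the surrounding text never says which workflow saves an entry under that `node-cache-` key, so a reader cannot tell where the restored cache comes from. Add a sentence before the YAML naming the job that writes the cache and stating that its key must match this one exactly; as written, a mismatch only shows up as a cache miss followed by a full `npm ci`. Giving the step an `id` (or setting `fail-on-cache-miss`) would let the example surface that case. Separately, the two `run:` lines that append to `$GITHUB_ENV` and `$GITHUB_OUTPUT` leave the variable unquoted; `>> "$GITHUB_OUTPUT"` is the safer form to copy into real workflows.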

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix commented pnpm action version to match documented version.

Line 339 references pnpm/action-setup@v6 in a commented step, but the active pnpm example earlier in this file (line 289) uses pnpm/action-setup@v4. If users uncomment this step, v6 may not exist and will fail. Align the commented version with the working example.

📝 Suggested fix
-# - uses: pnpm/action-setup@v6 
+# - uses: pnpm/action-setup@v4 
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
**Restore-only cache**
You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.
```yaml
## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# Restore Node.js modules cache (restore-only)
- name: Restore Node modules cache
uses: actions/cache@v5
id: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
# Setup Node.js
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
# Install dependencies
- run: npm install
steps:
- uses: actions/checkout@v6
# - uses: pnpm/action-setup@v6
# with:
# version: 10
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Normalize runner architecture
shell: bash
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
- name: Output of cache path
id: cachepath
shell: bash
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+)
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT
- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
```
> **Note**: Uncomment the commands relevant to your project's package manager.
> For more details related to cache scenarios, please refer [Node – npm](https://github.com/actions/cache/blob/main/examples.md#node---npm).
> For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache).
## Multiple Operating Systems and Architectures
## Multiple operating systems and architectures
**Restore-only cache**
You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.
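
Review bot: The suggested change shown above does not contain a `pnpm/action-setup@v4` line; its only reference is still `# - uses: pnpm/action-setup@v6`, and the block ends with the `**Restore-only cache**` heading and intro sentence repeated after the `## Multiple operating systems and architectures` heading. Committing it as shown would not apply the one-line fix described in this comment, so make that edit by hand and check the result against the file rather than using the committable suggestion.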
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 373-373: Blank line inside blockquote

(MD028, no-blanks-blockquote)
