Compare commits

...

10 Commits

Author SHA1 Message Date
Chiranjib Swain 7c2c68d20d docs: Update caching recommendations to mitigate cache poisoning risks (#1567)
* docs: Update caching recommendations to mitigate cache poisoning risks

* docs: Disable automatic npm caching to mitigate cache poisoning risks
2026-07-02 13:14:10 -05:00
Bassem Dghaidi 6a61c0375d Merge pull request #1569 from jasongin/update-actions-cache-5.1.0
Bump @actions/cache to 5.1.0, log cache write denied
2026-06-23 11:19:27 +02:00
Jason Ginchereau 30eb73b41d Resolve high-severity audit issues 2026-06-18 17:59:56 -07:00
Jason Ginchereau 4e1a87a501 Update dist 2026-06-18 15:55:36 -07:00
Jason Ginchereau 360237f0c0 Strict equality 2026-06-18 15:46:26 -07:00
Jason Ginchereau 4f8aac5beb Bump @actions/cache to 5.1.0, log cache write denied 2026-06-18 15:18:53 -07:00
Timo Sand f4a67bbeca Only use mirrorToken in getManifest if it's provided (#1548)
* Only use `mirrorToken` in `getManifest` if it's provided

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

* `npm run build`

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

---------

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
2026-06-09 11:03:18 -05:00
gowridurgad 0355742c94 Remove dummy NODE_AUTH_TOKEN export (#1558)
Co-authored-by: gowridurgad <gowridurgad@gmail.com>
2026-05-27 21:56:31 -05:00
priya-kinthali ad1b57eb81 docs: Update restore-only cache documentation (#1550)
* update restore-only cache example in advanced-usage.md

* fix copilot suggestion

* update naming
2026-05-26 17:51:36 -05:00
Chiranjib Swain 670825a89d Add documentation for publishing to npm with Trusted Publisher (OIDC) (#1536) 2026-04-22 21:58:57 -05:00
22 changed files with 1474 additions and 24689 deletions
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: "@actions/cache" name: "@actions/cache"
version: 5.0.5 version: 5.1.0
type: npm type: npm
summary: Actions cache lib summary: Actions cache lib
homepage: https://github.com/actions/toolkit/tree/main/packages/cache homepage: https://github.com/actions/toolkit/tree/main/packages/cache
-30
View File
@@ -1,30 +0,0 @@
---
name: "@fastify/busboy"
version: 2.1.1
type: npm
summary: A streaming parser for HTML form data for node.js
homepage:
license: mit
licenses:
- sources: LICENSE
text: |-
Copyright Brian White. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
notices: []
+11
View File
@@ -0,0 +1,11 @@
---
name: "@nodable/entities"
version: 2.2.0
type: npm
summary: Entity parser for XML, HTML, External entites with security and NCR control
homepage:
license: mit
licenses:
- sources: README.md
text: MIT
notices: []
@@ -1,16 +1,17 @@
--- ---
name: undici name: anynum
version: 6.24.1 version: 1.0.1
type: npm type: npm
summary: An HTTP/1.1 client, written from scratch for Node.js summary: Normalize all Unicode decimal digits (Devanagari, Arabic, Thai, etc.) to
homepage: https://undici.nodejs.org ASCII numerals. Zero dependencies, performance-first.
homepage:
license: mit license: mit
licenses: licenses:
- sources: LICENSE - sources: LICENSE
text: | text: |
MIT License MIT License
Copyright (c) Matteo Collina and Undici contributors Copyright (c) 2026 Natural Intelligence
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: fast-xml-builder name: fast-xml-builder
version: 1.1.4 version: 1.2.0
type: npm type: npm
summary: Build XML from JSON without C/C++ based libraries summary: Build XML from JSON without C/C++ based libraries
homepage: homepage:
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: fast-xml-parser name: fast-xml-parser
version: 5.5.11 version: 5.9.2
type: npm type: npm
summary: Validate XML, Parse XML, Build XML without C/C++ based libraries summary: Validate XML, Parse XML, Build XML without C/C++ based libraries
homepage: homepage:
+35
View File
@@ -0,0 +1,35 @@
---
name: is-unsafe
version: 1.0.1
type: npm
summary: Zero-dependency, DOM-free, pure predicate for detecting unsafe strings across
HTML, XML, SVG, SQL, SHELL, and REGEX contexts
homepage:
license: mit
licenses:
- sources: LICENSE
text: |
MIT License
Copyright (c) 2026 Natural Intelligence
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
- sources: README.md
text: MIT
notices: []
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: path-expression-matcher name: path-expression-matcher
version: 1.4.0 version: 1.5.0
type: npm type: npm
summary: Efficient path tracking and pattern matching for XML/JSON parsers summary: Efficient path tracking and pattern matching for XML/JSON parsers
homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
name: strnum name: strnum
version: 2.2.3 version: 2.4.1
type: npm type: npm
summary: Parse String to Number based on configuration summary: Parse String to Number based on configuration
homepage: homepage:
@@ -1,6 +1,6 @@
--- ---
name: undici name: undici
version: 5.29.0 version: 6.27.0
type: npm type: npm
summary: An HTTP/1.1 client, written from scratch for Node.js summary: An HTTP/1.1 client, written from scratch for Node.js
homepage: https://undici.nodejs.org homepage: https://undici.nodejs.org
+12
View File
@@ -0,0 +1,12 @@
---
name: xml-naming
version: 0.1.0
type: npm
summary: Validates XML name productions — Name, NCName, QName, NMToken, NMTokens —
for XML 1.0 and 1.1
homepage:
license: mit
licenses:
- sources: README.md
text: MIT
notices: []
+4
View File
@@ -119,6 +119,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -217,6 +218,7 @@ jobs:
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: ${{ matrix.node }} node-version: ${{ matrix.node }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -232,6 +234,7 @@ uses: actions/setup-node@v6
with: with:
token: ${{ secrets.GH_DOTCOM_TOKEN }} token: ${{ secrets.GH_DOTCOM_TOKEN }}
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
``` ```
If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.
@@ -249,6 +252,7 @@ If the runner is not able to access github.com, any Nodejs versions requested du
- [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm) - [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm)
- [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn) - [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn)
- [Using private packages](docs/advanced-usage.md#use-private-packages) - [Using private packages](docs/advanced-usage.md#use-private-packages)
- [Publishing to npm with Trusted Publisher (OIDC)](docs/advanced-usage.md#publishing-to-npm-with-trusted-publisher-oidc)
- [Using private mirror](docs/advanced-usage.md#use-private-mirror) - [Using private mirror](docs/advanced-usage.md#use-private-mirror)
## Recommended permissions ## Recommended permissions
+21
View File
@@ -118,6 +118,27 @@ describe('authutil tests', () => {
expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar'); expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar');
}); });
it('should not export NODE_AUTH_TOKEN if not set in environment', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
delete process.env.NODE_AUTH_TOKEN;
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
const rc = readRcFile(rcFile);
expect(rc['registry']).toBe('https://registry.npmjs.org/');
expect(exportSpy).not.toHaveBeenCalledWith(
'NODE_AUTH_TOKEN',
expect.anything()
);
});
it('should export NODE_AUTH_TOKEN if set to empty string', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
process.env.NODE_AUTH_TOKEN = '';
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
expect(exportSpy).toHaveBeenCalledWith('NODE_AUTH_TOKEN', '');
});
it('configAuthentication should overwrite non-scoped with non-scoped', async () => { it('configAuthentication should overwrite non-scoped with non-scoped', async () => {
fs.writeFileSync(rcFile, 'registry=NNN'); fs.writeFileSync(rcFile, 'registry=NNN');
await auth.configAuthentication('https://registry.npmjs.org/'); await auth.configAuthentication('https://registry.npmjs.org/');
+3 -1
View File
@@ -343,7 +343,9 @@ describe('run', () => {
expect(getInputSpy).not.toHaveBeenCalled(); expect(getInputSpy).not.toHaveBeenCalled();
expect(getStateSpy).toHaveBeenCalledTimes(4); expect(getStateSpy).toHaveBeenCalledTimes(4);
expect(getCommandOutputSpy).toHaveBeenCalledTimes(0); expect(getCommandOutputSpy).toHaveBeenCalledTimes(0);
expect(debugSpy).toHaveBeenCalledTimes(0); expect(debugSpy).toHaveBeenLastCalledWith(
`Cache was not saved for the key: ${yarnFileHash}`
);
expect(infoSpy).not.toHaveBeenCalledWith( expect(infoSpy).not.toHaveBeenCalledWith(
`Cache hit occurred on the primary key ${npmFileHash}, not saving cache.` `Cache hit occurred on the primary key ${npmFileHash}, not saving cache.`
); );
+335 -97
View File
File diff suppressed because one or more lines are too long
+342 -23975
View File
File diff suppressed because one or more lines are too long
+96 -20
View File
@@ -69,6 +69,7 @@ steps:
with: with:
node-version: '24' node-version: '24'
check-latest: true check-latest: true
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -86,6 +87,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version-file: '.nvmrc' node-version-file: '.nvmrc'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -131,6 +133,7 @@ jobs:
with: with:
node-version: '24' node-version: '24'
architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -151,6 +154,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0 node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -166,6 +170,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24 node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -182,6 +187,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 'v24.0.0-v8-canary2025030537242e55ac' node-version: 'v24.0.0-v8-canary2025030537242e55ac'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -202,6 +208,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-nightly' # it will install the latest nightly release for node 24 node-version: '24-nightly' # it will install the latest nightly release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -218,6 +225,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0 node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -234,6 +242,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly202505066102159fa1' node-version: '24.0.0-nightly202505066102159fa1'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -252,11 +261,12 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-rc.4' node-version: '24.0.0-rc.4'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
**Note:** Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`. **Note**: Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`.
## Caching packages data ## Caching packages data
The action follows [actions/cache](https://github.com/actions/cache/blob/main/examples.md#node---npm) guidelines, and caches global cache on the machine instead of `node_modules`, so cache can be reused between different Node.js versions. The action follows [actions/cache](https://github.com/actions/cache/blob/main/examples.md#node---npm) guidelines, and caches global cache on the machine instead of `node_modules`, so cache can be reused between different Node.js versions.
@@ -329,36 +339,52 @@ steps:
- run: npm test - run: npm test
``` ```
**Restore-Only Cache** **Restore-only cache**
You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.
```yaml ```yaml
## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache
jobs:
build:
runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
# Restore Node.js modules cache (restore-only) # - uses: pnpm/action-setup@v6
- name: Restore Node modules cache # with:
uses: actions/cache@v5 # version: 10
id: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
# Setup Node.js
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: '24' node-version: '24'
# Install dependencies package-manager-cache: false # Disable automatic npm caching if not required
- run: npm install
- name: Normalize runner architecture
shell: bash
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
- name: Output of cache path
id: cachepath
shell: bash
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+)
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT
- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
``` ```
> **Note**: Uncomment the commands relevant to your project's package manager.
> For more details related to cache scenarios, please refer [Node npm](https://github.com/actions/cache/blob/main/examples.md#node---npm). > For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache).
## Multiple Operating Systems and Architectures ## Multiple operating systems and architectures
```yaml ```yaml
jobs: jobs:
@@ -389,6 +415,7 @@ jobs:
with: with:
node-version: ${{ matrix.node_version }} node-version: ${{ matrix.node_version }}
architecture: ${{ matrix.architecture }} architecture: ${{ matrix.architecture }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@@ -401,6 +428,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci - run: npm ci
- run: npm publish - run: npm publish
env: env:
@@ -408,6 +436,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm publish - run: npm publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -421,6 +450,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: <registry url> registry-url: <registry url>
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn install --frozen-lockfile - run: yarn install --frozen-lockfile
- run: yarn publish - run: yarn publish
env: env:
@@ -428,6 +458,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn publish - run: yarn publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -441,6 +472,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
# Skip post-install scripts here, as a malicious # Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN. # script could steal NODE_AUTH_TOKEN.
- run: npm ci --ignore-scripts - run: npm ci --ignore-scripts
@@ -460,6 +492,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.x' node-version: '24.x'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- name: Setup .yarnrc.yml - name: Setup .yarnrc.yml
run: | run: |
yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com" yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com"
@@ -475,6 +508,48 @@ To access private GitHub Packages within the same organization, go to "Manage Ac
Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details. Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details.
## Publishing to npm with Trusted Publisher (OIDC)
npm supports Trusted Publishers, enabling packages to be published from GitHub Actions using OpenID Connect (OIDC) instead of long-lived npm tokens. This improves security by replacing static credentials with short-lived tokens, reducing the risk of credential leakage and simplifying authentication in CI/CD workflows.
### Requirements
Trusted publishing requires a compatible npm version:
* **npm ≥ 11.5.1 (required)**
* **Node.js 24 or newer (recommended)** — includes a compatible npm version by default
> If npm is below 11.5.1, publishing will fail even if OIDC permissions are correctly configured.
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
> **Note**: In publishing workflows, set `package-manager-cache: false` because setup-node enables npm caching automatically when `package.json` specifies npm via `packageManager` or `devEngines.packageManager` (see [Running without a lockfile](#running-without-a-lockfile)), and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code.
### Example workflow
```yaml
permissions:
contents: read
id-token: write # Required for OIDC
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci
- run: npm run build --if-present
- run: npm publish
```
> **Note**: If the Trusted Publisher configuration (GitHub owner/repo/workflow file, and optional environment) does not match the workflow run identity exactly, publishing may fail with **E404 Not Found** even if the package exists on npm.
For more details, see the [npm Trusted Publishers documentation](https://docs.npmjs.com/trusted-publishers) and the [GitHub Actions OpenID Connect (OIDC) overview](https://docs.github.com/en/actions/concepts/security/openid-connect).
## Use private mirror ## Use private mirror
It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution. It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution.
@@ -488,4 +563,5 @@ The token will be passed in the `Authorization` header.
node-version: '24.x' node-version: '24.x'
mirror: 'https://nodejs.org/dist' mirror: 'https://nodejs.org/dist'
mirror-token: 'your-mirror-token' mirror-token: 'your-mirror-token'
cache-package-manager: false # Disable automatic npm caching if not required
``` ```
+84 -47
View File
@@ -1,15 +1,15 @@
{ {
"name": "setup-node", "name": "setup-node",
"version": "6.4.0", "version": "6.5.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "setup-node", "name": "setup-node",
"version": "6.4.0", "version": "6.5.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "^5.0.5", "@actions/cache": "^5.1.0",
"@actions/core": "^2.0.3", "@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0", "@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1", "@actions/github": "^6.0.1",
@@ -42,9 +42,9 @@
} }
}, },
"node_modules/@actions/cache": { "node_modules/@actions/cache": {
"version": "5.0.5", "version": "5.1.0",
"resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.0.5.tgz", "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.1.0.tgz",
"integrity": "sha512-jiQSg0gfd+C2KPgcmdCOq7dCuCIQQWQ4b1YfGIRaaA9w7PJbRwTOcCz4LiFEUnqZGf0ha/8OKL3BeNwetHzYsQ==", "integrity": "sha512-kTIj4YPrjjRPKSGlj7f8eq+Pijoy/SKBEbJcAwNsQTFGEF29NGqj1mqD02/PmhV6r4bRAixycexAWpmUJ2aCwg==",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^2.0.0", "@actions/core": "^2.0.0",
@@ -112,18 +112,6 @@
"undici": "^5.25.4" "undici": "^5.25.4"
} }
}, },
"node_modules/@actions/github/node_modules/undici": {
"version": "5.29.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
"integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
"license": "MIT",
"dependencies": {
"@fastify/busboy": "^2.0.0"
},
"engines": {
"node": ">=14.0"
}
},
"node_modules/@actions/glob": { "node_modules/@actions/glob": {
"version": "0.5.1", "version": "0.5.1",
"resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.1.tgz", "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.1.tgz",
@@ -1047,15 +1035,6 @@
"node": "^12.22.0 || ^14.17.0 || >=16.0.0" "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
} }
}, },
"node_modules/@fastify/busboy": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
"license": "MIT",
"engines": {
"node": ">=14"
}
},
"node_modules/@humanwhocodes/config-array": { "node_modules/@humanwhocodes/config-array": {
"version": "0.13.0", "version": "0.13.0",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz", "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
@@ -1553,6 +1532,18 @@
"@jridgewell/sourcemap-codec": "^1.4.14" "@jridgewell/sourcemap-codec": "^1.4.14"
} }
}, },
"node_modules/@nodable/entities": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.2.0.tgz",
"integrity": "sha512-9uGyhaQavEUMC8AIddIjau4NsnsXhou+j5sBAGojCM1oxmQpVKTWR/9JxABD6UAv12vpIms55fPZKFQEhG6uBg==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/nodable"
}
],
"license": "MIT"
},
"node_modules/@nodelib/fs.scandir": { "node_modules/@nodelib/fs.scandir": {
"version": "2.1.5", "version": "2.1.5",
"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -2277,6 +2268,18 @@
"node": ">= 8" "node": ">= 8"
} }
}, },
"node_modules/anynum": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/anynum/-/anynum-1.0.1.tgz",
"integrity": "sha512-N6//FLET/tXYNM/F6ABca1oH6fWB+KlTt909Le28WMDBk8oaT4vY17DCrwg2MvmuqUKt3Ni4N5dGJ/EoBgcO6A==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT"
},
"node_modules/argparse": { "node_modules/argparse": {
"version": "2.0.1", "version": "2.0.1",
"resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -3320,9 +3323,9 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/fast-xml-builder": { "node_modules/fast-xml-builder": {
"version": "1.1.4", "version": "1.2.0",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz", "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
"integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==", "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -3331,13 +3334,14 @@
], ],
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"path-expression-matcher": "^1.1.3" "path-expression-matcher": "^1.5.0",
"xml-naming": "^0.1.0"
} }
}, },
"node_modules/fast-xml-parser": { "node_modules/fast-xml-parser": {
"version": "5.5.11", "version": "5.9.2",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz", "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.9.2.tgz",
"integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==", "integrity": "sha512-DYPkXnVSJHAGAkSBeVYhEo/seIpz2SLr9OQcX7m6lXaX3gvoB+DCKzFdZIEhZGI3I1DUhObBAUOT/v2xfoXz/w==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -3346,9 +3350,12 @@
], ],
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"fast-xml-builder": "^1.1.4", "@nodable/entities": "^2.2.0",
"path-expression-matcher": "^1.4.0", "fast-xml-builder": "^1.2.0",
"strnum": "^2.2.3" "is-unsafe": "^1.0.1",
"path-expression-matcher": "^1.5.0",
"strnum": "^2.4.0",
"xml-naming": "^0.1.0"
}, },
"bin": { "bin": {
"fxparser": "src/cli/cli.js" "fxparser": "src/cli/cli.js"
@@ -3863,6 +3870,18 @@
"url": "https://github.com/sponsors/sindresorhus" "url": "https://github.com/sponsors/sindresorhus"
} }
}, },
"node_modules/is-unsafe": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/is-unsafe/-/is-unsafe-1.0.1.tgz",
"integrity": "sha512-CLK2+VdgERgD96EYm5lUQssZYlRg2tkZnbsxZoacmSiRxiFJ4Nk4SzjCl+Ur+v3kXIY9dTIdb3IH22y1mZ56LA==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT"
},
"node_modules/isexe": { "node_modules/isexe": {
"version": "2.0.0", "version": "2.0.0",
"resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
@@ -4977,9 +4996,9 @@
} }
}, },
"node_modules/path-expression-matcher": { "node_modules/path-expression-matcher": {
"version": "1.4.0", "version": "1.5.0",
"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.4.0.tgz", "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
"integrity": "sha512-s4DQMxIdhj3jLFWd9LxHOplj4p9yQ4ffMGowFf3cpEgrrJjEhN0V5nxw4Ye1EViAGDoL4/1AeO6qHpqYPOzE4Q==", "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
@@ -5575,16 +5594,19 @@
} }
}, },
"node_modules/strnum": { "node_modules/strnum": {
"version": "2.2.3", "version": "2.4.1",
"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz", "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.4.1.tgz",
"integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==", "integrity": "sha512-M9eUSMT2dCB2cTNPG7UYj6KuK7RJR2SN2+yCV/fTW3xzTCS6EaGZ5pSMgDIjB7r8zSfTGk+dvvn9rTjpVS9Mwg==",
"funding": [ "funding": [
{ {
"type": "github", "type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence" "url": "https://github.com/sponsors/NaturalIntelligence"
} }
], ],
"license": "MIT" "license": "MIT",
"dependencies": {
"anynum": "^1.0.1"
}
}, },
"node_modules/supports-color": { "node_modules/supports-color": {
"version": "7.2.0", "version": "7.2.0",
@@ -5823,9 +5845,9 @@
} }
}, },
"node_modules/undici": { "node_modules/undici": {
"version": "6.24.1", "version": "6.27.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz", "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz",
"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==", "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==",
"license": "MIT", "license": "MIT",
"engines": { "engines": {
"node": ">=18.17" "node": ">=18.17"
@@ -5981,6 +6003,21 @@
"node": "^12.13.0 || ^14.15.0 || >=16.0.0" "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
} }
}, },
"node_modules/xml-naming": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
"integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT",
"engines": {
"node": ">=16.0.0"
}
},
"node_modules/y18n": { "node_modules/y18n": {
"version": "5.0.8", "version": "5.0.8",
"resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+6 -2
View File
@@ -1,6 +1,6 @@
{ {
"name": "setup-node", "name": "setup-node",
"version": "6.4.0", "version": "6.5.0",
"private": true, "private": true,
"description": "setup node action", "description": "setup node action",
"main": "lib/setup-node.js", "main": "lib/setup-node.js",
@@ -28,7 +28,7 @@
"author": "GitHub", "author": "GitHub",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "^5.0.5", "@actions/cache": "^5.1.0",
"@actions/core": "^2.0.3", "@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0", "@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1", "@actions/github": "^6.0.1",
@@ -55,5 +55,9 @@
"prettier": "^3.6.2", "prettier": "^3.6.2",
"ts-jest": "^29.4.1", "ts-jest": "^29.4.1",
"typescript": "^5.4.2" "typescript": "^5.4.2"
},
"overrides": {
"undici": "^6.24.1",
"fast-xml-parser": "^5.9.2"
} }
} }
+4 -5
View File
@@ -46,9 +46,8 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string) {
newContents += `${authString}${os.EOL}${registryString}`; newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents); fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation); core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it // Only export NODE_AUTH_TOKEN if explicitly provided by user
core.exportVariable( if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) {
'NODE_AUTH_TOKEN', core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX' }
);
} }
+5 -1
View File
@@ -62,7 +62,11 @@ const cachePackages = async (packageManager: string) => {
} }
const cacheId = await cache.saveCache(cachePaths, primaryKey); const cacheId = await cache.saveCache(cachePaths, primaryKey);
if (cacheId == -1) { if (cacheId === -1) {
// saveCache returns -1 without throwing when the cache was not saved, e.g.
// a reserve collision or a read-only token (fork PR). @actions/cache has
// already logged the reason at the appropriate severity, so just trace it.
core.debug(`Cache was not saved for the key: ${primaryKey}`);
return; return;
} }
@@ -84,7 +84,9 @@ export default class OfficialBuilds extends BaseDistribution {
downloadPath = await tc.downloadTool( downloadPath = await tc.downloadTool(
versionInfo.downloadUrl, versionInfo.downloadUrl,
undefined, undefined,
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth
); );
if (downloadPath) { if (downloadPath) {
@@ -188,7 +190,9 @@ export default class OfficialBuilds extends BaseDistribution {
return tc.getManifestFromRepo( return tc.getManifestFromRepo(
'actions', 'actions',
'node-versions', 'node-versions',
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth, this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth,
'main' 'main'
); );
} }