Only use mirrorToken in getManifest if it's provided#1548
Conversation
|
no one should be allowed to make any changes |
|
Hi @deiga 👋 |
|
Doh! 🤦 |
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adjusts how authentication tokens are selected when downloading Node distributions and fetching the node-versions manifest, preferring the mirror token only when it’s explicitly present.
Changes:
- Update
tc.downloadToolauth selection to usemirrorTokenonly when bothmirrorandmirrorTokenare set. - Update
tc.getManifestFromRepoauth selection similarly. - Regenerate/update the compiled
dist/setup/index.jsto reflect the source change.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/distributions/official_builds/official_builds.ts | Changes token selection logic for downloads and manifest fetches. |
| dist/setup/index.js | Compiled output updated to match the source logic change. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Timo Sand <[email protected]>
Signed-off-by: Timo Sand <[email protected]>
f1a144b to
bf9e4b9
Compare
* Only use `mirrorToken` in `getManifest` if it's provided Signed-off-by: Timo Sand <[email protected]> * `npm run build` Signed-off-by: Timo Sand <[email protected]> --------- Signed-off-by: Timo Sand <[email protected]>
* Only use `mirrorToken` in `getManifest` if it's provided Signed-off-by: Timo Sand <[email protected]> * `npm run build` Signed-off-by: Timo Sand <[email protected]> --------- Signed-off-by: Timo Sand <[email protected]>
#11) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v6.4.0` → `v7.0.0` | --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v7.0.0`](https://github.com/actions/setup-node/releases/tag/v7.0.0) [Compare Source](actions/setup-node@v6.5.0...v7.0.0) #### What's Changed ##### Enhancements: - Add cache-primary-key and cache-matched-key as outputs by [@​gowridurgad](https://github.com/gowridurgad) in [#​1577](actions/setup-node#1577) - Migrate to ESM and upgrade dependencies by [@​gowridurgad](https://github.com/gowridurgad) in [#​1574](actions/setup-node#1574) ##### Bug fixes: - Remove dummy NODE\_AUTH\_TOKEN export by [@​gowridurgad](https://github.com/gowridurgad) in [#​1558](actions/setup-node#1558) - Only use `mirrorToken` in `getManifest` if it's provided by [@​deiga](https://github.com/deiga) in [#​1548](actions/setup-node#1548) ##### Documentation updates: - Add documentation for publishing to npm with Trusted Publisher (OIDC) by [@​chiranjib-swain](https://github.com/chiranjib-swain) in [#​1536](actions/setup-node#1536) - docs: Update restore-only cache documentation by [@​priya-kinthali](https://github.com/priya-kinthali) in [#​1550](actions/setup-node#1550) - docs: Update caching recommendations to mitigate cache poisoning risks by [@​chiranjib-swain](https://github.com/chiranjib-swain) in [#​1567](actions/setup-node#1567) ##### Dependency update: - Upgrade [@​actions/cache](https://github.com/actions/cache) to 5.1.0, log cache write denied by [@​jasongin](https://github.com/jasongin) in [#​1569](actions/setup-node#1569) #### New Contributors - [@​chiranjib-swain](https://github.com/chiranjib-swain) made their first contribution in [#​1536](actions/setup-node#1536) - [@​deiga](https://github.com/deiga) made their first contribution in [#​1548](actions/setup-node#1548) - [@​jasongin](https://github.com/jasongin) made their first contribution in [#​1569](actions/setup-node#1569) **Full Changelog**: <actions/setup-node@v6...v7.0.0> ### [`v6.5.0`](https://github.com/actions/setup-node/releases/tag/v6.5.0) [Compare Source](actions/setup-node@v6.4.0...v6.5.0) #### What's Changed - Update [@​actions/cache](https://github.com/actions/cache) to 5.1.0 and add security overrides for undici and fast-xml-parser by [@​HarithaVattikuti](https://github.com/HarithaVattikuti) in [#​1579](actions/setup-node#1579) **Full Changelog**: <actions/setup-node@v6.4.0...v6.5.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Warsaw) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI2MS4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: https://git.ajgon.casa/deedee/schemas/pulls/11
Description:
When providing a
mirror, but not amirrorTokenthengetManifestwill use the emptymirrorTokeninstead of any possible github token. This can lead to API Rate Limit exhaustion inadvertently.The proposed fix is to only supply
mirrorTokenif it is actually set.Related issue:
I couldn't find any directly related issues
Check list: