Compare commits

..

23 Commits
v4.2.1 ... main

Author SHA1 Message Date
Ben De St Paer-Gotch
640a1c2554
Merge pull request #1620 from actions/nebuk89-patch-1
Update README.md
2025-06-17 14:18:22 +01:00
Ben De St Paer-Gotch
c45d39173a
Update README.md 2025-06-16 10:08:03 +01:00
Salman Chishti
5a3ec84eff
Merge pull request #1577 from salmanmkc/salmanmkc/4-test
Update to use @actions/cache 4.0.3 package & prepare for new release
2025-03-19 18:06:32 +00:00
Salman Chishti
7de21022a7 Update releases.md 2025-03-18 08:00:50 -07:00
Salman Chishti
76d40dd347 Update to use the latest version of the cache package to obfuscate the SAS 2025-03-18 07:58:36 -07:00
Salman Chishti
76dd5eb692 update cache with main 2025-03-18 03:43:02 -07:00
Salman Chishti
8c80c27c5e new package 2025-03-13 04:55:45 -07:00
Salman Chishti
45cfd0e7ff updates 2025-03-13 04:30:51 -07:00
Salman Chishti
edd449b9cf updated cache with latest changes 2025-03-12 03:22:00 -07:00
Salman Chishti
0576707e37 latest test before pr 2025-03-10 06:54:42 -07:00
Salman Chishti
3105dc9754 update 2025-03-10 04:27:54 -07:00
Salman Chishti
9450d42d15 mask 2025-03-10 04:24:44 -07:00
Salman Chishti
7d05b27fb9 update cache package to mask whole sas to the end of the line 2025-03-10 04:20:14 -07:00
Salman Chishti
507b84c6a6 artifact changes 2025-03-07 08:47:30 -08:00
Salman Chishti
f248408e15 type 2025-03-07 08:12:07 -08:00
Salman Chishti
c30eb5542e debugging 2025-03-07 08:06:30 -08:00
Salman Chishti
5b6ae99d8b mask whole url 2025-03-07 08:02:01 -08:00
Salman Chishti
eca7c65a55 changed 2025-03-07 08:00:03 -08:00
Salman Chishti
1b5d75f5cf add changes 2025-03-07 07:56:21 -08:00
Rob Herley
d4323d4df1
Merge pull request #1560 from actions/robherley/v4.2.2
Bump @actions/cache to v4.0.2
2025-02-27 09:47:05 -05:00
Rob Herley
da26677639
bump @actions/cache to v4.0.2, prep for v4.2.2 release 2025-02-26 12:45:56 -05:00
Rob Herley
7921ae235b
Merge pull request #1557 from actions/robherley/ia-workflow-released
Update publish-immutable-actions.yml
2025-02-18 17:47:05 -05:00
Rob Herley
3937731706
Update publish-immutable-actions.yml 2025-02-18 17:43:49 -05:00
10 changed files with 421 additions and 35 deletions

View File

@ -2,7 +2,7 @@ name: 'Publish Immutable Action Version'
on: on:
release: release:
types: [published] types: [released]
jobs: jobs:
publish: publish:

View File

@ -1,6 +1,6 @@
--- ---
name: "@actions/cache" name: "@actions/cache"
version: 4.0.1 version: 4.0.3
type: npm type: npm
summary: Actions cache lib summary: Actions cache lib
homepage: https://github.com/actions/toolkit/tree/main/packages/cache homepage: https://github.com/actions/toolkit/tree/main/packages/cache

View File

@ -335,9 +335,23 @@ There are a number of community practices/workarounds to fulfill specific requir
Please note that Windows environment variables (like `%LocalAppData%`) will NOT be expanded by this action. Instead, prefer using `~` in your paths which will expand to the HOME directory. For example, instead of `%LocalAppData%`, use `~\AppData\Local`. For a list of supported default environment variables, see the [Learn GitHub Actions: Variables](https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables) page. Please note that Windows environment variables (like `%LocalAppData%`) will NOT be expanded by this action. Instead, prefer using `~` in your paths which will expand to the HOME directory. For example, instead of `%LocalAppData%`, use `~\AppData\Local`. For a list of supported default environment variables, see the [Learn GitHub Actions: Variables](https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables) page.
## Contributing ## Note
We would love for you to contribute to `actions/cache`. Pull requests are welcome! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) for more information. Thank you for your interest in this GitHub repo, however, right now we are not taking contributions.
We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features were working on and what stage theyre in.
We are taking the following steps to better direct requests related to GitHub Actions, including:
1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions)
2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report.
3. Security Issues should be handled as per our [security.md](SECURITY.md).
We will still provide security updates for this project and fix major breaking changes during this time.
You are welcome to still raise bugs in this repo.
## License ## License

View File

@ -1,5 +1,13 @@
# Releases # Releases
### 4.2.3
- Bump `@actions/cache` to v4.0.3 (obfuscates SAS token in debug logs for cache entries)
### 4.2.2
- Bump `@actions/cache` to v4.0.2
### 4.2.1 ### 4.2.1
- Bump `@actions/cache` to v4.0.1 - Bump `@actions/cache` to v4.0.1

View File

@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
}; };
const response = yield twirpClient.GetCacheEntryDownloadURL(request); const response = yield twirpClient.GetCacheEntryDownloadURL(request);
if (!response.ok) { if (!response.ok) {
core.debug(`Cache not found for keys: ${keys.join(', ')}`); core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`);
return undefined; return undefined;
} }
core.info(`Cache hit for: ${request.key}`); core.info(`Cache hit for: ${request.key}`);
@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
key, key,
version version
}; };
let signedUploadUrl;
try {
const response = yield twirpClient.CreateCacheEntry(request); const response = yield twirpClient.CreateCacheEntry(request);
if (!response.ok) { if (!response.ok) {
throw new Error('Response was not ok');
}
signedUploadUrl = response.signedUploadUrl;
}
catch (error) {
core.debug(`Failed to reserve cache: ${error}`);
throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
} }
core.debug(`Attempting to upload cache located at: ${archivePath}`); core.debug(`Attempting to upload cache located at: ${archivePath}`);
yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options);
const finalizeRequest = { const finalizeRequest = {
key, key,
version, version,
@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299);
const auth_1 = __nccwpck_require__(4552); const auth_1 = __nccwpck_require__(4552);
const http_client_1 = __nccwpck_require__(4844); const http_client_1 = __nccwpck_require__(4844);
const cache_twirp_client_1 = __nccwpck_require__(1486); const cache_twirp_client_1 = __nccwpck_require__(1486);
const util_1 = __nccwpck_require__(7564);
/** /**
* This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp.
* *
@ -2255,6 +2264,7 @@ class CacheServiceClient {
(0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`[Response] - ${response.message.statusCode}`);
(0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`);
const body = JSON.parse(rawBody); const body = JSON.parse(rawBody);
(0, util_1.maskSecretUrls)(body);
(0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`);
if (this.isSuccessStatusCode(statusCode)) { if (this.isSuccessStatusCode(statusCode)) {
return { response, body }; return { response, body };
@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString;
/***/ }), /***/ }),
/***/ 7564:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.maskSecretUrls = exports.maskSigUrl = void 0;
const core_1 = __nccwpck_require__(7484);
/**
* Masks the `sig` parameter in a URL and sets it as a secret.
*
* @param url - The URL containing the signature parameter to mask
* @remarks
* This function attempts to parse the provided URL and identify the 'sig' query parameter.
* If found, it registers both the raw and URL-encoded signature values as secrets using
* the Actions `setSecret` API, which prevents them from being displayed in logs.
*
* The function handles errors gracefully if URL parsing fails, logging them as debug messages.
*
* @example
* ```typescript
* // Mask a signature in an Azure SAS token URL
* maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
* ```
*/
function maskSigUrl(url) {
if (!url)
return;
try {
const parsedUrl = new URL(url);
const signature = parsedUrl.searchParams.get('sig');
if (signature) {
(0, core_1.setSecret)(signature);
(0, core_1.setSecret)(encodeURIComponent(signature));
}
}
catch (error) {
(0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`);
}
}
exports.maskSigUrl = maskSigUrl;
/**
* Masks sensitive information in URLs containing signature parameters.
* Currently supports masking 'sig' parameters in the 'signed_upload_url'
* and 'signed_download_url' properties of the provided object.
*
* @param body - The object should contain a signature
* @remarks
* This function extracts URLs from the object properties and calls maskSigUrl
* on each one to redact sensitive signature information. The function doesn't
* modify the original object; it only marks the signatures as secrets for
* logging purposes.
*
* @example
* ```typescript
* const responseBody = {
* signed_upload_url: 'https://blob.core.windows.net/?sig=abc123',
* signed_download_url: 'https://blob.core/windows.net/?sig=def456'
* };
* maskSecretUrls(responseBody);
* ```
*/
function maskSecretUrls(body) {
if (typeof body !== 'object' || body === null) {
(0, core_1.debug)('body is not an object or is null');
return;
}
if ('signed_upload_url' in body &&
typeof body.signed_upload_url === 'string') {
maskSigUrl(body.signed_upload_url);
}
if ('signed_download_url' in body &&
typeof body.signed_download_url === 'string') {
maskSigUrl(body.signed_download_url);
}
}
exports.maskSecretUrls = maskSecretUrls;
//# sourceMappingURL=util.js.map
/***/ }),
/***/ 5321: /***/ 5321:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
@ -65309,7 +65400,7 @@ module.exports = require("zlib");
/***/ ((module) => { /***/ ((module) => {
"use strict"; "use strict";
module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}');
/***/ }), /***/ }),

97
dist/restore/index.js vendored
View File

@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
}; };
const response = yield twirpClient.GetCacheEntryDownloadURL(request); const response = yield twirpClient.GetCacheEntryDownloadURL(request);
if (!response.ok) { if (!response.ok) {
core.debug(`Cache not found for keys: ${keys.join(', ')}`); core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`);
return undefined; return undefined;
} }
core.info(`Cache hit for: ${request.key}`); core.info(`Cache hit for: ${request.key}`);
@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
key, key,
version version
}; };
let signedUploadUrl;
try {
const response = yield twirpClient.CreateCacheEntry(request); const response = yield twirpClient.CreateCacheEntry(request);
if (!response.ok) { if (!response.ok) {
throw new Error('Response was not ok');
}
signedUploadUrl = response.signedUploadUrl;
}
catch (error) {
core.debug(`Failed to reserve cache: ${error}`);
throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
} }
core.debug(`Attempting to upload cache located at: ${archivePath}`); core.debug(`Attempting to upload cache located at: ${archivePath}`);
yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options);
const finalizeRequest = { const finalizeRequest = {
key, key,
version, version,
@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299);
const auth_1 = __nccwpck_require__(4552); const auth_1 = __nccwpck_require__(4552);
const http_client_1 = __nccwpck_require__(4844); const http_client_1 = __nccwpck_require__(4844);
const cache_twirp_client_1 = __nccwpck_require__(1486); const cache_twirp_client_1 = __nccwpck_require__(1486);
const util_1 = __nccwpck_require__(7564);
/** /**
* This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp.
* *
@ -2255,6 +2264,7 @@ class CacheServiceClient {
(0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`[Response] - ${response.message.statusCode}`);
(0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`);
const body = JSON.parse(rawBody); const body = JSON.parse(rawBody);
(0, util_1.maskSecretUrls)(body);
(0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`);
if (this.isSuccessStatusCode(statusCode)) { if (this.isSuccessStatusCode(statusCode)) {
return { response, body }; return { response, body };
@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString;
/***/ }), /***/ }),
/***/ 7564:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.maskSecretUrls = exports.maskSigUrl = void 0;
const core_1 = __nccwpck_require__(7484);
/**
* Masks the `sig` parameter in a URL and sets it as a secret.
*
* @param url - The URL containing the signature parameter to mask
* @remarks
* This function attempts to parse the provided URL and identify the 'sig' query parameter.
* If found, it registers both the raw and URL-encoded signature values as secrets using
* the Actions `setSecret` API, which prevents them from being displayed in logs.
*
* The function handles errors gracefully if URL parsing fails, logging them as debug messages.
*
* @example
* ```typescript
* // Mask a signature in an Azure SAS token URL
* maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
* ```
*/
function maskSigUrl(url) {
if (!url)
return;
try {
const parsedUrl = new URL(url);
const signature = parsedUrl.searchParams.get('sig');
if (signature) {
(0, core_1.setSecret)(signature);
(0, core_1.setSecret)(encodeURIComponent(signature));
}
}
catch (error) {
(0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`);
}
}
exports.maskSigUrl = maskSigUrl;
/**
* Masks sensitive information in URLs containing signature parameters.
* Currently supports masking 'sig' parameters in the 'signed_upload_url'
* and 'signed_download_url' properties of the provided object.
*
* @param body - The object should contain a signature
* @remarks
* This function extracts URLs from the object properties and calls maskSigUrl
* on each one to redact sensitive signature information. The function doesn't
* modify the original object; it only marks the signatures as secrets for
* logging purposes.
*
* @example
* ```typescript
* const responseBody = {
* signed_upload_url: 'https://blob.core.windows.net/?sig=abc123',
* signed_download_url: 'https://blob.core/windows.net/?sig=def456'
* };
* maskSecretUrls(responseBody);
* ```
*/
function maskSecretUrls(body) {
if (typeof body !== 'object' || body === null) {
(0, core_1.debug)('body is not an object or is null');
return;
}
if ('signed_upload_url' in body &&
typeof body.signed_upload_url === 'string') {
maskSigUrl(body.signed_upload_url);
}
if ('signed_download_url' in body &&
typeof body.signed_download_url === 'string') {
maskSigUrl(body.signed_download_url);
}
}
exports.maskSecretUrls = maskSecretUrls;
//# sourceMappingURL=util.js.map
/***/ }),
/***/ 5321: /***/ 5321:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
@ -65309,7 +65400,7 @@ module.exports = require("zlib");
/***/ ((module) => { /***/ ((module) => {
"use strict"; "use strict";
module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}');
/***/ }), /***/ }),

View File

@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
}; };
const response = yield twirpClient.GetCacheEntryDownloadURL(request); const response = yield twirpClient.GetCacheEntryDownloadURL(request);
if (!response.ok) { if (!response.ok) {
core.debug(`Cache not found for keys: ${keys.join(', ')}`); core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`);
return undefined; return undefined;
} }
core.info(`Cache hit for: ${request.key}`); core.info(`Cache hit for: ${request.key}`);
@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
key, key,
version version
}; };
let signedUploadUrl;
try {
const response = yield twirpClient.CreateCacheEntry(request); const response = yield twirpClient.CreateCacheEntry(request);
if (!response.ok) { if (!response.ok) {
throw new Error('Response was not ok');
}
signedUploadUrl = response.signedUploadUrl;
}
catch (error) {
core.debug(`Failed to reserve cache: ${error}`);
throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
} }
core.debug(`Attempting to upload cache located at: ${archivePath}`); core.debug(`Attempting to upload cache located at: ${archivePath}`);
yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options);
const finalizeRequest = { const finalizeRequest = {
key, key,
version, version,
@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299);
const auth_1 = __nccwpck_require__(4552); const auth_1 = __nccwpck_require__(4552);
const http_client_1 = __nccwpck_require__(4844); const http_client_1 = __nccwpck_require__(4844);
const cache_twirp_client_1 = __nccwpck_require__(1486); const cache_twirp_client_1 = __nccwpck_require__(1486);
const util_1 = __nccwpck_require__(7564);
/** /**
* This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp.
* *
@ -2255,6 +2264,7 @@ class CacheServiceClient {
(0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`[Response] - ${response.message.statusCode}`);
(0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`);
const body = JSON.parse(rawBody); const body = JSON.parse(rawBody);
(0, util_1.maskSecretUrls)(body);
(0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`);
if (this.isSuccessStatusCode(statusCode)) { if (this.isSuccessStatusCode(statusCode)) {
return { response, body }; return { response, body };
@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString;
/***/ }), /***/ }),
/***/ 7564:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.maskSecretUrls = exports.maskSigUrl = void 0;
const core_1 = __nccwpck_require__(7484);
/**
* Masks the `sig` parameter in a URL and sets it as a secret.
*
* @param url - The URL containing the signature parameter to mask
* @remarks
* This function attempts to parse the provided URL and identify the 'sig' query parameter.
* If found, it registers both the raw and URL-encoded signature values as secrets using
* the Actions `setSecret` API, which prevents them from being displayed in logs.
*
* The function handles errors gracefully if URL parsing fails, logging them as debug messages.
*
* @example
* ```typescript
* // Mask a signature in an Azure SAS token URL
* maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
* ```
*/
function maskSigUrl(url) {
if (!url)
return;
try {
const parsedUrl = new URL(url);
const signature = parsedUrl.searchParams.get('sig');
if (signature) {
(0, core_1.setSecret)(signature);
(0, core_1.setSecret)(encodeURIComponent(signature));
}
}
catch (error) {
(0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`);
}
}
exports.maskSigUrl = maskSigUrl;
/**
* Masks sensitive information in URLs containing signature parameters.
* Currently supports masking 'sig' parameters in the 'signed_upload_url'
* and 'signed_download_url' properties of the provided object.
*
* @param body - The object should contain a signature
* @remarks
* This function extracts URLs from the object properties and calls maskSigUrl
* on each one to redact sensitive signature information. The function doesn't
* modify the original object; it only marks the signatures as secrets for
* logging purposes.
*
* @example
* ```typescript
* const responseBody = {
* signed_upload_url: 'https://blob.core.windows.net/?sig=abc123',
* signed_download_url: 'https://blob.core/windows.net/?sig=def456'
* };
* maskSecretUrls(responseBody);
* ```
*/
function maskSecretUrls(body) {
if (typeof body !== 'object' || body === null) {
(0, core_1.debug)('body is not an object or is null');
return;
}
if ('signed_upload_url' in body &&
typeof body.signed_upload_url === 'string') {
maskSigUrl(body.signed_upload_url);
}
if ('signed_download_url' in body &&
typeof body.signed_download_url === 'string') {
maskSigUrl(body.signed_download_url);
}
}
exports.maskSecretUrls = maskSecretUrls;
//# sourceMappingURL=util.js.map
/***/ }),
/***/ 5321: /***/ 5321:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
@ -65322,7 +65413,7 @@ module.exports = require("zlib");
/***/ ((module) => { /***/ ((module) => {
"use strict"; "use strict";
module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}');
/***/ }), /***/ }),

97
dist/save/index.js vendored
View File

@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
}; };
const response = yield twirpClient.GetCacheEntryDownloadURL(request); const response = yield twirpClient.GetCacheEntryDownloadURL(request);
if (!response.ok) { if (!response.ok) {
core.debug(`Cache not found for keys: ${keys.join(', ')}`); core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`);
return undefined; return undefined;
} }
core.info(`Cache hit for: ${request.key}`); core.info(`Cache hit for: ${request.key}`);
@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
key, key,
version version
}; };
let signedUploadUrl;
try {
const response = yield twirpClient.CreateCacheEntry(request); const response = yield twirpClient.CreateCacheEntry(request);
if (!response.ok) { if (!response.ok) {
throw new Error('Response was not ok');
}
signedUploadUrl = response.signedUploadUrl;
}
catch (error) {
core.debug(`Failed to reserve cache: ${error}`);
throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
} }
core.debug(`Attempting to upload cache located at: ${archivePath}`); core.debug(`Attempting to upload cache located at: ${archivePath}`);
yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options);
const finalizeRequest = { const finalizeRequest = {
key, key,
version, version,
@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299);
const auth_1 = __nccwpck_require__(4552); const auth_1 = __nccwpck_require__(4552);
const http_client_1 = __nccwpck_require__(4844); const http_client_1 = __nccwpck_require__(4844);
const cache_twirp_client_1 = __nccwpck_require__(1486); const cache_twirp_client_1 = __nccwpck_require__(1486);
const util_1 = __nccwpck_require__(7564);
/** /**
* This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp.
* *
@ -2255,6 +2264,7 @@ class CacheServiceClient {
(0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`[Response] - ${response.message.statusCode}`);
(0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`);
const body = JSON.parse(rawBody); const body = JSON.parse(rawBody);
(0, util_1.maskSecretUrls)(body);
(0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`);
if (this.isSuccessStatusCode(statusCode)) { if (this.isSuccessStatusCode(statusCode)) {
return { response, body }; return { response, body };
@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString;
/***/ }), /***/ }),
/***/ 7564:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.maskSecretUrls = exports.maskSigUrl = void 0;
const core_1 = __nccwpck_require__(7484);
/**
* Masks the `sig` parameter in a URL and sets it as a secret.
*
* @param url - The URL containing the signature parameter to mask
* @remarks
* This function attempts to parse the provided URL and identify the 'sig' query parameter.
* If found, it registers both the raw and URL-encoded signature values as secrets using
* the Actions `setSecret` API, which prevents them from being displayed in logs.
*
* The function handles errors gracefully if URL parsing fails, logging them as debug messages.
*
* @example
* ```typescript
* // Mask a signature in an Azure SAS token URL
* maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
* ```
*/
function maskSigUrl(url) {
if (!url)
return;
try {
const parsedUrl = new URL(url);
const signature = parsedUrl.searchParams.get('sig');
if (signature) {
(0, core_1.setSecret)(signature);
(0, core_1.setSecret)(encodeURIComponent(signature));
}
}
catch (error) {
(0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`);
}
}
exports.maskSigUrl = maskSigUrl;
/**
* Masks sensitive information in URLs containing signature parameters.
* Currently supports masking 'sig' parameters in the 'signed_upload_url'
* and 'signed_download_url' properties of the provided object.
*
* @param body - The object should contain a signature
* @remarks
* This function extracts URLs from the object properties and calls maskSigUrl
* on each one to redact sensitive signature information. The function doesn't
* modify the original object; it only marks the signatures as secrets for
* logging purposes.
*
* @example
* ```typescript
* const responseBody = {
* signed_upload_url: 'https://blob.core.windows.net/?sig=abc123',
* signed_download_url: 'https://blob.core/windows.net/?sig=def456'
* };
* maskSecretUrls(responseBody);
* ```
*/
function maskSecretUrls(body) {
if (typeof body !== 'object' || body === null) {
(0, core_1.debug)('body is not an object or is null');
return;
}
if ('signed_upload_url' in body &&
typeof body.signed_upload_url === 'string') {
maskSigUrl(body.signed_upload_url);
}
if ('signed_download_url' in body &&
typeof body.signed_download_url === 'string') {
maskSigUrl(body.signed_download_url);
}
}
exports.maskSecretUrls = maskSecretUrls;
//# sourceMappingURL=util.js.map
/***/ }),
/***/ 5321: /***/ 5321:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
@ -65322,7 +65413,7 @@ module.exports = require("zlib");
/***/ ((module) => { /***/ ((module) => {
"use strict"; "use strict";
module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}');
/***/ }), /***/ }),

18
package-lock.json generated
View File

@ -1,15 +1,15 @@
{ {
"name": "cache", "name": "cache",
"version": "4.2.1", "version": "4.2.3",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "cache", "name": "cache",
"version": "4.2.1", "version": "4.2.3",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "^4.0.1", "@actions/cache": "^4.0.3",
"@actions/core": "^1.11.1", "@actions/core": "^1.11.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/io": "^1.1.3" "@actions/io": "^1.1.3"
@ -36,9 +36,9 @@
} }
}, },
"node_modules/@actions/cache": { "node_modules/@actions/cache": {
"version": "4.0.1", "version": "4.0.3",
"resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.1.tgz", "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.3.tgz",
"integrity": "sha512-u2NrTo95PDmk145wrr+fMhrvpF0hfPmD6cLkR7NozvNHqanR0BmRHBzEe1yiGZFFEHbu6/e6EOEX7qoM7fWVTA==", "integrity": "sha512-SvrqFtYJ7I48A/uXNkoJrnukx5weQv1fGquhs3+4nkByZThBH109KTIqj5x/cGV7JGNvb8dLPVywUOqX1fjiXg==",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^1.11.1", "@actions/core": "^1.11.1",
@ -9600,9 +9600,9 @@
}, },
"dependencies": { "dependencies": {
"@actions/cache": { "@actions/cache": {
"version": "4.0.1", "version": "4.0.3",
"resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.1.tgz", "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.3.tgz",
"integrity": "sha512-u2NrTo95PDmk145wrr+fMhrvpF0hfPmD6cLkR7NozvNHqanR0BmRHBzEe1yiGZFFEHbu6/e6EOEX7qoM7fWVTA==", "integrity": "sha512-SvrqFtYJ7I48A/uXNkoJrnukx5weQv1fGquhs3+4nkByZThBH109KTIqj5x/cGV7JGNvb8dLPVywUOqX1fjiXg==",
"requires": { "requires": {
"@actions/core": "^1.11.1", "@actions/core": "^1.11.1",
"@actions/exec": "^1.0.1", "@actions/exec": "^1.0.1",

View File

@ -1,6 +1,6 @@
{ {
"name": "cache", "name": "cache",
"version": "4.2.1", "version": "4.2.3",
"private": true, "private": true,
"description": "Cache dependencies and build outputs", "description": "Cache dependencies and build outputs",
"main": "dist/restore/index.js", "main": "dist/restore/index.js",
@ -23,7 +23,7 @@
"author": "GitHub", "author": "GitHub",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/cache": "^4.0.1", "@actions/cache": "^4.0.3",
"@actions/core": "^1.11.1", "@actions/core": "^1.11.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/io": "^1.1.3" "@actions/io": "^1.1.3"