actions/setup-node
2
0
Fork 0
mirror of https://gitea.com/actions/setup-node.git synced 2026-05-31 03:35:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: actions:main
Branches Tags
actions:main
actions:dependabot/npm_and_yarn/fast-xml-builder-1.2.0
actions:dependabot/npm_and_yarn/fast-xml-parser-5.7.1
actions:dependabot/npm_and_yarn/multi-fa4ce633fc
actions:dependabot/github_actions/pnpm/action-setup-6
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.58.0
actions:copilot/research-node-auth-token-usage
actions:dependabot/npm_and_yarn/multi-954fefb278
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/jest-circus-30.2.0
actions:dependabot/npm_and_yarn/typescript-eslint/parser-8.46.2
actions:macos-15-x64-runner-test
actions:test-macos-x64-runner
actions:releases/v5
actions:releases/v3
actions:releases/v4
actions:Node-Test-app
actions:update-memoization
actions:update-temp-ditectory-creation
actions:releases/v2
actions:kotewar/update-actions-cache-version
actions:tiwarishub/cache-30
actions:thboop/node16upgrade
actions:servicing/v1
actions:malob/adr-caching-monorepos
actions:malob/update-readme
actions:v-mazhuk/automate-releasing-new-versions
actions:malob/cache-adr
actions:updates
actions:master
actions:v-malob/update-readme-v2
actions:releases/v1
actions:v6.4.0
actions:v6
actions:v6.3.0
actions:v6.2.0
actions:v6.1.0
actions:v6.0.0
actions:v5
actions:v5.0.0
actions:v3
actions:v3.9.1
actions:v3.9.0
actions:v4
actions:v4.4.0
actions:v4.3.0
actions:v4.2.0
actions:v4.1.0
actions:v4.0.4
actions:v4.0.3
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.8.2
actions:v3.8.1
actions:v3.8.0
actions:v3.7.0
actions:v2.5.2
actions:v2
actions:v3.6.0
actions:v3.5.1
actions:v3.5.0
actions:v3.4.1
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.1
actions:v3.1.0
actions:v3.0.0
actions:v2.5.1
actions:v2.5.0
actions:v2.4.1
actions:v2.4.0
actions:v2.3.2
actions:v1.4.6
actions:v1
actions:v1.4.5
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.5
actions:v2.1.4
actions:v2-beta
actions:v2.1.3
actions:v2.1.2
actions:v1.4.4
actions:v1.4.3
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.4.2
actions:v1.4.1
actions:v1.4.0
actions:v1.3.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.4
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
..
compare: actions:v6
Branches Tags
actions:main
actions:dependabot/npm_and_yarn/fast-xml-builder-1.2.0
actions:dependabot/npm_and_yarn/fast-xml-parser-5.7.1
actions:dependabot/npm_and_yarn/multi-fa4ce633fc
actions:dependabot/github_actions/pnpm/action-setup-6
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.58.0
actions:copilot/research-node-auth-token-usage
actions:dependabot/npm_and_yarn/multi-954fefb278
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/jest-circus-30.2.0
actions:dependabot/npm_and_yarn/typescript-eslint/parser-8.46.2
actions:macos-15-x64-runner-test
actions:test-macos-x64-runner
actions:releases/v5
actions:releases/v3
actions:releases/v4
actions:Node-Test-app
actions:update-memoization
actions:update-temp-ditectory-creation
actions:releases/v2
actions:kotewar/update-actions-cache-version
actions:tiwarishub/cache-30
actions:thboop/node16upgrade
actions:servicing/v1
actions:malob/adr-caching-monorepos
actions:malob/update-readme
actions:v-mazhuk/automate-releasing-new-versions
actions:malob/cache-adr
actions:updates
actions:master
actions:v-malob/update-readme-v2
actions:releases/v1
actions:v6.4.0
actions:v6
actions:v6.3.0
actions:v6.2.0
actions:v6.1.0
actions:v6.0.0
actions:v5
actions:v5.0.0
actions:v3
actions:v3.9.1
actions:v3.9.0
actions:v4
actions:v4.4.0
actions:v4.3.0
actions:v4.2.0
actions:v4.1.0
actions:v4.0.4
actions:v4.0.3
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.8.2
actions:v3.8.1
actions:v3.8.0
actions:v3.7.0
actions:v2.5.2
actions:v2
actions:v3.6.0
actions:v3.5.1
actions:v3.5.0
actions:v3.4.1
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.1
actions:v3.1.0
actions:v3.0.0
actions:v2.5.1
actions:v2.5.0
actions:v2.4.1
actions:v2.4.0
actions:v2.3.2
actions:v1.4.6
actions:v1
actions:v1.4.5
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.5
actions:v2.1.4
actions:v2-beta
actions:v2.1.3
actions:v2.1.2
actions:v1.4.4
actions:v1.4.3
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.4.2
actions:v1.4.1
actions:v1.4.0
actions:v1.3.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.4
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0

No commits in common. "main" and "v6" have entirely different histories.
main ... v6

5 changed files with 32 additions and 109 deletions
Show Stats Expand all files Collapse all files

1
README.md
View File

@ -249,7 +249,6 @@ If the runner is not able to access github.com, any Nodejs versions requested du
- [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm) - [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm)
- [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn) - [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn)
- [Using private packages](docs/advanced-usage.md#use-private-packages) - [Using private packages](docs/advanced-usage.md#use-private-packages)
- [Publishing to npm with Trusted Publisher (OIDC)](docs/advanced-usage.md#publishing-to-npm-with-trusted-publisher-oidc)
- [Using private mirror](docs/advanced-usage.md#use-private-mirror) - [Using private mirror](docs/advanced-usage.md#use-private-mirror)
## Recommended permissions ## Recommended permissions

21
__tests__/authutil.test.ts
View File

@ -118,27 +118,6 @@ describe('authutil tests', () => {
expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar'); expect(process.env.NODE_AUTH_TOKEN).toEqual('foobar');
}); });
it('should not export NODE_AUTH_TOKEN if not set in environment', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
delete process.env.NODE_AUTH_TOKEN;
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
const rc = readRcFile(rcFile);
expect(rc['registry']).toBe('https://registry.npmjs.org/');
expect(exportSpy).not.toHaveBeenCalledWith(
'NODE_AUTH_TOKEN',
expect.anything()
);
});
it('should export NODE_AUTH_TOKEN if set to empty string', async () => {
const exportSpy = jest.spyOn(core, 'exportVariable');
process.env.NODE_AUTH_TOKEN = '';
await auth.configAuthentication('https://registry.npmjs.org/');
expect(fs.statSync(rcFile)).toBeDefined();
expect(exportSpy).toHaveBeenCalledWith('NODE_AUTH_TOKEN', '');
});
it('configAuthentication should overwrite non-scoped with non-scoped', async () => { it('configAuthentication should overwrite non-scoped with non-scoped', async () => {
fs.writeFileSync(rcFile, 'registry=NNN'); fs.writeFileSync(rcFile, 'registry=NNN');
await auth.configAuthentication('https://registry.npmjs.org/'); await auth.configAuthentication('https://registry.npmjs.org/');

6
dist/setup/index.js vendored
View File

@ -78875,10 +78875,8 @@ function writeRegistryToFile(registryUrl, fileLocation) {
newContents += `${authString}${os.EOL}${registryString}`; newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents); fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation); core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Only export NODE_AUTH_TOKEN if explicitly provided by user // Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it
if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) { core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX');
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
}
} }

104
docs/advanced-usage.md
View File

@ -329,51 +329,36 @@ steps:
- run: npm test - run: npm test
``` ```
**Restore-only cache** **Restore-Only Cache**
You can restore caches without saving new entries, which helps reduce cache writes and storage usage in read-only cache workflows.
```yaml ```yaml
steps: ## In some workflows, you may want to restore a cache without saving it. This can help reduce cache writes and storage usage in workflows that only need to read from cache
- uses: actions/checkout@v6 jobs:
# - uses: pnpm/action-setup@v6 build:
# with: runs-on: ubuntu-latest
# version: 10 steps:
- uses: actions/checkout@v6
- name: Setup Node.js # Restore Node.js modules cache (restore-only)
uses: actions/setup-node@v6 - name: Restore Node modules cache
with: uses: actions/cache@v5
node-version: '24' id: cache-node-modules
with:
- name: Normalize runner architecture path: ~/.npm
shell: bash key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
run: echo "ARCH=$(echo '${{ runner.arch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV restore-keys: |
${{ runner.os }}-node-
- name: Output of cache path # Setup Node.js
id: cachepath - name: Setup Node.js
shell: bash uses: actions/setup-node@v6
run: echo "path=$(npm config get cache)" >> $GITHUB_OUTPUT with:
# run: echo "path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT node-version: '24'
# For yarn workflow, output of yarn cache dir (v1) or yarn config get cacheFolder (v2+) # Install dependencies
# run: echo "path=$(yarn cache dir)" >> $GITHUB_OUTPUT - run: npm install
- name: Restore Node cache
uses: actions/cache/restore@v5
with:
path: ${{ steps.cachepath.outputs.path }}
key: node-cache-${{ runner.os }}-${{ env.ARCH }}-npm-${{ hashFiles('**/package-lock.json') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-yarn-${{ hashFiles('**/yarn.lock') }}
# key: node-cache-${{ runner.os }}-${{ env.ARCH }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
- run: npm ci
# - run: yarn install --frozen-lockfile # optional, --immutable
# - run: pnpm install
``` ```
> **Note**: Uncomment the commands relevant to your project's package manager.
> For more details related to cache scenarios, please refer [actions/cache/restore](https://github.com/actions/cache/tree/main/restore#only-restore-cache). > For more details related to cache scenarios, please refer [Node npm](https://github.com/actions/cache/blob/main/examples.md#node---npm).
## Multiple operating systems and architectures ## Multiple Operating Systems and Architectures
```yaml ```yaml
jobs: jobs:
@ -490,45 +475,6 @@ To access private GitHub Packages within the same organization, go to "Manage Ac
Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details. Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details.
## Publishing to npm with Trusted Publisher (OIDC)
npm supports Trusted Publishers, enabling packages to be published from GitHub Actions using OpenID Connect (OIDC) instead of long-lived npm tokens. This improves security by replacing static credentials with short-lived tokens, reducing the risk of credential leakage and simplifying authentication in CI/CD workflows.
### Requirements
Trusted publishing requires a compatible npm version:
* **npm ≥ 11.5.1 (required)**
* **Node.js 24 or newer (recommended)** — includes a compatible npm version by default
> If npm is below 11.5.1, publishing will fail even if OIDC permissions are correctly configured.
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
### Example workflow
```yaml
permissions:
contents: read
id-token: write # Required for OIDC
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: npm run build --if-present
- run: npm publish
```
> **Note**: If the Trusted Publisher configuration (GitHub owner/repo/workflow file, and optional environment) does not match the workflow run identity exactly, publishing may fail with **E404 Not Found** even if the package exists on npm.
For more details, see the [npm Trusted Publishers documentation](https://docs.npmjs.com/trusted-publishers) and the [GitHub Actions OpenID Connect (OIDC) overview](https://docs.github.com/en/actions/concepts/security/openid-connect).
## Use private mirror ## Use private mirror
It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution. It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution.

9
src/authutil.ts
View File

@ -46,8 +46,9 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string) {
newContents += `${authString}${os.EOL}${registryString}`; newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents); fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation); core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Only export NODE_AUTH_TOKEN if explicitly provided by user // Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it
if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) { core.exportVariable(
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN); 'NODE_AUTH_TOKEN',
} process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX'
);
} }