diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index a8f5be4acb..6633406b70 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -32,7 +32,7 @@ jobs: run: npm run bootstrap - name: audit tools (without allow-list) - run: npm audit --audit-level=moderate + run: npm audit --audit-level=moderate --omit dev - name: audit packages run: npm run audit-all diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 3f69cb63ee..592f7707f3 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -1,5 +1,7 @@ name: Publish NPM +run-name: Publish NPM - ${{ github.event.inputs.package }} + on: workflow_dispatch: inputs: diff --git a/package-lock.json b/package-lock.json index 05b29a241e..4bc6fcf8ff 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4925,12 +4925,13 @@ } }, "node_modules/axios": { - "version": "1.6.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz", - "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==", + "version": "1.7.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz", + "integrity": "sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==", "dev": true, + "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.0", + "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" } diff --git a/packages/attest/README.md b/packages/attest/README.md index 56e2adb535..8f004399a5 100644 --- a/packages/attest/README.md +++ b/packages/attest/README.md @@ -63,6 +63,8 @@ export type AttestOptions = { // Sigstore instance to use for signing. Must be one of "public-good" or // "github". sigstore?: 'public-good' | 'github' + // HTTP headers to include in request to attestations API. + headers?: {[header: string]: string | number | undefined} // Whether to skip writing the attestation to the GH attestations API. skipWrite?: boolean } @@ -113,6 +115,8 @@ export type AttestProvenanceOptions = { // Sigstore instance to use for signing. Must be one of "public-good" or // "github". sigstore?: 'public-good' | 'github' + // HTTP headers to include in request to attestations API. + headers?: {[header: string]: string | number | undefined} // Whether to skip writing the attestation to the GH attestations API. skipWrite?: boolean // Issuer URL responsible for minting the OIDC token from which the diff --git a/packages/attest/RELEASES.md b/packages/attest/RELEASES.md index 776cd2d6af..4e85ca3878 100644 --- a/packages/attest/RELEASES.md +++ b/packages/attest/RELEASES.md @@ -1,31 +1,40 @@ # @actions/attest Releases +### 1.4.1 + +- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805) + +### 1.4.0 + +- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790) +- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796) + ### 1.3.1 -- Fix bug with proxy support when retrieving JWKS for OIDC issuer +- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776) ### 1.3.0 -- Dynamic construction of Sigstore API URLs -- Switch to new GH provenance build type -- Fetch existing Rekor entry on 409 conflict error -- Bump @sigstore/bundle from 2.3.0 to 2.3.2 -- Bump @sigstore/sign from 2.3.0 to 2.3.2 +- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735) +- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745) +- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759) +- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738) +- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738) ### 1.2.1 -- Retry request on attestation persistence failure +- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725) ### 1.2.0 -- Generate attestations using the v0.3 Sigstore bundle format. -- Bump @sigstore/bundle from 2.2.0 to 2.3.0. -- Bump @sigstore/sign from 2.2.3 to 2.3.0. -- Remove dependency on make-fetch-happen +- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701) +- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701) +- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701) +- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714) ### 1.1.0 -- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement. +- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693) ### 1.0.0 diff --git a/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap b/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap index 39a57c226b..4c199dae92 100644 --- a/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap +++ b/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap @@ -9,7 +9,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance "workflow": { "path": ".github/workflows/main.yml", "ref": "main", - "repository": "https://github.com/owner/repo", + "repository": "https://foo.ghe.com/owner/repo", }, }, "internalParameters": { @@ -25,16 +25,16 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance "digest": { "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b", }, - "uri": "git+https://github.com/owner/repo@refs/heads/main", + "uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main", }, ], }, "runDetails": { "builder": { - "id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main", + "id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main", }, "metadata": { - "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt", + "invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt", }, }, }, diff --git a/packages/attest/__tests__/provenance.test.ts b/packages/attest/__tests__/provenance.test.ts index 3d61fff9a4..4dbfef5827 100644 --- a/packages/attest/__tests__/provenance.test.ts +++ b/packages/attest/__tests__/provenance.test.ts @@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance' describe('provenance functions', () => { const originalEnv = process.env - const issuer = 'https://example.com' + const issuer = 'https://token.actions.foo.ghe.com' const audience = 'nobody' const jwksPath = '/.well-known/jwks.json' const tokenPath = '/token' @@ -38,7 +38,7 @@ describe('provenance functions', () => { ...originalEnv, ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`, ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token', - GITHUB_SERVER_URL: 'https://github.com', + GITHUB_SERVER_URL: 'https://foo.ghe.com', GITHUB_REPOSITORY: claims.repository } @@ -68,7 +68,7 @@ describe('provenance functions', () => { describe('buildSLSAProvenancePredicate', () => { it('returns a provenance hydrated from an OIDC token', async () => { - const predicate = await buildSLSAProvenancePredicate(issuer) + const predicate = await buildSLSAProvenancePredicate() expect(predicate).toMatchSnapshot() }) }) @@ -96,9 +96,9 @@ describe('provenance functions', () => { }) describe('when using the github Sigstore instance', () => { - const {fulcioURL, tsaServerURL} = signingEndpoints('github') - beforeEach(async () => { + const {fulcioURL, tsaServerURL} = signingEndpoints('github') + // Mock Sigstore await mockFulcio({baseURL: fulcioURL, strict: false}) await mockTSA({baseURL: tsaServerURL}) @@ -118,8 +118,7 @@ describe('provenance functions', () => { subjectName, subjectDigest, token: 'token', - sigstore: 'github', - issuer + sigstore: 'github' }) expect(attestation).toBeDefined() @@ -146,8 +145,7 @@ describe('provenance functions', () => { const attestation = await attestProvenance({ subjectName, subjectDigest, - token: 'token', - issuer + token: 'token' }) expect(attestation).toBeDefined() @@ -183,8 +181,7 @@ describe('provenance functions', () => { subjectName, subjectDigest, token: 'token', - sigstore: 'public-good', - issuer + sigstore: 'public-good' }) expect(attestation).toBeDefined() @@ -211,8 +208,7 @@ describe('provenance functions', () => { const attestation = await attestProvenance({ subjectName, subjectDigest, - token: 'token', - issuer + token: 'token' }) expect(attestation).toBeDefined() @@ -238,8 +234,7 @@ describe('provenance functions', () => { subjectDigest, token: 'token', sigstore: 'public-good', - skipWrite: true, - issuer + skipWrite: true }) expect(attestation).toBeDefined() diff --git a/packages/attest/__tests__/store.test.ts b/packages/attest/__tests__/store.test.ts index 205e042717..5dd31c2f2f 100644 --- a/packages/attest/__tests__/store.test.ts +++ b/packages/attest/__tests__/store.test.ts @@ -5,6 +5,7 @@ describe('writeAttestation', () => { const originalEnv = process.env const attestation = {foo: 'bar '} const token = 'token' + const headers = {'X-GitHub-Foo': 'true'} const mockAgent = new MockAgent() setGlobalDispatcher(mockAgent) @@ -27,14 +28,16 @@ describe('writeAttestation', () => { .intercept({ path: '/repos/foo/bar/attestations', method: 'POST', - headers: {authorization: `token ${token}`}, + headers: {authorization: `token ${token}`, ...headers}, body: JSON.stringify({bundle: attestation}) }) .reply(201, {id: '123'}) }) it('persists the attestation', async () => { - await expect(writeAttestation(attestation, token)).resolves.toEqual('123') + await expect( + writeAttestation(attestation, token, {headers}) + ).resolves.toEqual('123') }) }) diff --git a/packages/attest/package-lock.json b/packages/attest/package-lock.json index b52d2a4e1e..17b728496e 100644 --- a/packages/attest/package-lock.json +++ b/packages/attest/package-lock.json @@ -1,17 +1,17 @@ { "name": "@actions/attest", - "version": "1.3.1", + "version": "1.4.1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "@actions/attest", - "version": "1.3.1", + "version": "1.4.1", "license": "MIT", "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@actions/http-client": "^2.2.1", + "@actions/http-client": "^2.2.3", "@octokit/plugin-retry": "^6.0.1", "@sigstore/bundle": "^2.3.2", "@sigstore/sign": "^2.3.2", @@ -46,9 +46,9 @@ } }, "node_modules/@actions/http-client": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz", - "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", "dependencies": { "tunnel": "^0.0.6", "undici": "^5.25.4" @@ -1767,9 +1767,9 @@ } }, "@actions/http-client": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz", - "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", "requires": { "tunnel": "^0.0.6", "undici": "^5.25.4" diff --git a/packages/attest/package.json b/packages/attest/package.json index cf8e32af50..224e948ab8 100644 --- a/packages/attest/package.json +++ b/packages/attest/package.json @@ -1,6 +1,6 @@ { "name": "@actions/attest", - "version": "1.3.1", + "version": "1.4.1", "description": "Actions attestation lib", "keywords": [ "github", @@ -44,7 +44,7 @@ "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@actions/http-client": "^2.2.1", + "@actions/http-client": "^2.2.3", "@octokit/plugin-retry": "^6.0.1", "@sigstore/bundle": "^2.3.2", "@sigstore/sign": "^2.3.2", diff --git a/packages/attest/src/attest.ts b/packages/attest/src/attest.ts index 430f2413ec..85c6301386 100644 --- a/packages/attest/src/attest.ts +++ b/packages/attest/src/attest.ts @@ -28,6 +28,8 @@ export type AttestOptions = { // Sigstore instance to use for signing. Must be one of "public-good" or // "github". sigstore?: SigstoreInstance + // HTTP headers to include in request to attestations API. + headers?: {[header: string]: string | number | undefined} // Whether to skip writing the attestation to the GH attestations API. skipWrite?: boolean } @@ -61,7 +63,11 @@ export async function attest(options: AttestOptions): Promise { // Store the attestation let attestationID: string | undefined if (options.skipWrite !== true) { - attestationID = await writeAttestation(bundleToJSON(bundle), options.token) + attestationID = await writeAttestation( + bundleToJSON(bundle), + options.token, + {headers: options.headers} + ) } return toAttestation(bundle, attestationID) diff --git a/packages/attest/src/oidc.ts b/packages/attest/src/oidc.ts index 69e18d9718..f855469cc8 100644 --- a/packages/attest/src/oidc.ts +++ b/packages/attest/src/oidc.ts @@ -4,6 +4,11 @@ import * as jose from 'jose' const OIDC_AUDIENCE = 'nobody' +const VALID_SERVER_URLS = [ + 'https://github.com', + new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$') +] as const + const REQUIRED_CLAIMS = [ 'iss', 'ref', @@ -25,7 +30,8 @@ type OIDCConfig = { jwks_uri: string } -export const getIDTokenClaims = async (issuer: string): Promise => { +export const getIDTokenClaims = async (issuer?: string): Promise => { + issuer = issuer || getIssuer() try { const token = await getIDToken(OIDC_AUDIENCE) const claims = await decodeOIDCToken(token, issuer) @@ -82,3 +88,21 @@ function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet { throw new Error(`Missing claims: ${missingClaims.join(', ')}`) } } + +// Derive the current OIDC issuer based on the server URL +function getIssuer(): string { + const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com' + + // Ensure the server URL is a valid GitHub server URL + if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) { + throw new Error(`Invalid server URL: ${serverURL}`) + } + + let host = new URL(serverURL).hostname + + if (host === 'github.com') { + host = 'githubusercontent.com' + } + + return `https://token.actions.${host}` +} diff --git a/packages/attest/src/provenance.ts b/packages/attest/src/provenance.ts index 0ef89e01cc..09aa64f707 100644 --- a/packages/attest/src/provenance.ts +++ b/packages/attest/src/provenance.ts @@ -5,8 +5,6 @@ import type {Attestation, Predicate} from './shared.types' const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1' const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1' -const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com' - export type AttestProvenanceOptions = Omit< AttestOptions, 'predicate' | 'predicateType' @@ -24,7 +22,7 @@ export type AttestProvenanceOptions = Omit< * @returns The SLSA provenance predicate. */ export const buildSLSAProvenancePredicate = async ( - issuer: string = DEFAULT_ISSUER + issuer?: string ): Promise => { const serverURL = process.env.GITHUB_SERVER_URL const claims = await getIDTokenClaims(issuer) diff --git a/packages/attest/src/store.ts b/packages/attest/src/store.ts index 20c7666deb..71fdf53ceb 100644 --- a/packages/attest/src/store.ts +++ b/packages/attest/src/store.ts @@ -1,11 +1,13 @@ import * as github from '@actions/github' import {retry} from '@octokit/plugin-retry' +import {RequestHeaders} from '@octokit/types' const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations' const DEFAULT_RETRY_COUNT = 5 export type WriteOptions = { retry?: number + headers?: RequestHeaders } /** * Writes an attestation to the repository's attestations endpoint. @@ -26,6 +28,7 @@ export const writeAttestation = async ( const response = await octokit.request(CREATE_ATTESTATION_REQUEST, { owner: github.context.repo.owner, repo: github.context.repo.repo, + headers: options.headers, data: {bundle: attestation} }) diff --git a/packages/glob/RELEASES.md b/packages/glob/RELEASES.md index 84aa06bedb..142cae8d9c 100644 --- a/packages/glob/RELEASES.md +++ b/packages/glob/RELEASES.md @@ -1,5 +1,8 @@ # @actions/glob Releases +### 0.5.0 +- Added `excludeHiddenFiles` option, which is disabled by default to preserve existing behavior [#1791: Add glob option to ignore hidden files](https://github.com/actions/toolkit/pull/1791) + ### 0.4.0 - Pass in the current workspace as a parameter to HashFiles [#1318](https://github.com/actions/toolkit/pull/1318) diff --git a/packages/glob/__tests__/internal-globber.test.ts b/packages/glob/__tests__/internal-globber.test.ts index 4ae670fe60..4b9d22ad13 100644 --- a/packages/glob/__tests__/internal-globber.test.ts +++ b/packages/glob/__tests__/internal-globber.test.ts @@ -708,7 +708,7 @@ describe('globber', () => { expect(itemPaths).toEqual([]) }) - it('returns hidden files', async () => { + it('returns hidden files by default', async () => { // Create the following layout: // // /.emptyFolder @@ -734,6 +734,26 @@ describe('globber', () => { ]) }) + it('ignores hidden files when excludeHiddenFiles is set', async () => { + // Create the following layout: + // + // /.emptyFolder + // /.file + // /.folder + // /.folder/file + const root = path.join(getTestTemp(), 'ignores-hidden-files') + await createHiddenDirectory(path.join(root, '.emptyFolder')) + await createHiddenDirectory(path.join(root, '.folder')) + await createHiddenFile(path.join(root, '.file'), 'test .file content') + await fs.writeFile( + path.join(root, '.folder', 'file'), + 'test .folder/file content' + ) + + const itemPaths = await glob(root, {excludeHiddenFiles: true}) + expect(itemPaths).toEqual([root]) + }) + it('returns normalized paths', async () => { // Create the following layout: // /hello/world.txt diff --git a/packages/glob/package-lock.json b/packages/glob/package-lock.json index 7b95425994..17817543d9 100644 --- a/packages/glob/package-lock.json +++ b/packages/glob/package-lock.json @@ -1,6 +1,6 @@ { "name": "@actions/glob", - "version": "0.4.0", + "version": "0.5.0", "lockfileVersion": 3, "requires": true, "description": "Actions glob lib", diff --git a/packages/glob/package.json b/packages/glob/package.json index 62e6bd2935..637f9c6ad8 100644 --- a/packages/glob/package.json +++ b/packages/glob/package.json @@ -1,6 +1,6 @@ { "name": "@actions/glob", - "version": "0.4.0", + "version": "0.5.0", "preview": true, "description": "Actions glob lib", "keywords": [ diff --git a/packages/glob/src/internal-glob-options-helper.ts b/packages/glob/src/internal-glob-options-helper.ts index c798b16510..f1dd5fe970 100644 --- a/packages/glob/src/internal-glob-options-helper.ts +++ b/packages/glob/src/internal-glob-options-helper.ts @@ -9,7 +9,8 @@ export function getOptions(copy?: GlobOptions): GlobOptions { followSymbolicLinks: true, implicitDescendants: true, matchDirectories: true, - omitBrokenSymbolicLinks: true + omitBrokenSymbolicLinks: true, + excludeHiddenFiles: false } if (copy) { @@ -32,6 +33,11 @@ export function getOptions(copy?: GlobOptions): GlobOptions { result.omitBrokenSymbolicLinks = copy.omitBrokenSymbolicLinks core.debug(`omitBrokenSymbolicLinks '${result.omitBrokenSymbolicLinks}'`) } + + if (typeof copy.excludeHiddenFiles === 'boolean') { + result.excludeHiddenFiles = copy.excludeHiddenFiles + core.debug(`excludeHiddenFiles '${result.excludeHiddenFiles}'`) + } } return result diff --git a/packages/glob/src/internal-glob-options.ts b/packages/glob/src/internal-glob-options.ts index ac1e93f177..8b721550d7 100644 --- a/packages/glob/src/internal-glob-options.ts +++ b/packages/glob/src/internal-glob-options.ts @@ -36,4 +36,13 @@ export interface GlobOptions { * @default true */ omitBrokenSymbolicLinks?: boolean + + /** + * Indicates whether to exclude hidden files (files and directories starting with a `.`). + * This does not apply to Windows files and directories with the hidden attribute unless + * they are also prefixed with a `.`. + * + * @default false + */ + excludeHiddenFiles?: boolean } diff --git a/packages/glob/src/internal-globber.ts b/packages/glob/src/internal-globber.ts index 3978d625bf..7f56b9b5c2 100644 --- a/packages/glob/src/internal-globber.ts +++ b/packages/glob/src/internal-globber.ts @@ -128,6 +128,11 @@ export class DefaultGlobber implements Globber { continue } + // Hidden file or directory? + if (options.excludeHiddenFiles && path.basename(item.path).match(/^\./)) { + continue + } + // Directory if (stats.isDirectory()) { // Matched diff --git a/packages/http-client/RELEASES.md b/packages/http-client/RELEASES.md index be4ce0857d..6d9ccf5d19 100644 --- a/packages/http-client/RELEASES.md +++ b/packages/http-client/RELEASES.md @@ -1,5 +1,14 @@ ## Releases +## 2.2.3 +- Fixed an issue where proxy username and password were not handled correctly [#1799](https://github.com/actions/toolkit/pull/1799) + +## 2.2.2 +- Better handling of url encoded usernames and passwords in proxy config [#1782](https://github.com/actions/toolkit/pull/1782) + +## 2.2.1 +- Make sure RequestOptions.keepAlive is applied properly on node20 runtime [#1572](https://github.com/actions/toolkit/pull/1572) + ## 2.2.0 - Add function to return proxy agent dispatcher for compatibility with latest octokit packages [#1547](https://github.com/actions/toolkit/pull/1547) diff --git a/packages/http-client/__tests__/basics.test.ts b/packages/http-client/__tests__/basics.test.ts index 1e715ce933..8d93abb3a2 100644 --- a/packages/http-client/__tests__/basics.test.ts +++ b/packages/http-client/__tests__/basics.test.ts @@ -37,7 +37,7 @@ describe('basics', () => { // "user-agent": "typed-test-client-tests" // }, // "origin": "173.95.152.44", - // "url": "https://postman-echo.com/get" + // "url": "http://postman-echo.com/get" // } it('does basic http get request', async () => { @@ -63,16 +63,17 @@ describe('basics', () => { expect(obj.headers['user-agent']).toBeFalsy() }) + /* TODO write a mock rather then relying on a third party it('does basic https get request', async () => { const res: httpm.HttpClientResponse = await _http.get( - 'https://postman-echo.com/get' + 'http://postman-echo.com/get' ) expect(res.message.statusCode).toBe(200) const body: string = await res.readBody() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') }) - +*/ it('does basic http get request with default headers', async () => { const http: httpm.HttpClient = new httpm.HttpClient( 'http-client-tests', @@ -125,12 +126,12 @@ describe('basics', () => { it('pipes a get request', async () => { return new Promise(async resolve => { const file = fs.createWriteStream(sampleFilePath) - ;(await _http.get('https://postman-echo.com/get')).message + ;(await _http.get('http://postman-echo.com/get')).message .pipe(file) .on('close', () => { const body: string = fs.readFileSync(sampleFilePath).toString() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') resolve() }) }) @@ -138,32 +139,32 @@ describe('basics', () => { it('does basic get request with redirects', async () => { const res: httpm.HttpClientResponse = await _http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://postman-echo.com/get' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://postman-echo.com/get' )}` ) expect(res.message.statusCode).toBe(200) const body: string = await res.readBody() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') }) it('does basic get request with redirects (303)', async () => { const res: httpm.HttpClientResponse = await _http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://postman-echo.com/get' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://postman-echo.com/get' )}&status_code=303` ) expect(res.message.statusCode).toBe(200) const body: string = await res.readBody() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') }) it('returns 404 for not found get request on redirect', async () => { const res: httpm.HttpClientResponse = await _http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://postman-echo.com/status/404' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://postman-echo.com/status/404' )}&status_code=303` ) expect(res.message.statusCode).toBe(404) @@ -177,8 +178,8 @@ describe('basics', () => { {allowRedirects: false} ) const res: httpm.HttpClientResponse = await http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://postman-echo.com/get' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://postman-echo.com/get' )}` ) expect(res.message.statusCode).toBe(302) @@ -191,8 +192,8 @@ describe('basics', () => { authorization: 'shhh' } const res: httpm.HttpClientResponse = await _http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://www.postman-echo.com/get' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://www.postman-echo.com/get' )}`, headers ) @@ -204,7 +205,7 @@ describe('basics', () => { expect(obj.headers[httpm.Headers.Accept]).toBe('application/json') expect(obj.headers['Authorization']).toBeUndefined() expect(obj.headers['authorization']).toBeUndefined() - expect(obj.url).toBe('https://www.postman-echo.com/get') + expect(obj.url).toBe('http://www.postman-echo.com/get') }) it('does not pass Auth with diff hostname redirects', async () => { @@ -213,8 +214,8 @@ describe('basics', () => { Authorization: 'shhh' } const res: httpm.HttpClientResponse = await _http.get( - `https://postman-echo.com/redirect-to?url=${encodeURIComponent( - 'https://www.postman-echo.com/get' + `http://postman-echo.com/redirect-to?url=${encodeURIComponent( + 'http://www.postman-echo.com/get' )}`, headers ) @@ -226,7 +227,7 @@ describe('basics', () => { expect(obj.headers[httpm.Headers.Accept]).toBe('application/json') expect(obj.headers['Authorization']).toBeUndefined() expect(obj.headers['authorization']).toBeUndefined() - expect(obj.url).toBe('https://www.postman-echo.com/get') + expect(obj.url).toBe('http://www.postman-echo.com/get') }) it('does basic head request', async () => { @@ -289,11 +290,11 @@ describe('basics', () => { it('gets a json object', async () => { const jsonObj = await _http.getJson( - 'https://postman-echo.com/get' + 'http://postman-echo.com/get' ) expect(jsonObj.statusCode).toBe(200) expect(jsonObj.result).toBeDefined() - expect(jsonObj.result?.url).toBe('https://postman-echo.com/get') + expect(jsonObj.result?.url).toBe('http://postman-echo.com/get') expect(jsonObj.result?.headers[httpm.Headers.Accept]).toBe( httpm.MediaTypes.ApplicationJson ) @@ -304,7 +305,7 @@ describe('basics', () => { it('getting a non existent json object returns null', async () => { const jsonObj = await _http.getJson( - 'https://postman-echo.com/status/404' + 'http://postman-echo.com/status/404' ) expect(jsonObj.statusCode).toBe(404) expect(jsonObj.result).toBeNull() @@ -313,12 +314,12 @@ describe('basics', () => { it('posts a json object', async () => { const res = {name: 'foo'} const restRes = await _http.postJson( - 'https://postman-echo.com/post', + 'http://postman-echo.com/post', res ) expect(restRes.statusCode).toBe(200) expect(restRes.result).toBeDefined() - expect(restRes.result?.url).toBe('https://postman-echo.com/post') + expect(restRes.result?.url).toBe('http://postman-echo.com/post') expect(restRes.result?.json.name).toBe('foo') expect(restRes.result?.headers[httpm.Headers.Accept]).toBe( httpm.MediaTypes.ApplicationJson @@ -334,12 +335,12 @@ describe('basics', () => { it('puts a json object', async () => { const res = {name: 'foo'} const restRes = await _http.putJson( - 'https://postman-echo.com/put', + 'http://postman-echo.com/put', res ) expect(restRes.statusCode).toBe(200) expect(restRes.result).toBeDefined() - expect(restRes.result?.url).toBe('https://postman-echo.com/put') + expect(restRes.result?.url).toBe('http://postman-echo.com/put') expect(restRes.result?.json.name).toBe('foo') expect(restRes.result?.headers[httpm.Headers.Accept]).toBe( @@ -356,12 +357,12 @@ describe('basics', () => { it('patch a json object', async () => { const res = {name: 'foo'} const restRes = await _http.patchJson( - 'https://postman-echo.com/patch', + 'http://postman-echo.com/patch', res ) expect(restRes.statusCode).toBe(200) expect(restRes.result).toBeDefined() - expect(restRes.result?.url).toBe('https://postman-echo.com/patch') + expect(restRes.result?.url).toBe('http://postman-echo.com/patch') expect(restRes.result?.json.name).toBe('foo') expect(restRes.result?.headers[httpm.Headers.Accept]).toBe( httpm.MediaTypes.ApplicationJson diff --git a/packages/http-client/__tests__/headers.test.ts b/packages/http-client/__tests__/headers.test.ts index c1ca0ec319..887d93332f 100644 --- a/packages/http-client/__tests__/headers.test.ts +++ b/packages/http-client/__tests__/headers.test.ts @@ -12,7 +12,7 @@ describe('headers', () => { it('preserves existing headers on getJson', async () => { const additionalHeaders = {[httpm.Headers.Accept]: 'foo'} let jsonObj = await _http.getJson( - 'https://postman-echo.com/get', + 'http://postman-echo.com/get', additionalHeaders ) expect(jsonObj.result.headers[httpm.Headers.Accept]).toBe('foo') @@ -26,7 +26,7 @@ describe('headers', () => { [httpm.Headers.Accept]: 'baz' } } - jsonObj = await httpWithHeaders.getJson('https://postman-echo.com/get') + jsonObj = await httpWithHeaders.getJson('http://postman-echo.com/get') expect(jsonObj.result.headers[httpm.Headers.Accept]).toBe('baz') expect(jsonObj.headers[httpm.Headers.ContentType]).toContain( httpm.MediaTypes.ApplicationJson @@ -36,7 +36,7 @@ describe('headers', () => { it('preserves existing headers on postJson', async () => { const additionalHeaders = {[httpm.Headers.Accept]: 'foo'} let jsonObj = await _http.postJson( - 'https://postman-echo.com/post', + 'http://postman-echo.com/post', {}, additionalHeaders ) @@ -52,7 +52,7 @@ describe('headers', () => { } } jsonObj = await httpWithHeaders.postJson( - 'https://postman-echo.com/post', + 'http://postman-echo.com/post', {} ) expect(jsonObj.result.headers[httpm.Headers.Accept]).toBe('baz') @@ -64,7 +64,7 @@ describe('headers', () => { it('preserves existing headers on putJson', async () => { const additionalHeaders = {[httpm.Headers.Accept]: 'foo'} let jsonObj = await _http.putJson( - 'https://postman-echo.com/put', + 'http://postman-echo.com/put', {}, additionalHeaders ) @@ -80,7 +80,7 @@ describe('headers', () => { } } jsonObj = await httpWithHeaders.putJson( - 'https://postman-echo.com/put', + 'http://postman-echo.com/put', {} ) expect(jsonObj.result.headers[httpm.Headers.Accept]).toBe('baz') @@ -92,7 +92,7 @@ describe('headers', () => { it('preserves existing headers on patchJson', async () => { const additionalHeaders = {[httpm.Headers.Accept]: 'foo'} let jsonObj = await _http.patchJson( - 'https://postman-echo.com/patch', + 'http://postman-echo.com/patch', {}, additionalHeaders ) @@ -108,7 +108,7 @@ describe('headers', () => { } } jsonObj = await httpWithHeaders.patchJson( - 'https://postman-echo.com/patch', + 'http://postman-echo.com/patch', {} ) expect(jsonObj.result.headers[httpm.Headers.Accept]).toBe('baz') diff --git a/packages/http-client/__tests__/proxy.test.ts b/packages/http-client/__tests__/proxy.test.ts index c921b4bc00..fe29b6b125 100644 --- a/packages/http-client/__tests__/proxy.test.ts +++ b/packages/http-client/__tests__/proxy.test.ts @@ -222,30 +222,33 @@ describe('proxy', () => { expect(_proxyConnects).toHaveLength(0) }) + // TODO mock this out so we don't rely on a third party + /* it('HttpClient does basic https get request through proxy', async () => { process.env['https_proxy'] = _proxyUrl const httpClient = new httpm.HttpClient() const res: httpm.HttpClientResponse = await httpClient.get( - 'https://postman-echo.com/get' + 'http://postman-echo.com/get' ) expect(res.message.statusCode).toBe(200) const body: string = await res.readBody() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') expect(_proxyConnects).toEqual(['postman-echo.com:443']) }) + */ - it('HttpClient does basic https get request when bypass proxy', async () => { - process.env['https_proxy'] = _proxyUrl + it('HttpClient does basic http get request when bypass proxy', async () => { + process.env['http_proxy'] = _proxyUrl process.env['no_proxy'] = 'postman-echo.com' const httpClient = new httpm.HttpClient() const res: httpm.HttpClientResponse = await httpClient.get( - 'https://postman-echo.com/get' + 'http://postman-echo.com/get' ) expect(res.message.statusCode).toBe(200) const body: string = await res.readBody() const obj = JSON.parse(body) - expect(obj.url).toBe('https://postman-echo.com/get') + expect(obj.url).toBe('http://postman-echo.com/get') expect(_proxyConnects).toHaveLength(0) }) @@ -304,6 +307,18 @@ describe('proxy', () => { console.log(agent) expect(agent instanceof ProxyAgent).toBe(true) }) + + it('proxyAuth is set in tunnel agent when authentication is provided with URIencoding', async () => { + process.env['https_proxy'] = + 'http://user%40github.com:p%40ssword@127.0.0.1:8080' + const httpClient = new httpm.HttpClient() + const agent: any = httpClient.getAgent('https://some-url') + // eslint-disable-next-line no-console + console.log(agent) + expect(agent.proxyOptions.host).toBe('127.0.0.1') + expect(agent.proxyOptions.port).toBe('8080') + expect(agent.proxyOptions.proxyAuth).toBe('user@github.com:p@ssword') + }) }) function _clearVars(): void { diff --git a/packages/http-client/package-lock.json b/packages/http-client/package-lock.json index 52038ad373..823b38b785 100644 --- a/packages/http-client/package-lock.json +++ b/packages/http-client/package-lock.json @@ -1,6 +1,6 @@ { "name": "@actions/http-client", - "version": "2.2.1", + "version": "2.2.3", "lockfileVersion": 2, "requires": true, "packages": { diff --git a/packages/http-client/package.json b/packages/http-client/package.json index 0ae89c34bb..3960a83a5f 100644 --- a/packages/http-client/package.json +++ b/packages/http-client/package.json @@ -1,6 +1,6 @@ { "name": "@actions/http-client", - "version": "2.2.1", + "version": "2.2.3", "description": "Actions Http Client", "keywords": [ "github", diff --git a/packages/http-client/src/index.ts b/packages/http-client/src/index.ts index 6f575f7d13..6ee9ae43a5 100644 --- a/packages/http-client/src/index.ts +++ b/packages/http-client/src/index.ts @@ -726,7 +726,9 @@ export class HttpClient { uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1, ...((proxyUrl.username || proxyUrl.password) && { - token: `${proxyUrl.username}:${proxyUrl.password}` + token: `Basic ${Buffer.from( + `${proxyUrl.username}:${proxyUrl.password}` + ).toString('base64')}` }) }) this._proxyAgentDispatcher = proxyAgent diff --git a/packages/http-client/src/proxy.ts b/packages/http-client/src/proxy.ts index 32afce6a21..3a9c6834ec 100644 --- a/packages/http-client/src/proxy.ts +++ b/packages/http-client/src/proxy.ts @@ -15,10 +15,10 @@ export function getProxyUrl(reqUrl: URL): URL | undefined { if (proxyVar) { try { - return new URL(proxyVar) + return new DecodedURL(proxyVar) } catch { if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://')) - return new URL(`http://${proxyVar}`) + return new DecodedURL(`http://${proxyVar}`) } } else { return undefined @@ -87,3 +87,22 @@ function isLoopbackAddress(host: string): boolean { hostLower.startsWith('[0:0:0:0:0:0:0:1]') ) } + +class DecodedURL extends URL { + private _decodedUsername: string + private _decodedPassword: string + + constructor(url: string | URL, base?: string | URL) { + super(url, base) + this._decodedUsername = decodeURIComponent(super.username) + this._decodedPassword = decodeURIComponent(super.password) + } + + get username(): string { + return this._decodedUsername + } + + get password(): string { + return this._decodedPassword + } +}