Limit GitHub tokens to github.com download URLs (#878)

This makes the Astral mirror slightly less special.
Zsolt Dollenstein
2026-05-13 12:26:05 +01:00
committed by GitHub
parent 7568f55a9a
commit 853401723d
3 changed files with 47 additions and 8 deletions


@@ -223,7 +223,7 @@ describe("download-version", () => {
);
});
it("does not rewrite non-GitHub URLs", async () => {
it("does not send the token to non-GitHub URLs from the default manifest", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
@@ -241,8 +241,30 @@ describe("download-version", () => {
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://example.com/uv.tar.gz",
undefined,
undefined,
);
});
it("does not send the token to GitHub lookalike hosts", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
downloadUrl: "https://github.com.evil.test/uv.tar.gz",
});
await downloadVersion(
"unknown-linux-gnu",
"x86_64",
"0.9.26",
undefined,
"token",
);
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://github.com.evil.test/uv.tar.gz",
undefined,
undefined,
);
});
it("falls back to GitHub Releases when the mirror fails", async () => {