Limit GitHub tokens to github.com download URLs (#878)

This makes the Astral mirror slightly less special.
This commit is contained in:
Zsolt Dollenstein
2026-05-13 12:26:05 +01:00
committed by GitHub
parent 7568f55a9a
commit 853401723d
3 changed files with 47 additions and 8 deletions


@@ -223,7 +223,7 @@ describe("download-version", () => {
); );
}); });
it("does not rewrite non-GitHub URLs", async () => { it("does not send the token to non-GitHub URLs from the default manifest", async () => {
mockGetArtifact.mockResolvedValue({ mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz", archiveFormat: "tar.gz",
checksum: "abc123", checksum: "abc123",
@@ -241,8 +241,30 @@ describe("download-version", () => {
expect(mockDownloadTool).toHaveBeenCalledWith( expect(mockDownloadTool).toHaveBeenCalledWith(
"https://example.com/uv.tar.gz", "https://example.com/uv.tar.gz",
undefined, undefined,
undefined,
);
});
it("does not send the token to GitHub lookalike hosts", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
downloadUrl: "https://github.com.evil.test/uv.tar.gz",
});
await downloadVersion(
"unknown-linux-gnu",
"x86_64",
"0.9.26",
undefined,
"token", "token",
); );
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://github.com.evil.test/uv.tar.gz",
undefined,
undefined,
);
}); });
it("falls back to GitHub Releases when the mirror fails", async () => { it("falls back to GitHub Releases when the mirror fails", async () => {

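--- a/dist/setup/index.cjs
+++ b/dist/setup/index.cjs
@@ -97007,7 +97007,6 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
 const resolvedChecksum = manifestUrl === void 0 ? checksum : resolveChecksum(checksum, artifact.checksum);
 const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
 const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
-const downloadToken = mirrorUrl !== void 0 ? void 0 : githubToken;
 try {
 return await downloadArtifact(
 downloadUrl,
@@ -97016,7 +97015,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
 arch3,
 version3,
 resolvedChecksum,
-downloadToken
+githubTokenForUrl(downloadUrl, githubToken)
 );
 } catch (err) {
 if (mirrorUrl === void 0) {
@@ -97032,7 +97031,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
 arch3,
 version3,
 resolvedChecksum,
-githubToken
+githubTokenForUrl(artifact.downloadUrl, githubToken)
 );
 }
 }
@@ -97042,6 +97041,13 @@ function rewriteToMirror(url2) {
 }
 return ASTRAL_MIRROR_PREFIX + url2.slice(GITHUB_RELEASES_PREFIX.length);
 }
+function githubTokenForUrl(downloadUrl, githubToken) {
+try {
+return new URL(downloadUrl).origin === "https://github.com" ? githubToken : void 0;
+} catch {
+return void 0;
+}
+}
 async function downloadArtifact(downloadUrl, artifactName, platform2, arch3, version3, checksum, githubToken) {
 info(`Downloading uv from "${downloadUrl}" ...`);
 const downloadPath = await downloadTool(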


@@ -54,8 +54,6 @@ export async function downloadVersion(
const mirrorUrl = rewriteToMirror(artifact.downloadUrl); const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
const downloadUrl = mirrorUrl ?? artifact.downloadUrl; const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
// Don't send the GitHub token to the Astral mirror.
const downloadToken = mirrorUrl !== undefined ? undefined : githubToken;
try { try {
return await downloadArtifact( return await downloadArtifact(
@@ -65,7 +63,7 @@ export async function downloadVersion(
arch, arch,
version, version,
resolvedChecksum, resolvedChecksum,
downloadToken, githubTokenForUrl(downloadUrl, githubToken),
); );
} catch (err) { } catch (err) {
if (mirrorUrl === undefined) { if (mirrorUrl === undefined) {
@@ -83,7 +81,7 @@ export async function downloadVersion(
arch, arch,
version, version,
resolvedChecksum, resolvedChecksum,
githubToken, githubTokenForUrl(artifact.downloadUrl, githubToken),
); );
} }
} }
@@ -100,6 +98,19 @@ export function rewriteToMirror(url: string): string | undefined {
return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length); return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length);
} }
function githubTokenForUrl(
downloadUrl: string,
githubToken: string,
): string | undefined {
try {
return new URL(downloadUrl).origin === "https://github.com"
? githubToken
: undefined;
} catch {
return undefined;
}
}
async function downloadArtifact( async function downloadArtifact(
downloadUrl: string, downloadUrl: string,
artifactName: string, artifactName: string,