Skip to content

[pull] main from actions:main#7

Open
pull[bot] wants to merge 605 commits intoGraybar-codespace:mainfrom
actions:main
Open

[pull] main from actions:main#7
pull[bot] wants to merge 605 commits intoGraybar-codespace:mainfrom
actions:main

Conversation

@pull
Copy link

@pull pull bot commented Oct 15, 2024
edited
Loading

See Commits and Changes for more details.

Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@sourcery-ai
Copy link

sourcery-ai bot commented Oct 15, 2024
edited
Loading

Reviewer's Guide by Sourcery

This pull request includes several significant changes across multiple packages in the actions/toolkit repository. The changes primarily focus on updating dependencies, improving error handling, enhancing security, and refactoring code for better performance and maintainability. Key updates include modifications to the artifact upload process, changes to OIDC token handling, improvements to the HTTP client, and updates to the glob and attest packages.

Class diagram for OIDC Token Handling

classDiagram
    class OIDCConfig {
        string issuer
        string jwks_uri
    }

    class ClaimSet {
        string iss
        string ref
        string sha
        string repository
        string event_name
        string job_workflow_ref
        string workflow_ref
        string repository_id
        string repository_owner_id
    }

    class OIDC {
        +getIDTokenClaims(issuer: string): Promise<ClaimSet>
        +decodeOIDCToken(token: string, issuer: string): Promise<JWTPayload>
        +getJWKS(issuer: string): Promise<JSONWebKeySet>
        +getIssuer(): string
    }

    OIDC --> OIDCConfig
    OIDC --> ClaimSet
Loading

Class diagram for HTTP Client Proxy Handling

classDiagram
    class DecodedURL {
        string username
        string password
        string href
    }

    class HttpClient {
        +getProxyUrl(reqUrl: URL): URL | undefined
        +getAgent(url: string): any
    }

    HttpClient --> DecodedURL
Loading

File-Level Changes

Change Details Files
Refactored artifact upload process
  • Updated chunk timeout logic
  • Implemented lazy stream to prevent issues with open file limits
  • Fixed a regression with symlinks not being automatically resolved
  • Improved error handling for upload progress stalling
 packages/artifact/__tests__/upload-artifact.test.ts
packages/artifact/src/internal/upload/blob-upload.ts
packages/artifact/src/internal/upload/upload-zip-specification.ts
packages/artifact/src/internal/upload/zip.ts
Enhanced OIDC token handling and attestation process
  • Updated OIDC token claim validation
  • Improved handling of enterprise-specific OIDC issuers
  • Added support for custom HTTP headers in attestation requests
  • Updated SLSA provenance predicate generation
 packages/attest/src/oidc.ts
packages/attest/src/provenance.ts
packages/attest/src/attest.ts
packages/attest/src/store.ts
Improved HTTP client functionality
  • Fixed handling of proxy usernames and passwords
  • Updated URL decoding for proxy authentication
  • Improved error handling for network requests
 packages/http-client/src/index.ts
packages/http-client/src/proxy.ts
Updated glob package with new features
  • Added option to exclude hidden files in glob searches
  • Improved handling of symlinks in glob results
 packages/glob/src/internal-glob-options.ts
packages/glob/src/internal-globber.ts
General dependency updates and security improvements
  • Updated various dependencies across packages
  • Replaced uuid package with native crypto.randomUUID()
  • Improved error messages and debugging information
 packages/artifact/RELEASES.md
packages/attest/RELEASES.md
packages/core/RELEASES.md
packages/glob/RELEASES.md
packages/http-client/RELEASES.md
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time. You can also use
    this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Oct 15, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, pull[bot]!). We assume it knows what it's doing!

@pull pull bot added the ⤵️ pull label Oct 15, 2024
danwkennedy and others added 27 commits September 24, 2025 20:21
@danwkennedy
Merge pull request #2136 from actions/dependabot/npm_and_yarn/package…
f2ba502 
…s/artifact/artifact-minor-patch-612b72ffd4

Bump the artifact-minor-patch group in /packages/artifact with 5 updates
@akashchi
lint
8444236
@danwkennedy
Merge pull request #2124 from akashchi/reject-on-download-failure
714f93a 
[ARTIFACT] Reject download promise if timeout was reached
@danwkennedy
Test: add a timeout test for downloading chunks from the stream
d26e942
@danwkennedy
Fix linting
9b08f07
@danwkennedy
Merge pull request #2133 from actions/danwkennedy/test-blob-stream-ti…
ddc5fa4 
…meout

Test: add a timeout test for downloading chunks from the stream
@salmanmkc
update with dist updates
33a9b6c
@GhadimiR @salmanmkc
remove cache size limit
308e05b
@GhadimiR @salmanmkc
new error state, tests to cover
36f30e6
@GhadimiR @salmanmkc
lint
d1c1fc4
@GhadimiR @salmanmkc
no need to resolve
0c907a4
@Link- @salmanmkc
Prepapre cache v4.1.0 release
59c7ebd
@danwkennedy @salmanmkc
Dependabot: add support for /packages/artifact and `/packages/cache
f9bdf6a
@danwkennedy @salmanmkc
Update the group names
ad4afee
@dependabot @salmanmkc
Bump the artifact-minor-patch group in /packages/artifact with 5 updates
2874e3a 
Bumps the artifact-minor-patch group in /packages/artifact with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.0` | `1.11.1` |
| [@azure/storage-blob](https://github.com/Azure/azure-sdk-for-js) | `12.15.0` | `12.28.0` |
| [@protobuf-ts/plugin](https://github.com/timostamm/protobuf-ts/tree/HEAD/packages/plugin) | `2.9.1` | `2.11.1` |
| [typedoc](https://github.com/TypeStrong/TypeDoc) | `0.25.4` | `0.28.13` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.2.2` | `5.9.2` |

Updates `@actions/core` from 1.10.0 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@azure/storage-blob` from 12.15.0 to 12.28.0
- [Release notes](https://github.com/Azure/azure-sdk-for-js/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/Changelog-for-next-generation.md)
- [Commits](https://github.com/Azure/azure-sdk-for-js/compare/@azure/storage-blob_12.15.0...@azure/storage-blob_12.28.0)

Updates `@protobuf-ts/plugin` from 2.9.1 to 2.11.1
- [Release notes](https://github.com/timostamm/protobuf-ts/releases)
- [Commits](https://github.com/timostamm/protobuf-ts/commits/v2.11.1/packages/plugin)

Updates `typedoc` from 0.25.4 to 0.28.13
- [Release notes](https://github.com/TypeStrong/TypeDoc/releases)
- [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md)
- [Commits](TypeStrong/typedoc@v0.25.4...v0.28.13)

Updates `typescript` from 5.2.2 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](microsoft/TypeScript@v5.2.2...v5.9.2)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: artifact-minor-patch
- dependency-name: "@azure/storage-blob"
  dependency-version: 12.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: artifact-minor-patch
- dependency-name: "@protobuf-ts/plugin"
  dependency-version: 2.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: artifact-minor-patch
- dependency-name: typedoc
  dependency-version: 0.28.13
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: artifact-minor-patch
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: artifact-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@danwkennedy @salmanmkc
Take a direct dependency on @azure/core-http
ee5d897
@danwkennedy @salmanmkc
fix: only mock the cpus() function on the os module instead of th…
9b4ee21 
…e whole module
@salmanmkc
update some version numbers, will revise in a bit
d44f9b8
@salmanmkc
Update workflows and documentation to use the latest versions of firs…
8024983 
…t party actions that are available (checkout, setup-node, github-script)

=
@salmanmkc
Keep attest at the same version
fb5ae2a
@salmanmkc
Remove the need to update packages/core
44b9401
@salmanmkc
Update package versions
d5af54e
@salmanmkc
package json
347c887
@salmanmkc
remove node 18
a8d1fb0
@salmanmkc
override for node-fetch
88a490d
@salmanmkc
Update HTTP tests to use HTTPS for postman-echo.com
b5befc6
@salmanmkc
Update tests to use HTTPS for postman-echo.com and adjust proxy envir…
57cd003 
…onment variable
danwkennedy and others added 30 commits January 28, 2026 13:33
@danwkennedy
@actions/io: convert to ESM module
5501ba0
@danwkennedy
Add release notes
9e060cb
@danwkennedy
@actions/io: export lib/io-util
758b556
@danwkennedy
@actions/io: update lock file version
a6e9f4b
@danwkennedy
@actions/exec: convert to ESM module
0fc1805
@danwkennedy
Bump @actions/io to 3.0.2
c9c663b
@danwkennedy
@actions/core: convert to ESM module
ed3ea3b
@danwkennedy
@actions/artifact: convert to an ESM module (#2266)
5793b08 
* `@actions/artifact`: convert to an ESM module

* Update the package-lock.json

* Undo the GHES ignores

* Fix the reference to `@actions/http-client` in the lock file

* Bump `@actions/core` to `3.0.0`

* Remove `jest.config.cjs`

* Import `OctoKitOptions` from `@octokit/core/types`

* Pull the package version from `package.json`

* Workaround getting the package version for the user-agent

* Fix the `archiver` import

* Fix linting
@danwkennedy
@actions/glob: convert to an ESM module (#2273)
7a0147b 
* `@actions/glob`: convert to an ESM module

* Update packages/glob/RELEASES.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@danwkennedy
@actions/tool-cache: convert to an ESM module (#2274)
9d912b1 
* `@actions/tool-cache`: convert to an ESM module

* Fix jest config

* Downgrade `nock` since it's conflicting with `@actions/attest`'s version
@danwkennedy
@actions/glob: fix minimatch imports (#2276)
b48854e
@danwkennedy
@actions/cache: convert to an ESM module (#2275)
ae29a27 
* `@actions/cache`: convert to an ESM module

* Update the fixture to ESM syntax

* Update the cache workflows

* Bump `@actions/glob` to `0.6.1`

* Fix awaiting in the cache unit tests

* Fix a type issues in contracts

* Export the `DownloadOptions`/`UploadOptions` like before

* More cache test fixes

* Make the cache units tests better

* Add some more logging

* Add retries to restore-cache.mjs
@danwkennedy
@actions/attest: convert to an ESM module (#2278)
0be0a6e
@dependabot
chore(deps): bump tar from 7.5.6 to 7.5.7 in /packages/attest
1c20378 
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.6 to 7.5.7.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.6...v7.5.7)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@tingx2wang
Merge pull request #2268 from actions/dependabot/npm_and_yarn/package…
ffae274 
…s/attest/tar-7.5.7

chore(deps): bump tar from 7.5.6 to 7.5.7 in /packages/attest
@danwkennedy
Artifact download: don't unzip non-zip artifacts (#2253)
975fcbd 
* Download artifact: don't extract the downloaded file if the content-type isn't a zip

* Remove unused `import`

* Add support for specifying whether to skip decompressing

* Prevent path traversal attacks

* Fix indenting

* Update packages/artifact/__tests__/download-artifact.test.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Parse the mime type out of the content-type header

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix some linting issues

* Swap `zip` for `application/zip-compressed`

* Test: negative check for malicious paths

* Increase the timeout on one of the tests

* Check the URL path for `.zip` to see if we can auto-decompress

* Fix linting issue

* Bump the package version and add release notes

* Remove `launch.json`

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@danwkennedy
Releases: use ubuntu-latest instead of macos-latest-large (#2284)
5203b67
@dependabot
chore(deps): bump fast-xml-parser in /packages/artifact (#2285)
8351a5d 
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.3 to 5.3.4.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.3...v5.3.4)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@danwkennedy
fix(tests): close sockets to remove a Jest warning about resources ou…
8c90e22 
…tliving their tests (#2279)
@danwkennedy
Artifact upload: support uploading single un-zipped files (#2256)
6fe3c0f 
* Artifact upload: support uploading single un-zipped files

* Fix linters

* Fix lint again

* Fix tests

* Check for 0 sized artifact lists

* Add some more stream tests and handle an upload failure gracefully

* Add CI tests for non-zipped artifacts

* Add an html report to test rendering in the browser

* Fix linting issue

* Artifact: bump the version and add release notes

* Fix Windows tests

* Fix linting

* stream: switch the error details to error type

* Refactor the validation logic in `uploadArtifact` a bit

* Added more details about how the name parameter is handled
@bdehamer
custom user-agent string for attestation API reqs
27e5a95 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer
Merge pull request #2320 from actions/bdehamer/attest-orchestration-id
605cc18 
custom user-agent string for attestation API reqs
@bdehamer
new user-agent string for storage record API reqs
7987771 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer
Update packages/attest/src/artifactMetadata.ts
69f29a1 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bdehamer
Merge pull request #2321 from actions/bdehamer/storage-record-orchest…
91d76be 
…ration-id

Custom user-agent string for storage record API reqs
@zaataylor
Update error message
49c3d09
@zaataylor
Update UsageError in cache
bd4fb08
@zaataylor
Merge pull request #2323 from actions/zaataylor-update-artifact-stora…
85466c0 
…ge-err-msg

Update artifact storage error message
@dependabot
chore(deps): bump tar from 7.5.7 to 7.5.10 in /packages/attest
89f01c9 
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.10.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.10)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@malancas
Merge pull request #2337 from actions/dependabot/npm_and_yarn/package…
6fd292e 
…s/attest/tar-7.5.10

chore(deps): bump tar from 7.5.7 to 7.5.10 in /packages/attest
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.