diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml index 87c0207..6001733 100644 --- a/.github/workflows/publish-immutable-actions.yml +++ b/.github/workflows/publish-immutable-actions.yml @@ -2,7 +2,7 @@ name: 'Publish Immutable Action Version' on: release: - types: [published] + types: [released] jobs: publish: diff --git a/.licenses/npm/@actions/cache.dep.yml b/.licenses/npm/@actions/cache.dep.yml index 3cfa1e1..f70b140 100644 --- a/.licenses/npm/@actions/cache.dep.yml +++ b/.licenses/npm/@actions/cache.dep.yml @@ -1,6 +1,6 @@ --- name: "@actions/cache" -version: 4.0.1 +version: 4.0.3 type: npm summary: Actions cache lib homepage: https://github.com/actions/toolkit/tree/main/packages/cache diff --git a/README.md b/README.md index 3f07f15..4fd0956 100644 --- a/README.md +++ b/README.md @@ -335,9 +335,23 @@ There are a number of community practices/workarounds to fulfill specific requir Please note that Windows environment variables (like `%LocalAppData%`) will NOT be expanded by this action. Instead, prefer using `~` in your paths which will expand to the HOME directory. For example, instead of `%LocalAppData%`, use `~\AppData\Local`. For a list of supported default environment variables, see the [Learn GitHub Actions: Variables](https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables) page. -## Contributing +## Note -We would love for you to contribute to `actions/cache`. Pull requests are welcome! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) for more information. +Thank you for your interest in this GitHub repo, however, right now we are not taking contributions. + +We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in. + +We are taking the following steps to better direct requests related to GitHub Actions, including: + +1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions) + +2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report. + +3. Security Issues should be handled as per our [security.md](SECURITY.md). + +We will still provide security updates for this project and fix major breaking changes during this time. + +You are welcome to still raise bugs in this repo. ## License diff --git a/RELEASES.md b/RELEASES.md index 7b30131..b859f15 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -1,5 +1,13 @@ # Releases +### 4.2.3 + +- Bump `@actions/cache` to v4.0.3 (obfuscates SAS token in debug logs for cache entries) + +### 4.2.2 + +- Bump `@actions/cache` to v4.0.2 + ### 4.2.1 - Bump `@actions/cache` to v4.0.1 diff --git a/dist/restore-only/index.js b/dist/restore-only/index.js index 503d521..c42c938 100644 --- a/dist/restore-only/index.js +++ b/dist/restore-only/index.js @@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr }; const response = yield twirpClient.GetCacheEntryDownloadURL(request); if (!response.ok) { - core.debug(`Cache not found for keys: ${keys.join(', ')}`); + core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; } core.info(`Cache hit for: ${request.key}`); @@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) { key, version }; - const response = yield twirpClient.CreateCacheEntry(request); - if (!response.ok) { + let signedUploadUrl; + try { + const response = yield twirpClient.CreateCacheEntry(request); + if (!response.ok) { + throw new Error('Response was not ok'); + } + signedUploadUrl = response.signedUploadUrl; + } + catch (error) { + core.debug(`Failed to reserve cache: ${error}`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); } core.debug(`Attempting to upload cache located at: ${archivePath}`); - yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); + yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options); const finalizeRequest = { key, version, @@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299); const auth_1 = __nccwpck_require__(4552); const http_client_1 = __nccwpck_require__(4844); const cache_twirp_client_1 = __nccwpck_require__(1486); +const util_1 = __nccwpck_require__(7564); /** * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * @@ -2255,6 +2264,7 @@ class CacheServiceClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString; /***/ }), +/***/ 7564: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.maskSecretUrls = exports.maskSigUrl = void 0; +const core_1 = __nccwpck_require__(7484); +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * + * @param url - The URL containing the signature parameter to mask + * @remarks + * This function attempts to parse the provided URL and identify the 'sig' query parameter. + * If found, it registers both the raw and URL-encoded signature values as secrets using + * the Actions `setSecret` API, which prevents them from being displayed in logs. + * + * The function handles errors gracefully if URL parsing fails, logging them as debug messages. + * + * @example + * ```typescript + * // Mask a signature in an Azure SAS token URL + * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01'); + * ``` + */ +function maskSigUrl(url) { + if (!url) + return; + try { + const parsedUrl = new URL(url); + const signature = parsedUrl.searchParams.get('sig'); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + } + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`); + } +} +exports.maskSigUrl = maskSigUrl; +/** + * Masks sensitive information in URLs containing signature parameters. + * Currently supports masking 'sig' parameters in the 'signed_upload_url' + * and 'signed_download_url' properties of the provided object. + * + * @param body - The object should contain a signature + * @remarks + * This function extracts URLs from the object properties and calls maskSigUrl + * on each one to redact sensitive signature information. The function doesn't + * modify the original object; it only marks the signatures as secrets for + * logging purposes. + * + * @example + * ```typescript + * const responseBody = { + * signed_upload_url: 'https://blob.core.windows.net/?sig=abc123', + * signed_download_url: 'https://blob.core/windows.net/?sig=def456' + * }; + * maskSecretUrls(responseBody); + * ``` + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + if ('signed_upload_url' in body && + typeof body.signed_upload_url === 'string') { + maskSigUrl(body.signed_upload_url); + } + if ('signed_download_url' in body && + typeof body.signed_download_url === 'string') { + maskSigUrl(body.signed_download_url); + } +} +exports.maskSecretUrls = maskSecretUrls; +//# sourceMappingURL=util.js.map + +/***/ }), + /***/ 5321: /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { @@ -65309,7 +65400,7 @@ module.exports = require("zlib"); /***/ ((module) => { "use strict"; -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); /***/ }), diff --git a/dist/restore/index.js b/dist/restore/index.js index 447c0c1..95f7849 100644 --- a/dist/restore/index.js +++ b/dist/restore/index.js @@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr }; const response = yield twirpClient.GetCacheEntryDownloadURL(request); if (!response.ok) { - core.debug(`Cache not found for keys: ${keys.join(', ')}`); + core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; } core.info(`Cache hit for: ${request.key}`); @@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) { key, version }; - const response = yield twirpClient.CreateCacheEntry(request); - if (!response.ok) { + let signedUploadUrl; + try { + const response = yield twirpClient.CreateCacheEntry(request); + if (!response.ok) { + throw new Error('Response was not ok'); + } + signedUploadUrl = response.signedUploadUrl; + } + catch (error) { + core.debug(`Failed to reserve cache: ${error}`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); } core.debug(`Attempting to upload cache located at: ${archivePath}`); - yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); + yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options); const finalizeRequest = { key, version, @@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299); const auth_1 = __nccwpck_require__(4552); const http_client_1 = __nccwpck_require__(4844); const cache_twirp_client_1 = __nccwpck_require__(1486); +const util_1 = __nccwpck_require__(7564); /** * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * @@ -2255,6 +2264,7 @@ class CacheServiceClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString; /***/ }), +/***/ 7564: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.maskSecretUrls = exports.maskSigUrl = void 0; +const core_1 = __nccwpck_require__(7484); +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * + * @param url - The URL containing the signature parameter to mask + * @remarks + * This function attempts to parse the provided URL and identify the 'sig' query parameter. + * If found, it registers both the raw and URL-encoded signature values as secrets using + * the Actions `setSecret` API, which prevents them from being displayed in logs. + * + * The function handles errors gracefully if URL parsing fails, logging them as debug messages. + * + * @example + * ```typescript + * // Mask a signature in an Azure SAS token URL + * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01'); + * ``` + */ +function maskSigUrl(url) { + if (!url) + return; + try { + const parsedUrl = new URL(url); + const signature = parsedUrl.searchParams.get('sig'); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + } + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`); + } +} +exports.maskSigUrl = maskSigUrl; +/** + * Masks sensitive information in URLs containing signature parameters. + * Currently supports masking 'sig' parameters in the 'signed_upload_url' + * and 'signed_download_url' properties of the provided object. + * + * @param body - The object should contain a signature + * @remarks + * This function extracts URLs from the object properties and calls maskSigUrl + * on each one to redact sensitive signature information. The function doesn't + * modify the original object; it only marks the signatures as secrets for + * logging purposes. + * + * @example + * ```typescript + * const responseBody = { + * signed_upload_url: 'https://blob.core.windows.net/?sig=abc123', + * signed_download_url: 'https://blob.core/windows.net/?sig=def456' + * }; + * maskSecretUrls(responseBody); + * ``` + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + if ('signed_upload_url' in body && + typeof body.signed_upload_url === 'string') { + maskSigUrl(body.signed_upload_url); + } + if ('signed_download_url' in body && + typeof body.signed_download_url === 'string') { + maskSigUrl(body.signed_download_url); + } +} +exports.maskSecretUrls = maskSecretUrls; +//# sourceMappingURL=util.js.map + +/***/ }), + /***/ 5321: /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { @@ -65309,7 +65400,7 @@ module.exports = require("zlib"); /***/ ((module) => { "use strict"; -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); /***/ }), diff --git a/dist/save-only/index.js b/dist/save-only/index.js index 0ea80ab..1e1b222 100644 --- a/dist/save-only/index.js +++ b/dist/save-only/index.js @@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr }; const response = yield twirpClient.GetCacheEntryDownloadURL(request); if (!response.ok) { - core.debug(`Cache not found for keys: ${keys.join(', ')}`); + core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; } core.info(`Cache hit for: ${request.key}`); @@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) { key, version }; - const response = yield twirpClient.CreateCacheEntry(request); - if (!response.ok) { + let signedUploadUrl; + try { + const response = yield twirpClient.CreateCacheEntry(request); + if (!response.ok) { + throw new Error('Response was not ok'); + } + signedUploadUrl = response.signedUploadUrl; + } + catch (error) { + core.debug(`Failed to reserve cache: ${error}`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); } core.debug(`Attempting to upload cache located at: ${archivePath}`); - yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); + yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options); const finalizeRequest = { key, version, @@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299); const auth_1 = __nccwpck_require__(4552); const http_client_1 = __nccwpck_require__(4844); const cache_twirp_client_1 = __nccwpck_require__(1486); +const util_1 = __nccwpck_require__(7564); /** * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * @@ -2255,6 +2264,7 @@ class CacheServiceClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString; /***/ }), +/***/ 7564: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.maskSecretUrls = exports.maskSigUrl = void 0; +const core_1 = __nccwpck_require__(7484); +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * + * @param url - The URL containing the signature parameter to mask + * @remarks + * This function attempts to parse the provided URL and identify the 'sig' query parameter. + * If found, it registers both the raw and URL-encoded signature values as secrets using + * the Actions `setSecret` API, which prevents them from being displayed in logs. + * + * The function handles errors gracefully if URL parsing fails, logging them as debug messages. + * + * @example + * ```typescript + * // Mask a signature in an Azure SAS token URL + * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01'); + * ``` + */ +function maskSigUrl(url) { + if (!url) + return; + try { + const parsedUrl = new URL(url); + const signature = parsedUrl.searchParams.get('sig'); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + } + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`); + } +} +exports.maskSigUrl = maskSigUrl; +/** + * Masks sensitive information in URLs containing signature parameters. + * Currently supports masking 'sig' parameters in the 'signed_upload_url' + * and 'signed_download_url' properties of the provided object. + * + * @param body - The object should contain a signature + * @remarks + * This function extracts URLs from the object properties and calls maskSigUrl + * on each one to redact sensitive signature information. The function doesn't + * modify the original object; it only marks the signatures as secrets for + * logging purposes. + * + * @example + * ```typescript + * const responseBody = { + * signed_upload_url: 'https://blob.core.windows.net/?sig=abc123', + * signed_download_url: 'https://blob.core/windows.net/?sig=def456' + * }; + * maskSecretUrls(responseBody); + * ``` + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + if ('signed_upload_url' in body && + typeof body.signed_upload_url === 'string') { + maskSigUrl(body.signed_upload_url); + } + if ('signed_download_url' in body && + typeof body.signed_download_url === 'string') { + maskSigUrl(body.signed_download_url); + } +} +exports.maskSecretUrls = maskSecretUrls; +//# sourceMappingURL=util.js.map + +/***/ }), + /***/ 5321: /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { @@ -65322,7 +65413,7 @@ module.exports = require("zlib"); /***/ ((module) => { "use strict"; -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); /***/ }), diff --git a/dist/save/index.js b/dist/save/index.js index bd33332..d288e0b 100644 --- a/dist/save/index.js +++ b/dist/save/index.js @@ -220,7 +220,7 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr }; const response = yield twirpClient.GetCacheEntryDownloadURL(request); if (!response.ok) { - core.debug(`Cache not found for keys: ${keys.join(', ')}`); + core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; } core.info(`Cache hit for: ${request.key}`); @@ -412,12 +412,20 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) { key, version }; - const response = yield twirpClient.CreateCacheEntry(request); - if (!response.ok) { + let signedUploadUrl; + try { + const response = yield twirpClient.CreateCacheEntry(request); + if (!response.ok) { + throw new Error('Response was not ok'); + } + signedUploadUrl = response.signedUploadUrl; + } + catch (error) { + core.debug(`Failed to reserve cache: ${error}`); throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`); } core.debug(`Attempting to upload cache located at: ${archivePath}`); - yield cacheHttpClient.saveCache(cacheId, archivePath, response.signedUploadUrl, options); + yield cacheHttpClient.saveCache(cacheId, archivePath, signedUploadUrl, options); const finalizeRequest = { key, version, @@ -2196,6 +2204,7 @@ const cacheUtils_1 = __nccwpck_require__(8299); const auth_1 = __nccwpck_require__(4552); const http_client_1 = __nccwpck_require__(4844); const cache_twirp_client_1 = __nccwpck_require__(1486); +const util_1 = __nccwpck_require__(7564); /** * This class is a wrapper around the CacheServiceClientJSON class generated by Twirp. * @@ -2255,6 +2264,7 @@ class CacheServiceClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -2436,6 +2446,87 @@ exports.getUserAgentString = getUserAgentString; /***/ }), +/***/ 7564: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.maskSecretUrls = exports.maskSigUrl = void 0; +const core_1 = __nccwpck_require__(7484); +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * + * @param url - The URL containing the signature parameter to mask + * @remarks + * This function attempts to parse the provided URL and identify the 'sig' query parameter. + * If found, it registers both the raw and URL-encoded signature values as secrets using + * the Actions `setSecret` API, which prevents them from being displayed in logs. + * + * The function handles errors gracefully if URL parsing fails, logging them as debug messages. + * + * @example + * ```typescript + * // Mask a signature in an Azure SAS token URL + * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01'); + * ``` + */ +function maskSigUrl(url) { + if (!url) + return; + try { + const parsedUrl = new URL(url); + const signature = parsedUrl.searchParams.get('sig'); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + } + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`); + } +} +exports.maskSigUrl = maskSigUrl; +/** + * Masks sensitive information in URLs containing signature parameters. + * Currently supports masking 'sig' parameters in the 'signed_upload_url' + * and 'signed_download_url' properties of the provided object. + * + * @param body - The object should contain a signature + * @remarks + * This function extracts URLs from the object properties and calls maskSigUrl + * on each one to redact sensitive signature information. The function doesn't + * modify the original object; it only marks the signatures as secrets for + * logging purposes. + * + * @example + * ```typescript + * const responseBody = { + * signed_upload_url: 'https://blob.core.windows.net/?sig=abc123', + * signed_download_url: 'https://blob.core/windows.net/?sig=def456' + * }; + * maskSecretUrls(responseBody); + * ``` + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + if ('signed_upload_url' in body && + typeof body.signed_upload_url === 'string') { + maskSigUrl(body.signed_upload_url); + } + if ('signed_download_url' in body && + typeof body.signed_download_url === 'string') { + maskSigUrl(body.signed_download_url); + } +} +exports.maskSecretUrls = maskSecretUrls; +//# sourceMappingURL=util.js.map + +/***/ }), + /***/ 5321: /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { @@ -65322,7 +65413,7 @@ module.exports = require("zlib"); /***/ ((module) => { "use strict"; -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.1","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"4.0.3","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^1.11.1","@actions/exec":"^1.0.1","@actions/glob":"^0.1.0","@actions/http-client":"^2.1.1","@actions/io":"^1.0.1","@azure/abort-controller":"^1.1.0","@azure/ms-rest-js":"^2.6.0","@azure/storage-blob":"^12.13.0","@protobuf-ts/plugin":"^2.9.4","semver":"^6.3.1"},"devDependencies":{"@types/node":"^22.13.9","@types/semver":"^6.0.0","typescript":"^5.2.2"}}'); /***/ }), diff --git a/package-lock.json b/package-lock.json index f55b78d..7eb7333 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,15 +1,15 @@ { "name": "cache", - "version": "4.2.1", + "version": "4.2.3", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "cache", - "version": "4.2.1", + "version": "4.2.3", "license": "MIT", "dependencies": { - "@actions/cache": "^4.0.1", + "@actions/cache": "^4.0.3", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/io": "^1.1.3" @@ -36,9 +36,9 @@ } }, "node_modules/@actions/cache": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.1.tgz", - "integrity": "sha512-u2NrTo95PDmk145wrr+fMhrvpF0hfPmD6cLkR7NozvNHqanR0BmRHBzEe1yiGZFFEHbu6/e6EOEX7qoM7fWVTA==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.3.tgz", + "integrity": "sha512-SvrqFtYJ7I48A/uXNkoJrnukx5weQv1fGquhs3+4nkByZThBH109KTIqj5x/cGV7JGNvb8dLPVywUOqX1fjiXg==", "license": "MIT", "dependencies": { "@actions/core": "^1.11.1", @@ -9600,9 +9600,9 @@ }, "dependencies": { "@actions/cache": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.1.tgz", - "integrity": "sha512-u2NrTo95PDmk145wrr+fMhrvpF0hfPmD6cLkR7NozvNHqanR0BmRHBzEe1yiGZFFEHbu6/e6EOEX7qoM7fWVTA==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.3.tgz", + "integrity": "sha512-SvrqFtYJ7I48A/uXNkoJrnukx5weQv1fGquhs3+4nkByZThBH109KTIqj5x/cGV7JGNvb8dLPVywUOqX1fjiXg==", "requires": { "@actions/core": "^1.11.1", "@actions/exec": "^1.0.1", diff --git a/package.json b/package.json index 3db4afb..45a8816 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "cache", - "version": "4.2.1", + "version": "4.2.3", "private": true, "description": "Cache dependencies and build outputs", "main": "dist/restore/index.js", @@ -23,7 +23,7 @@ "author": "GitHub", "license": "MIT", "dependencies": { - "@actions/cache": "^4.0.1", + "@actions/cache": "^4.0.3", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/io": "^1.1.3"