Skip to content

Only use mirrorToken in getManifest if it's provided#1548

Open
deiga wants to merge 2 commits into
actions:mainfrom
F-Secure-web:fix/only-use-mirror-token-for-manifest-if-set
Open

Only use mirrorToken in getManifest if it's provided#1548
deiga wants to merge 2 commits into
actions:mainfrom
F-Secure-web:fix/only-use-mirror-token-for-manifest-if-set

Conversation

@deiga
Copy link
Copy Markdown

@deiga deiga commented May 11, 2026

Description:
When providing a mirror, but not a mirrorToken then getManifest will use the empty mirrorToken instead of any possible github token. This can lead to API Rate Limit exhaustion inadvertently.

The proposed fix is to only supply mirrorToken if it is actually set.

Related issue:
I couldn't find any directly related issues

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

@deiga deiga requested a review from a team as a code owner May 11, 2026 11:20
@noemiplatform
Copy link
Copy Markdown

noemiplatform commented May 17, 2026

no one should be allowed to make any changes

@priya-kinthali
Copy link
Copy Markdown
Contributor

priya-kinthali commented Jun 1, 2026

Hi @deiga 👋
Thanks for this contribution! It looks like the dist/ folder hasn't been updated with your changes. Could you please run npm run build and commit the resulting changes to dist/? This ensures the action picks up your source code updates. Thanks!

Copilot AI review requested due to automatic review settings June 1, 2026 19:13
@deiga
Copy link
Copy Markdown
Author

deiga commented Jun 1, 2026

Doh! 🤦
@priya-kinthali thanks for letting me know :)

Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR adjusts how authentication tokens are selected when downloading Node distributions and fetching the node-versions manifest, preferring the mirror token only when it’s explicitly present.

Changes:

  • Update tc.downloadTool auth selection to use mirrorToken only when both mirror and mirrorToken are set.
  • Update tc.getManifestFromRepo auth selection similarly.
  • Regenerate/update the compiled dist/setup/index.js to reflect the source change.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/distributions/official_builds/official_builds.ts Changes token selection logic for downloads and manifest fetches.
dist/setup/index.js Compiled output updated to match the source logic change.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/distributions/official_builds/official_builds.ts
Comment on lines 84 to 90
downloadPath = await tc.downloadTool(
versionInfo.downloadUrl,
undefined,
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth
this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth
);
Copy link
Copy Markdown
Author

@deiga deiga Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the current implementation it's not possible for versionInfo.downloadUrl to be a non-github host

Comment thread src/distributions/official_builds/official_builds.ts
Comment on lines 190 to 197
return tc.getManifestFromRepo(
'actions',
'node-versions',
this.nodeInfo.mirror ? this.nodeInfo.mirrorToken : this.nodeInfo.auth,
this.nodeInfo.mirror && this.nodeInfo.mirrorToken
? this.nodeInfo.mirrorToken
: this.nodeInfo.auth,
'main'
);
Copy link
Copy Markdown
Author

@deiga deiga Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO 2 call sites doesn't call for deduplication

deiga added 2 commits June 1, 2026 23:39
@deiga
Only use mirrorToken in getManifest if it's provided
2aa2c31 
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
@deiga
npm run build
bf9e4b9 
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
@deiga deiga force-pushed the fix/only-use-mirror-token-for-manifest-if-set branch from f1a144b to bf9e4b9 Compare June 1, 2026 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@meroamir99881-hue meroamir99881-hue meroamir99881-hue approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@deiga @noemiplatform @priya-kinthali @meroamir99881-hue @HarithaVattikuti