actions/setup-uv
11
0
Fork 0
mirror of https://github.com/astral-sh/setup-uv.git synced 2026-05-14 22:20:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Limit GitHub tokens to github.com download URLs

Browse source
This commit is contained in:
Zsolt Dollenstein 2026-05-11 17:52:04 +01:00
parent 88aa608651
commit 2f9f369997
No known key found for this signature in database
3 changed files with 47 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

24
__tests__/download/download-version.test.ts
View file

@ -223,7 +223,7 @@ describe("download-version", () => {
);
});
it("does not rewrite non-GitHub URLs", async () => {
it("does not send the token to non-GitHub URLs from the default manifest", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
@ -241,8 +241,30 @@ describe("download-version", () => {
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://example.com/uv.tar.gz",
undefined,
undefined,
);
});
it("does not send the token to GitHub lookalike hosts", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
downloadUrl: "https://github.com.evil.test/uv.tar.gz",
});
await downloadVersion(
"unknown-linux-gnu",
"x86_64",
"0.9.26",
undefined,
"token",
);
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://github.com.evil.test/uv.tar.gz",
undefined,
undefined,
);
});
it("falls back to GitHub Releases when the mirror fails", async () => {