diff --git a/dist/restore-only/index.js b/dist/restore-only/index.js index 2427fc7..bd24321 100644 --- a/dist/restore-only/index.js +++ b/dist/restore-only/index.js @@ -39021,7 +39021,7 @@ module.exports = { version: packageJson.version } /***/ 4012: /***/ ((module) => { -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.1.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.2.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); /***/ }) @@ -43247,6 +43247,10 @@ const SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32 const TarFilename = 'cache.tar'; const constants_ManifestFilename = 'manifest.txt'; const CacheFileSizeLimit = 10 * Math.pow(1024, 3); // 10GiB per repository +// Prefix the cache backend embeds in a read-denial message (v2 twirp +// GetCacheEntryDownloadURL error or the GHES v1 `_apis/artifactcache` 403 body). +// Shared so cache.ts and cacheHttpClient.ts match the same contract value. +const CacheReadDeniedMessagePrefix = 'cache read denied:'; //# sourceMappingURL=constants.js.map ;// CONCATENATED MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js var cacheUtils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { @@ -92912,6 +92916,24 @@ function config_getCacheServiceVersion() { return 'v1'; return process.env['ACTIONS_CACHE_SERVICE_V2'] ? 'v2' : 'v1'; } +// The cache-mode lattice: readable = {read, write}, writable = {write, +// write-only}, none = neither. +const KNOWN_CACHE_MODES = ['none', 'read', 'write', 'write-only']; +// The effective cache-mode exported by the runner, or '' when not set. +function config_getCacheMode() { + return (process.env['ACTIONS_CACHE_MODE'] || '').trim().toLowerCase(); +} +// Unset or unrecognized modes are permissive so behavior matches today. +function isCacheReadable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'read' || mode === 'write'; +} +function config_isCacheWritable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'write' || mode === 'write-only'; +} function getCacheServiceURL() { const version = config_getCacheServiceVersion(); // Based on the version of the cache service, we will determine which @@ -92961,6 +92983,7 @@ var cacheHttpClient_awaiter = (undefined && undefined.__awaiter) || function (th + function getCacheApiUrl(resource) { const baseUrl = getCacheServiceURL(); if (!baseUrl) { @@ -92988,6 +93011,7 @@ function createHttpClient() { } function getCacheEntry(keys, paths, options) { return cacheHttpClient_awaiter(this, void 0, void 0, function* () { + var _a; const httpClient = createHttpClient(); const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive); const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`; @@ -93001,6 +93025,12 @@ function getCacheEntry(keys, paths, options) { return null; } if (!requestUtils_isSuccessStatusCode(response.statusCode)) { + // Only surface the receiver's body for a `cache read denied:` policy denial + // so callers can dispatch on it; keep the generic message otherwise. + const errorMessage = (_a = response.error) === null || _a === void 0 ? void 0 : _a.message; + if (errorMessage === null || errorMessage === void 0 ? void 0 : errorMessage.includes(CacheReadDeniedMessagePrefix)) { + throw new Error(errorMessage); + } throw new Error(`Cache service responded with ${response.statusCode}`); } const cacheResult = response.result; @@ -94262,6 +94292,7 @@ var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar + class ValidationError extends Error { constructor(message) { super(message); @@ -94277,19 +94308,20 @@ class ReserveCacheError extends Error { } } /** - * Stable prefix the receiver writes into the cache reservation response when - * the issuer downgraded the cache token to read-only (for example, because + * Stable prefix the cache service writes into the cache reservation response + * when the issuer downgraded the cache token to read-only (for example, because * the run was triggered by an untrusted event). saveCacheV1 / saveCacheV2 - * dispatch on this prefix to re-classify the failure as a - * CacheWriteDeniedError so consumers (and the outer catch arm) can - * distinguish a policy denial from other reservation failures. + * dispatch on this prefix to re-classify the failure as a CacheWriteDeniedError + * so consumers and tests can distinguish a policy denial from other reservation + * failures. Internally it is logged as a non-fatal warning like other + * best-effort save failures. */ const CACHE_WRITE_DENIED_PREFIX = 'cache write denied:'; /** * Raised when the cache backend refuses to reserve a writable cache entry * because the JWT issued for this run was scoped read-only (for example, the * run was triggered by an event the repository administrator classified as - * untrusted). The receiver-supplied detail message always begins with + * untrusted). The service-supplied detail message always begins with * `cache write denied:` (the full error message includes additional context * like the cache key). * @@ -94305,6 +94337,19 @@ class CacheWriteDeniedError extends ReserveCacheError { Object.setPrototypeOf(this, CacheWriteDeniedError.prototype); } } +// Re-exported from constants so consumers keep referencing it here; the shared +// value also drives detection in cacheHttpClient without duplicating the string. +const CACHE_READ_DENIED_PREFIX = CacheReadDeniedMessagePrefix; +// Raised when the cache backend denies a download URL because the run's token +// has no readable cache scopes. Caching is best-effort, so restoreCache logs a +// warning and reports a cache miss rather than rethrowing this. +class CacheReadDeniedError extends Error { + constructor(message) { + super(message); + this.name = 'CacheReadDeniedError'; + Object.setPrototypeOf(this, CacheReadDeniedError.prototype); + } +} class FinalizeCacheError extends Error { constructor(message) { super(message); @@ -94359,6 +94404,12 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { const cacheServiceVersion = config_getCacheServiceVersion(); core_debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); + const cacheMode = config_getCacheMode(); + if (!isCacheReadable(cacheMode)) { + info(`Cache restore skipped: the effective cache-mode '${cacheMode}' does not permit reads.`); + core_debug(`Skipped restore for paths [${paths.join(', ')}] with primary key '${primaryKey}'.`); + return undefined; + } switch (cacheServiceVersion) { case 'v2': return yield restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsArchive); @@ -94380,6 +94431,7 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; restoreKeys = restoreKeys || []; const keys = [primaryKey, ...restoreKeys]; core_debug('Resolved Keys:'); @@ -94394,10 +94446,26 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { let archivePath = ''; try { // path are needed to compute version - const cacheEntry = yield getCacheEntry(keys, paths, { - compressionMethod, - enableCrossOsArchive - }); + let cacheEntry; + try { + cacheEntry = yield getCacheEntry(keys, paths, { + compressionMethod, + enableCrossOsArchive + }); + } + catch (error) { + // The v1 artifact cache service returns HTTP 403 with a + // `cache read denied:` body when the run's token has no readable cache + // scopes. getCacheEntry lives in a dependency-free internal module and + // cannot import CacheReadDeniedError without a circular dependency, so it + // only surfaces the raw denial message; we classify it into the typed + // error here so the outer catch and consumers can dispatch on it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!(cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.archiveLocation)) { // Cache not found return undefined; @@ -94426,7 +94494,9 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { } else { // warn on cache restore failure and continue build - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94461,6 +94531,7 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; // Override UploadOptions to force the use of Azure options = Object.assign(Object.assign({}, options), { useAzureSdk: true }); restoreKeys = restoreKeys || []; @@ -94482,7 +94553,20 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { restoreKeys, version: getCacheVersion(paths, compressionMethod, enableCrossOsArchive) }; - const response = yield twirpClient.GetCacheEntryDownloadURL(request); + let response; + try { + response = yield twirpClient.GetCacheEntryDownloadURL(request); + } + catch (error) { + // The receiver returns twirp PermissionDenied (403) when the run's token + // has no readable cache scopes. The client wraps that 403, so the stable + // prefix is embedded in the message rather than leading it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!response.ok) { core_debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; @@ -94517,8 +94601,10 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { throw error; } else { - // Supress all non-validation cache related errors because caching should be optional - // Log server errors (5xx) as errors, all other errors as warnings + // Suppress all non-validation cache related errors because caching should be optional + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94557,6 +94643,12 @@ function cache_saveCache(paths_1, key_1, options_1) { core.debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); checkKey(key); + const cacheMode = getCacheMode(); + if (!isCacheWritable(cacheMode)) { + core.info(`Cache save skipped: the effective cache-mode '${cacheMode}' does not permit writes.`); + core.debug(`Skipped save for paths [${paths.join(', ')}] with key '${key}'.`); + return -1; + } switch (cacheServiceVersion) { case 'v2': return yield saveCacheV2(paths, key, options, enableCrossOsArchive); @@ -94634,17 +94726,14 @@ function saveCacheV1(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - core.warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { core.info(`Failed to save: ${typedError.message}`); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94755,12 +94844,6 @@ function saveCacheV2(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - core.warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { core.info(`Failed to save: ${typedError.message}`); } @@ -94768,7 +94851,10 @@ function saveCacheV2(paths_1, key_1, options_1) { core.warning(typedError.message); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { diff --git a/dist/restore/index.js b/dist/restore/index.js index 0e363fc..c7cb184 100644 --- a/dist/restore/index.js +++ b/dist/restore/index.js @@ -39021,7 +39021,7 @@ module.exports = { version: packageJson.version } /***/ 4012: /***/ ((module) => { -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.1.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.2.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); /***/ }) @@ -43247,6 +43247,10 @@ const SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32 const TarFilename = 'cache.tar'; const constants_ManifestFilename = 'manifest.txt'; const CacheFileSizeLimit = 10 * Math.pow(1024, 3); // 10GiB per repository +// Prefix the cache backend embeds in a read-denial message (v2 twirp +// GetCacheEntryDownloadURL error or the GHES v1 `_apis/artifactcache` 403 body). +// Shared so cache.ts and cacheHttpClient.ts match the same contract value. +const CacheReadDeniedMessagePrefix = 'cache read denied:'; //# sourceMappingURL=constants.js.map ;// CONCATENATED MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js var cacheUtils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { @@ -92912,6 +92916,24 @@ function config_getCacheServiceVersion() { return 'v1'; return process.env['ACTIONS_CACHE_SERVICE_V2'] ? 'v2' : 'v1'; } +// The cache-mode lattice: readable = {read, write}, writable = {write, +// write-only}, none = neither. +const KNOWN_CACHE_MODES = ['none', 'read', 'write', 'write-only']; +// The effective cache-mode exported by the runner, or '' when not set. +function config_getCacheMode() { + return (process.env['ACTIONS_CACHE_MODE'] || '').trim().toLowerCase(); +} +// Unset or unrecognized modes are permissive so behavior matches today. +function isCacheReadable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'read' || mode === 'write'; +} +function config_isCacheWritable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'write' || mode === 'write-only'; +} function getCacheServiceURL() { const version = config_getCacheServiceVersion(); // Based on the version of the cache service, we will determine which @@ -92961,6 +92983,7 @@ var cacheHttpClient_awaiter = (undefined && undefined.__awaiter) || function (th + function getCacheApiUrl(resource) { const baseUrl = getCacheServiceURL(); if (!baseUrl) { @@ -92988,6 +93011,7 @@ function createHttpClient() { } function getCacheEntry(keys, paths, options) { return cacheHttpClient_awaiter(this, void 0, void 0, function* () { + var _a; const httpClient = createHttpClient(); const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive); const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`; @@ -93001,6 +93025,12 @@ function getCacheEntry(keys, paths, options) { return null; } if (!requestUtils_isSuccessStatusCode(response.statusCode)) { + // Only surface the receiver's body for a `cache read denied:` policy denial + // so callers can dispatch on it; keep the generic message otherwise. + const errorMessage = (_a = response.error) === null || _a === void 0 ? void 0 : _a.message; + if (errorMessage === null || errorMessage === void 0 ? void 0 : errorMessage.includes(CacheReadDeniedMessagePrefix)) { + throw new Error(errorMessage); + } throw new Error(`Cache service responded with ${response.statusCode}`); } const cacheResult = response.result; @@ -94262,6 +94292,7 @@ var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar + class ValidationError extends Error { constructor(message) { super(message); @@ -94277,19 +94308,20 @@ class ReserveCacheError extends Error { } } /** - * Stable prefix the receiver writes into the cache reservation response when - * the issuer downgraded the cache token to read-only (for example, because + * Stable prefix the cache service writes into the cache reservation response + * when the issuer downgraded the cache token to read-only (for example, because * the run was triggered by an untrusted event). saveCacheV1 / saveCacheV2 - * dispatch on this prefix to re-classify the failure as a - * CacheWriteDeniedError so consumers (and the outer catch arm) can - * distinguish a policy denial from other reservation failures. + * dispatch on this prefix to re-classify the failure as a CacheWriteDeniedError + * so consumers and tests can distinguish a policy denial from other reservation + * failures. Internally it is logged as a non-fatal warning like other + * best-effort save failures. */ const CACHE_WRITE_DENIED_PREFIX = 'cache write denied:'; /** * Raised when the cache backend refuses to reserve a writable cache entry * because the JWT issued for this run was scoped read-only (for example, the * run was triggered by an event the repository administrator classified as - * untrusted). The receiver-supplied detail message always begins with + * untrusted). The service-supplied detail message always begins with * `cache write denied:` (the full error message includes additional context * like the cache key). * @@ -94305,6 +94337,19 @@ class CacheWriteDeniedError extends ReserveCacheError { Object.setPrototypeOf(this, CacheWriteDeniedError.prototype); } } +// Re-exported from constants so consumers keep referencing it here; the shared +// value also drives detection in cacheHttpClient without duplicating the string. +const CACHE_READ_DENIED_PREFIX = CacheReadDeniedMessagePrefix; +// Raised when the cache backend denies a download URL because the run's token +// has no readable cache scopes. Caching is best-effort, so restoreCache logs a +// warning and reports a cache miss rather than rethrowing this. +class CacheReadDeniedError extends Error { + constructor(message) { + super(message); + this.name = 'CacheReadDeniedError'; + Object.setPrototypeOf(this, CacheReadDeniedError.prototype); + } +} class FinalizeCacheError extends Error { constructor(message) { super(message); @@ -94359,6 +94404,12 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { const cacheServiceVersion = config_getCacheServiceVersion(); core_debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); + const cacheMode = config_getCacheMode(); + if (!isCacheReadable(cacheMode)) { + info(`Cache restore skipped: the effective cache-mode '${cacheMode}' does not permit reads.`); + core_debug(`Skipped restore for paths [${paths.join(', ')}] with primary key '${primaryKey}'.`); + return undefined; + } switch (cacheServiceVersion) { case 'v2': return yield restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsArchive); @@ -94380,6 +94431,7 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; restoreKeys = restoreKeys || []; const keys = [primaryKey, ...restoreKeys]; core_debug('Resolved Keys:'); @@ -94394,10 +94446,26 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { let archivePath = ''; try { // path are needed to compute version - const cacheEntry = yield getCacheEntry(keys, paths, { - compressionMethod, - enableCrossOsArchive - }); + let cacheEntry; + try { + cacheEntry = yield getCacheEntry(keys, paths, { + compressionMethod, + enableCrossOsArchive + }); + } + catch (error) { + // The v1 artifact cache service returns HTTP 403 with a + // `cache read denied:` body when the run's token has no readable cache + // scopes. getCacheEntry lives in a dependency-free internal module and + // cannot import CacheReadDeniedError without a circular dependency, so it + // only surfaces the raw denial message; we classify it into the typed + // error here so the outer catch and consumers can dispatch on it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!(cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.archiveLocation)) { // Cache not found return undefined; @@ -94426,7 +94494,9 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { } else { // warn on cache restore failure and continue build - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94461,6 +94531,7 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; // Override UploadOptions to force the use of Azure options = Object.assign(Object.assign({}, options), { useAzureSdk: true }); restoreKeys = restoreKeys || []; @@ -94482,7 +94553,20 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { restoreKeys, version: getCacheVersion(paths, compressionMethod, enableCrossOsArchive) }; - const response = yield twirpClient.GetCacheEntryDownloadURL(request); + let response; + try { + response = yield twirpClient.GetCacheEntryDownloadURL(request); + } + catch (error) { + // The receiver returns twirp PermissionDenied (403) when the run's token + // has no readable cache scopes. The client wraps that 403, so the stable + // prefix is embedded in the message rather than leading it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!response.ok) { core_debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; @@ -94517,8 +94601,10 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { throw error; } else { - // Supress all non-validation cache related errors because caching should be optional - // Log server errors (5xx) as errors, all other errors as warnings + // Suppress all non-validation cache related errors because caching should be optional + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94557,6 +94643,12 @@ function cache_saveCache(paths_1, key_1, options_1) { core.debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); checkKey(key); + const cacheMode = getCacheMode(); + if (!isCacheWritable(cacheMode)) { + core.info(`Cache save skipped: the effective cache-mode '${cacheMode}' does not permit writes.`); + core.debug(`Skipped save for paths [${paths.join(', ')}] with key '${key}'.`); + return -1; + } switch (cacheServiceVersion) { case 'v2': return yield saveCacheV2(paths, key, options, enableCrossOsArchive); @@ -94634,17 +94726,14 @@ function saveCacheV1(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - core.warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { core.info(`Failed to save: ${typedError.message}`); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94755,12 +94844,6 @@ function saveCacheV2(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - core.warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { core.info(`Failed to save: ${typedError.message}`); } @@ -94768,7 +94851,10 @@ function saveCacheV2(paths_1, key_1, options_1) { core.warning(typedError.message); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { diff --git a/dist/save-only/index.js b/dist/save-only/index.js index b3a8aa3..1b81de3 100644 --- a/dist/save-only/index.js +++ b/dist/save-only/index.js @@ -39021,7 +39021,7 @@ module.exports = { version: packageJson.version } /***/ 4012: /***/ ((module) => { -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.1.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.2.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); /***/ }) @@ -43254,6 +43254,10 @@ const SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32 const TarFilename = 'cache.tar'; const ManifestFilename = 'manifest.txt'; const CacheFileSizeLimit = 10 * Math.pow(1024, 3); // 10GiB per repository +// Prefix the cache backend embeds in a read-denial message (v2 twirp +// GetCacheEntryDownloadURL error or the GHES v1 `_apis/artifactcache` 403 body). +// Shared so cache.ts and cacheHttpClient.ts match the same contract value. +const constants_CacheReadDeniedMessagePrefix = 'cache read denied:'; //# sourceMappingURL=constants.js.map ;// CONCATENATED MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js var cacheUtils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { @@ -92918,6 +92922,24 @@ function config_getCacheServiceVersion() { return 'v1'; return process.env['ACTIONS_CACHE_SERVICE_V2'] ? 'v2' : 'v1'; } +// The cache-mode lattice: readable = {read, write}, writable = {write, +// write-only}, none = neither. +const KNOWN_CACHE_MODES = ['none', 'read', 'write', 'write-only']; +// The effective cache-mode exported by the runner, or '' when not set. +function config_getCacheMode() { + return (process.env['ACTIONS_CACHE_MODE'] || '').trim().toLowerCase(); +} +// Unset or unrecognized modes are permissive so behavior matches today. +function config_isCacheReadable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'read' || mode === 'write'; +} +function isCacheWritable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'write' || mode === 'write-only'; +} function getCacheServiceURL() { const version = config_getCacheServiceVersion(); // Based on the version of the cache service, we will determine which @@ -92967,6 +92989,7 @@ var cacheHttpClient_awaiter = (undefined && undefined.__awaiter) || function (th + function getCacheApiUrl(resource) { const baseUrl = getCacheServiceURL(); if (!baseUrl) { @@ -92994,6 +93017,7 @@ function createHttpClient() { } function getCacheEntry(keys, paths, options) { return cacheHttpClient_awaiter(this, void 0, void 0, function* () { + var _a; const httpClient = createHttpClient(); const version = utils.getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive); const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`; @@ -93007,6 +93031,12 @@ function getCacheEntry(keys, paths, options) { return null; } if (!isSuccessStatusCode(response.statusCode)) { + // Only surface the receiver's body for a `cache read denied:` policy denial + // so callers can dispatch on it; keep the generic message otherwise. + const errorMessage = (_a = response.error) === null || _a === void 0 ? void 0 : _a.message; + if (errorMessage === null || errorMessage === void 0 ? void 0 : errorMessage.includes(CacheReadDeniedMessagePrefix)) { + throw new Error(errorMessage); + } throw new Error(`Cache service responded with ${response.statusCode}`); } const cacheResult = response.result; @@ -94267,6 +94297,7 @@ var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar + class ValidationError extends Error { constructor(message) { super(message); @@ -94282,19 +94313,20 @@ class ReserveCacheError extends Error { } } /** - * Stable prefix the receiver writes into the cache reservation response when - * the issuer downgraded the cache token to read-only (for example, because + * Stable prefix the cache service writes into the cache reservation response + * when the issuer downgraded the cache token to read-only (for example, because * the run was triggered by an untrusted event). saveCacheV1 / saveCacheV2 - * dispatch on this prefix to re-classify the failure as a - * CacheWriteDeniedError so consumers (and the outer catch arm) can - * distinguish a policy denial from other reservation failures. + * dispatch on this prefix to re-classify the failure as a CacheWriteDeniedError + * so consumers and tests can distinguish a policy denial from other reservation + * failures. Internally it is logged as a non-fatal warning like other + * best-effort save failures. */ const CACHE_WRITE_DENIED_PREFIX = 'cache write denied:'; /** * Raised when the cache backend refuses to reserve a writable cache entry * because the JWT issued for this run was scoped read-only (for example, the * run was triggered by an event the repository administrator classified as - * untrusted). The receiver-supplied detail message always begins with + * untrusted). The service-supplied detail message always begins with * `cache write denied:` (the full error message includes additional context * like the cache key). * @@ -94310,6 +94342,19 @@ class CacheWriteDeniedError extends ReserveCacheError { Object.setPrototypeOf(this, CacheWriteDeniedError.prototype); } } +// Re-exported from constants so consumers keep referencing it here; the shared +// value also drives detection in cacheHttpClient without duplicating the string. +const CACHE_READ_DENIED_PREFIX = (/* unused pure expression or super */ null && (CacheReadDeniedMessagePrefix)); +// Raised when the cache backend denies a download URL because the run's token +// has no readable cache scopes. Caching is best-effort, so restoreCache logs a +// warning and reports a cache miss rather than rethrowing this. +class CacheReadDeniedError extends Error { + constructor(message) { + super(message); + this.name = 'CacheReadDeniedError'; + Object.setPrototypeOf(this, CacheReadDeniedError.prototype); + } +} class FinalizeCacheError extends Error { constructor(message) { super(message); @@ -94364,6 +94409,12 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { const cacheServiceVersion = getCacheServiceVersion(); core.debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); + const cacheMode = getCacheMode(); + if (!isCacheReadable(cacheMode)) { + core.info(`Cache restore skipped: the effective cache-mode '${cacheMode}' does not permit reads.`); + core.debug(`Skipped restore for paths [${paths.join(', ')}] with primary key '${primaryKey}'.`); + return undefined; + } switch (cacheServiceVersion) { case 'v2': return yield restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsArchive); @@ -94385,6 +94436,7 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; restoreKeys = restoreKeys || []; const keys = [primaryKey, ...restoreKeys]; core.debug('Resolved Keys:'); @@ -94399,10 +94451,26 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { let archivePath = ''; try { // path are needed to compute version - const cacheEntry = yield cacheHttpClient.getCacheEntry(keys, paths, { - compressionMethod, - enableCrossOsArchive - }); + let cacheEntry; + try { + cacheEntry = yield cacheHttpClient.getCacheEntry(keys, paths, { + compressionMethod, + enableCrossOsArchive + }); + } + catch (error) { + // The v1 artifact cache service returns HTTP 403 with a + // `cache read denied:` body when the run's token has no readable cache + // scopes. getCacheEntry lives in a dependency-free internal module and + // cannot import CacheReadDeniedError without a circular dependency, so it + // only surfaces the raw denial message; we classify it into the typed + // error here so the outer catch and consumers can dispatch on it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!(cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.archiveLocation)) { // Cache not found return undefined; @@ -94431,7 +94499,9 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { } else { // warn on cache restore failure and continue build - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94466,6 +94536,7 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; // Override UploadOptions to force the use of Azure options = Object.assign(Object.assign({}, options), { useAzureSdk: true }); restoreKeys = restoreKeys || []; @@ -94487,7 +94558,20 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { restoreKeys, version: utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive) }; - const response = yield twirpClient.GetCacheEntryDownloadURL(request); + let response; + try { + response = yield twirpClient.GetCacheEntryDownloadURL(request); + } + catch (error) { + // The receiver returns twirp PermissionDenied (403) when the run's token + // has no readable cache scopes. The client wraps that 403, so the stable + // prefix is embedded in the message rather than leading it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!response.ok) { core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; @@ -94522,8 +94606,10 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { throw error; } else { - // Supress all non-validation cache related errors because caching should be optional - // Log server errors (5xx) as errors, all other errors as warnings + // Suppress all non-validation cache related errors because caching should be optional + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94562,6 +94648,12 @@ function cache_saveCache(paths_1, key_1, options_1) { core_debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); checkKey(key); + const cacheMode = config_getCacheMode(); + if (!isCacheWritable(cacheMode)) { + info(`Cache save skipped: the effective cache-mode '${cacheMode}' does not permit writes.`); + core_debug(`Skipped save for paths [${paths.join(', ')}] with key '${key}'.`); + return -1; + } switch (cacheServiceVersion) { case 'v2': return yield saveCacheV2(paths, key, options, enableCrossOsArchive); @@ -94639,17 +94731,14 @@ function saveCacheV1(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { info(`Failed to save: ${typedError.message}`); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94760,12 +94849,6 @@ function saveCacheV2(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { info(`Failed to save: ${typedError.message}`); } @@ -94773,7 +94856,10 @@ function saveCacheV2(paths_1, key_1, options_1) { warning(typedError.message); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { diff --git a/dist/save/index.js b/dist/save/index.js index aedf78a..59f6659 100644 --- a/dist/save/index.js +++ b/dist/save/index.js @@ -39021,7 +39021,7 @@ module.exports = { version: packageJson.version } /***/ 4012: /***/ ((module) => { -module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.1.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); +module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"6.2.0","description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","type":"module","main":"lib/cache.js","types":"lib/cache.d.ts","exports":{".":{"types":"./lib/cache.d.ts","import":"./lib/cache.js"}},"directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc && cp src/internal/shared/package-version.cjs lib/internal/shared/"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^3.0.1","@actions/exec":"^3.0.0","@actions/glob":"^0.6.1","@actions/http-client":"^4.0.1","@actions/io":"^3.0.2","@azure/core-rest-pipeline":"^1.23.0","@azure/storage-blob":"^12.31.0","@protobuf-ts/runtime-rpc":"^2.11.1","semver":"^7.7.4"},"devDependencies":{"@protobuf-ts/plugin":"^2.11.1","@types/node":"^25.6.0","@types/semver":"^7.7.1","typescript":"^5.9.3"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}'); /***/ }) @@ -43254,6 +43254,10 @@ const SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32 const TarFilename = 'cache.tar'; const ManifestFilename = 'manifest.txt'; const CacheFileSizeLimit = 10 * Math.pow(1024, 3); // 10GiB per repository +// Prefix the cache backend embeds in a read-denial message (v2 twirp +// GetCacheEntryDownloadURL error or the GHES v1 `_apis/artifactcache` 403 body). +// Shared so cache.ts and cacheHttpClient.ts match the same contract value. +const constants_CacheReadDeniedMessagePrefix = 'cache read denied:'; //# sourceMappingURL=constants.js.map ;// CONCATENATED MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js var cacheUtils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { @@ -92918,6 +92922,24 @@ function config_getCacheServiceVersion() { return 'v1'; return process.env['ACTIONS_CACHE_SERVICE_V2'] ? 'v2' : 'v1'; } +// The cache-mode lattice: readable = {read, write}, writable = {write, +// write-only}, none = neither. +const KNOWN_CACHE_MODES = ['none', 'read', 'write', 'write-only']; +// The effective cache-mode exported by the runner, or '' when not set. +function config_getCacheMode() { + return (process.env['ACTIONS_CACHE_MODE'] || '').trim().toLowerCase(); +} +// Unset or unrecognized modes are permissive so behavior matches today. +function config_isCacheReadable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'read' || mode === 'write'; +} +function isCacheWritable(mode) { + if (!KNOWN_CACHE_MODES.includes(mode)) + return true; + return mode === 'write' || mode === 'write-only'; +} function getCacheServiceURL() { const version = config_getCacheServiceVersion(); // Based on the version of the cache service, we will determine which @@ -92967,6 +92989,7 @@ var cacheHttpClient_awaiter = (undefined && undefined.__awaiter) || function (th + function getCacheApiUrl(resource) { const baseUrl = getCacheServiceURL(); if (!baseUrl) { @@ -92994,6 +93017,7 @@ function createHttpClient() { } function getCacheEntry(keys, paths, options) { return cacheHttpClient_awaiter(this, void 0, void 0, function* () { + var _a; const httpClient = createHttpClient(); const version = utils.getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive); const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`; @@ -93007,6 +93031,12 @@ function getCacheEntry(keys, paths, options) { return null; } if (!isSuccessStatusCode(response.statusCode)) { + // Only surface the receiver's body for a `cache read denied:` policy denial + // so callers can dispatch on it; keep the generic message otherwise. + const errorMessage = (_a = response.error) === null || _a === void 0 ? void 0 : _a.message; + if (errorMessage === null || errorMessage === void 0 ? void 0 : errorMessage.includes(CacheReadDeniedMessagePrefix)) { + throw new Error(errorMessage); + } throw new Error(`Cache service responded with ${response.statusCode}`); } const cacheResult = response.result; @@ -94267,6 +94297,7 @@ var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar + class ValidationError extends Error { constructor(message) { super(message); @@ -94282,19 +94313,20 @@ class ReserveCacheError extends Error { } } /** - * Stable prefix the receiver writes into the cache reservation response when - * the issuer downgraded the cache token to read-only (for example, because + * Stable prefix the cache service writes into the cache reservation response + * when the issuer downgraded the cache token to read-only (for example, because * the run was triggered by an untrusted event). saveCacheV1 / saveCacheV2 - * dispatch on this prefix to re-classify the failure as a - * CacheWriteDeniedError so consumers (and the outer catch arm) can - * distinguish a policy denial from other reservation failures. + * dispatch on this prefix to re-classify the failure as a CacheWriteDeniedError + * so consumers and tests can distinguish a policy denial from other reservation + * failures. Internally it is logged as a non-fatal warning like other + * best-effort save failures. */ const CACHE_WRITE_DENIED_PREFIX = 'cache write denied:'; /** * Raised when the cache backend refuses to reserve a writable cache entry * because the JWT issued for this run was scoped read-only (for example, the * run was triggered by an event the repository administrator classified as - * untrusted). The receiver-supplied detail message always begins with + * untrusted). The service-supplied detail message always begins with * `cache write denied:` (the full error message includes additional context * like the cache key). * @@ -94310,6 +94342,19 @@ class CacheWriteDeniedError extends ReserveCacheError { Object.setPrototypeOf(this, CacheWriteDeniedError.prototype); } } +// Re-exported from constants so consumers keep referencing it here; the shared +// value also drives detection in cacheHttpClient without duplicating the string. +const CACHE_READ_DENIED_PREFIX = (/* unused pure expression or super */ null && (CacheReadDeniedMessagePrefix)); +// Raised when the cache backend denies a download URL because the run's token +// has no readable cache scopes. Caching is best-effort, so restoreCache logs a +// warning and reports a cache miss rather than rethrowing this. +class CacheReadDeniedError extends Error { + constructor(message) { + super(message); + this.name = 'CacheReadDeniedError'; + Object.setPrototypeOf(this, CacheReadDeniedError.prototype); + } +} class FinalizeCacheError extends Error { constructor(message) { super(message); @@ -94364,6 +94409,12 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { const cacheServiceVersion = getCacheServiceVersion(); core.debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); + const cacheMode = getCacheMode(); + if (!isCacheReadable(cacheMode)) { + core.info(`Cache restore skipped: the effective cache-mode '${cacheMode}' does not permit reads.`); + core.debug(`Skipped restore for paths [${paths.join(', ')}] with primary key '${primaryKey}'.`); + return undefined; + } switch (cacheServiceVersion) { case 'v2': return yield restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsArchive); @@ -94385,6 +94436,7 @@ function restoreCache(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; restoreKeys = restoreKeys || []; const keys = [primaryKey, ...restoreKeys]; core.debug('Resolved Keys:'); @@ -94399,10 +94451,26 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { let archivePath = ''; try { // path are needed to compute version - const cacheEntry = yield cacheHttpClient.getCacheEntry(keys, paths, { - compressionMethod, - enableCrossOsArchive - }); + let cacheEntry; + try { + cacheEntry = yield cacheHttpClient.getCacheEntry(keys, paths, { + compressionMethod, + enableCrossOsArchive + }); + } + catch (error) { + // The v1 artifact cache service returns HTTP 403 with a + // `cache read denied:` body when the run's token has no readable cache + // scopes. getCacheEntry lives in a dependency-free internal module and + // cannot import CacheReadDeniedError without a circular dependency, so it + // only surfaces the raw denial message; we classify it into the typed + // error here so the outer catch and consumers can dispatch on it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!(cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.archiveLocation)) { // Cache not found return undefined; @@ -94431,7 +94499,9 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { } else { // warn on cache restore failure and continue build - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94466,6 +94536,7 @@ function restoreCacheV1(paths_1, primaryKey_1, restoreKeys_1, options_1) { */ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { return cache_awaiter(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { + var _a; // Override UploadOptions to force the use of Azure options = Object.assign(Object.assign({}, options), { useAzureSdk: true }); restoreKeys = restoreKeys || []; @@ -94487,7 +94558,20 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { restoreKeys, version: utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive) }; - const response = yield twirpClient.GetCacheEntryDownloadURL(request); + let response; + try { + response = yield twirpClient.GetCacheEntryDownloadURL(request); + } + catch (error) { + // The receiver returns twirp PermissionDenied (403) when the run's token + // has no readable cache scopes. The client wraps that 403, so the stable + // prefix is embedded in the message rather than leading it. + const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : ''; + if (errorMessage.includes(CACHE_READ_DENIED_PREFIX)) { + throw new CacheReadDeniedError(errorMessage); + } + throw error; + } if (!response.ok) { core.debug(`Cache not found for version ${request.version} of keys: ${keys.join(', ')}`); return undefined; @@ -94522,8 +94606,10 @@ function restoreCacheV2(paths_1, primaryKey_1, restoreKeys_1, options_1) { throw error; } else { - // Supress all non-validation cache related errors because caching should be optional - // Log server errors (5xx) as errors, all other errors as warnings + // Suppress all non-validation cache related errors because caching should be optional + // Log server errors (5xx) as errors, all other errors as warnings. + // A read denied by policy (CacheReadDeniedError) is not an HttpClientError + // so it falls here and is warned, treated as a cache miss. if (typedError instanceof HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94562,6 +94648,12 @@ function cache_saveCache(paths_1, key_1, options_1) { core_debug(`Cache service version: ${cacheServiceVersion}`); checkPaths(paths); checkKey(key); + const cacheMode = config_getCacheMode(); + if (!isCacheWritable(cacheMode)) { + info(`Cache save skipped: the effective cache-mode '${cacheMode}' does not permit writes.`); + core_debug(`Skipped save for paths [${paths.join(', ')}] with key '${key}'.`); + return -1; + } switch (cacheServiceVersion) { case 'v2': return yield saveCacheV2(paths, key, options, enableCrossOsArchive); @@ -94639,17 +94731,14 @@ function saveCacheV1(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { info(`Failed to save: ${typedError.message}`); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { @@ -94760,12 +94849,6 @@ function saveCacheV2(paths_1, key_1, options_1) { if (typedError.name === ValidationError.name) { throw error; } - else if (typedError.name === CacheWriteDeniedError.name) { - // Cache write was denied by policy (read-only token). Surface to the - // customer at warning level so it is visible in the workflow log - // without failing the run. - warning(`Failed to save: ${typedError.message}`); - } else if (typedError.name === ReserveCacheError.name) { info(`Failed to save: ${typedError.message}`); } @@ -94773,7 +94856,10 @@ function saveCacheV2(paths_1, key_1, options_1) { warning(typedError.message); } else { - // Log server errors (5xx) as errors, all other errors as warnings + // Log server errors (5xx) as errors, all other errors as warnings. + // A write denied by policy (CacheWriteDeniedError) is not an + // HttpClientError and its name does not match the ReserveCacheError arm, + // so it falls here and is warned without failing the run. if (typedError instanceof lib_HttpClientError && typeof typedError.statusCode === 'number' && typedError.statusCode >= 500) { diff --git a/package.json b/package.json index b409614..e7266ae 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,7 @@ "author": "GitHub", "license": "MIT", "dependencies": { - "@actions/cache": "^6.1.0", + "@actions/cache": "^6.2.0", "@actions/core": "^3.0.1", "@actions/exec": "^3.0.0", "@actions/io": "^3.0.2"