actions/setup-java
1
0
Fork 0
mirror of https://github.com/actions/setup-java.git synced 2026-06-17 00:45:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
b88f84c41e
setup-java/src/cleanup-java.ts
Salman Chishti 974f2a8de3 feat: add cache-write input for read-only cache mode 
Add a 'cache-write' input (default: true) that controls whether the cache
is saved at the end of the workflow. When set to 'false', the action will
restore cached dependencies but skip saving, providing a read-only cache
mode.

This is useful for preventing cache poisoning attacks from untrusted PR
builds while still benefiting from cached dependencies.
2026-03-09 05:35:59 -07:00

67 lines
2.0 KiB
TypeScript
Raw Blame History

import * as core from '@actions/core';
import * as gpg from './gpg';
import * as constants from './constants';
import {isJobStatusSuccess} from './util';
import {save} from './cache';
async function removePrivateKeyFromKeychain() {
if (core.getInput(constants.INPUT_GPG_PRIVATE_KEY, {required: false})) {
core.info('Removing private key from keychain');
try {
const keyFingerprint = core.getState(
constants.STATE_GPG_PRIVATE_KEY_FINGERPRINT
);
await gpg.deleteKey(keyFingerprint);
} catch (error) {
core.setFailed(
`Failed to remove private key due to: ${(error as Error).message}`
);
}
}
}
/**
* Check given input and run a save process for the specified package manager
* @returns Promise that will be resolved when the save process finishes
*/
async function saveCache() {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return Promise.resolve();
}
const jobStatus = isJobStatusSuccess();
const cache = core.getInput(constants.INPUT_CACHE);
return jobStatus && cache ? save(cache) : Promise.resolve();
}
/**
* The save process is best-effort, and it should not make the workflow fail
* even though this process throws an error.
* @param promise the promise to ignore error from
* @returns Promise that will ignore error reported by the given promise
*/
async function ignoreError(promise: Promise<void>) {
return new Promise(resolve => {
promise
.catch(error => {
core.warning(error);
resolve(void 0);
})
.then(resolve);
});
}
export async function run() {
await removePrivateKeyFromKeychain();
await ignoreError(saveCache());
}
if (require.main === module) {
run();
} else {
// https://nodejs.org/api/modules.html#modules_accessing_the_main_module
core.info('the script is loaded as a module, so skipping the execution');
}
Reference in New Issue View Git Blame Copy Permalink