Installer Action Node16 Deprecation Notice #806
Comments
|
Yes, we would welcome a PR. By other platforms, do you mean other OSs? |
|
@ramonpetgrave64 - Yes, I mean support for Windows and macOS. I see binaries are built for these platforms so I figured it would make sense to have the Action also support them. |
|
Alright, it could take a bit of work to get it to work for other OSs, but the node20 upgrade seems simple enough. You're welcome to test it on your fork and submit a PR. I'll be happy to merge. |
|
The Node20 upgrades had no issues (didn't even make changes to Is this intentional? I can address this as well with the OS support. Also the current Action appears to be using the |
|
Thanks for testing it out. I can't say for sure if it's intentional. But looking at Github's example, it seems like Regarding the ref, it will actually work if the user wants to install older versions of slsa-verifier.
|
This will only download the files to the location you specify but not actually cache them. They will only be moved into the hostedtoolcache once you call the The developer needs to use let cachePath = await tc.find(...) // returns path if found
if (!cachePath)
// download artifact
const downloadPath = await tc.downloadTool(...)
// verify download
// ...
// cache download for future use
// eg: /opt/hostedtoolcache/slsa-verifier/2.6.0/x64/slsa-verifier
cachePath = await tc.cacheFile(...) // returns path to cached directory
}
core.addPath(cachePath)
This is sort of true, but would not be the case for the new OSes we're adding support for and any of the additional fixes to the Action itself. Using something like eg: If someone wanted to use This is where I think a |
|
Are you sure those are not just for self-hosted runners? What I'd like to only ever cache from the direct download link. Thanks for clarifying about the ref. I'll invite @ianlewis to discuss. |
|
Based on my experience and testing, even on GH runners you will need to tell it to actually cache the files. There may be other things behind the scenes that GH does to speed up repeated downloads, but I don't believe this is part of the The debug logs during the The debug logs for Unless there is something else I'm missing I think this always needs to be explicitly called, but I don't think adding some logic to account for this is hard to do anyways. I've actually got all this added and tested in my fork, but I can easily yoink stuff out! |
|
Since performance seems perfectly fine with the cache not actually working, like you said, I'm for removing the cache code. I've also read some blogs about cache poisoning, so it seems like it's not worth the trouble. |
|
I think you're correct that performance is probably fine without it, but I think it would be nice to utilize it, especially for people who do use this on self-hosted runners (such as myself). Cache poisoning is definitely a good point though and not something I accounted for in my fork. I think a good balance for this would be to cache the binary, but not cache the signature data and always validate the binary regardless of being cached or not (including for the bootstrap binary). This should ensure that any tampering would be noticed by the user. This would at least reduce the total bandwidth necessary when a cache-hit does occur. Another option (which I have now) is to simply give the user a |
|
We could verify the provenance of the slsa-verifier binary that is retrieved from the cache (we do this anyway after download). This would also verify that it was the expected slsa-verifier version (preventing downgrade attacks etc). However, as stated, it's likely just downloading it each time has adequate performance. If |
|
Verifying the bin in cache is something I can add in and probably something I should have started with haha I'm not sure what else to say about the tool-cache - that repo is also not properly caching downloads since it is not calling the https://github.com/actions/toolkit/blob/main/packages/tool-cache/src/tool-cache.ts#L410 I updated my fork to deliberately skip the cache even if it's found to trigger the exact same I think it's fine to just discard the caching entirely if that's the route we want to go |
|
I agree the docs are not well written. I had originally hoped that it was caching the files on github's servers. But looking at the code it seems like I think we can should leave our use of |
|
@ramonpetgrave64 Any chance someone is going to look at that PR? Happy to make adjustments or reduce the scope of needed. |
|
@IAreKyleW00t , I've been away for a w while, and I've just taken a look at your PR. Yes, please reduce the scope of the PR for now. |
|
Sure thing, though I've lost interest in this and don't actually need those additional features or OSes for my needs, so I'll get it updated to Node20 and we can just move on. #811 is created with only the Node20 changes. |
This PR relates to the discussion from #806 regarding the Node16 deprecation notice. There are no changes to the `dist/` folder with the change to Node20 (used `v20.17.0`) - this is completely drop-in. Signed-off-by: Kyle Colantonio <k@yle.sh> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
|
@ramonpetgrave64 Before we close this out, since I have the other work already done, how would it be best to get those changes in? Do you want me to split up the changes into smaller PRs and just open them one at a time? |
|
@IAreKyleW00t Yes, and we really should have opened separate Issues for the other concerns. Would you open them or edit this issue's title and description? |
|
@ramonpetgrave64 Yes, I can open separate issues for these features/fixes since this was originally just for Node20. I'll split up the changes and open issues to address them as I'm ready |
I noticed that the installer Action is still using Node16 and throws a warning at users since it has been deprecated. Would it be possible to bump this to Node20? Looking at the code, I don't think you're doing anything funky that would be a problem with an upgrade.
Side-note, but somewhat related, I noticed the Action doesn't support other platforms even though slsa-verifier does, and is a bit dated in general. I would be happy to volunteer to give it some love and have things align with some newer standards/practices. 😄
The text was updated successfully, but these errors were encountered: