Merge 145e58d96c into 3041bf56c9

* feat: fallback to "raw" endpoint for manifest when rate limit is reached

* add information about raw access to the README

* prettier

* update cross-spawn to 7.0.6 to fix vulnerability

README.md

@@ -242,18 +242,14 @@ documentation.
 
 ## Using `setup-go` on GHES
 
-`setup-go` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Go
-distributions, `setup-go` downloads distributions from [`actions/go-versions`](https://github.com/actions/go-versions)
-on github.com (outside of the appliance). These calls to `actions/go-versions` are made via unauthenticated requests,
-which are limited
-to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If
-more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks
-like: `##[error]API rate limit exceeded for...`. After that error the action will try to download versions directly
-from https://storage.googleapis.com/golang, but it also can have rate limit so it's better to put token.
+`setup-go` comes pre-installed on the appliance with GHES if Actions is enabled.
+When dynamically downloading Go distributions, `setup-go` downloads distributions from [`actions/go-versions`](https://github.com/actions/go-versions) on github.com (outside of the appliance).
 
-To get a higher rate limit, you
-can [generate a personal access token on github.com](https://github.com/settings/tokens/new) and pass it as the `token`
-input for the action:
+These calls to `actions/go-versions` are made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting).
+If more requests are made within the time frame, then the action leverages the `raw API` to retrieve the version-manifest. This approach does not impose a rate limit and hence facilitates unrestricted consumption. This is particularly beneficial for GHES runners, which often share the same IP, to avoid the quick exhaustion of the unauthenticated rate limit.
+If that fails as well the action will try to download versions directly from https://storage.googleapis.com/golang.
+
+If that fails as well you can get a higher rate limit with [generating a personal access token on github.com](https://github.com/settings/tokens/new) and passing it as the `token` input to the action:
 
 ```yaml
 uses: actions/setup-go@v5
@@ -262,8 +258,7 @@ with:
   go-version: '1.18'
 ```
 
-If the runner is not able to access github.com, any Go versions requested during a workflow run must come from the
-runner's tool cache.
+If the runner is not able to access github.com, any Go versions requested during a workflow run must come from the runner's tool cache.
 See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)"
 for more information.
 

__tests__/setup-go.test.ts

@@ -7,6 +7,7 @@ import osm, {type} from 'os';
 import path from 'path';
 import * as main from '../src/main';
 import * as im from '../src/installer';
+import * as httpm from '@actions/http-client';
 
 import goJsonData from './data/golang-dl.json';
 import matchers from '../matchers.json';
@@ -46,6 +47,7 @@ describe('setup-go', () => {
   let execSpy: jest.SpyInstance;
   let getManifestSpy: jest.SpyInstance;
   let getAllVersionsSpy: jest.SpyInstance;
+  let httpmGetJsonSpy: jest.SpyInstance;
 
   beforeAll(async () => {
     process.env['GITHUB_ENV'] = ''; // Stub out Environment file functionality so we can verify it writes to standard out (toolkit is backwards compatible)
@@ -90,6 +92,9 @@ describe('setup-go', () => {
     getManifestSpy = jest.spyOn(tc, 'getManifestFromRepo');
     getAllVersionsSpy = jest.spyOn(im, 'getManifest');
 
+    // httm
+    httpmGetJsonSpy = jest.spyOn(httpm.HttpClient.prototype, 'getJson');
+
     // io
     whichSpy = jest.spyOn(io, 'which');
     existsSpy = jest.spyOn(fs, 'existsSync');
@@ -151,6 +156,21 @@ describe('setup-go', () => {
     );
   });
 
+  it('should return manifest from repo', async () => {
+    const manifest = await im.getManifest(undefined);
+    expect(manifest).toEqual(goTestManifest);
+  });
+
+  it('should return manifest from raw URL if repo fetch fails', async () => {
+    getManifestSpy.mockRejectedValue(new Error('Fetch failed'));
+    httpmGetJsonSpy.mockResolvedValue({
+      result: goTestManifest
+    });
+    const manifest = await im.getManifest(undefined);
+    expect(httpmGetJsonSpy).toHaveBeenCalled();
+    expect(manifest).toEqual(goTestManifest);
+  });
+
   it('can find 1.9 from manifest on linux', async () => {
     os.platform = 'linux';
     os.arch = 'x64';
@@ -265,7 +285,7 @@ describe('setup-go', () => {
     expect(logSpy).toHaveBeenCalledWith(`Setup go version spec 1.13.0`);
   });
 
-  it('does not export any variables for Go versions >=1.9', async () => {
+  it('does not export GOROOT for Go versions >=1.9', async () => {
     inputs['go-version'] = '1.13.0';
     inSpy.mockImplementation(name => inputs[name]);
 
@@ -278,7 +298,7 @@ describe('setup-go', () => {
     });
 
     await main.run();
-    expect(vars).toStrictEqual({});
+    expect(vars).not.toHaveProperty('GOROOT');
   });
 
   it('exports GOROOT for Go versions <1.9', async () => {
@@ -294,9 +314,7 @@ describe('setup-go', () => {
     });
 
     await main.run();
-    expect(vars).toStrictEqual({
-      GOROOT: toolPath
-    });
+    expect(vars).toHaveProperty('GOROOT', toolPath);
   });
 
   it('finds a version of go already in the cache', async () => {
@@ -790,6 +808,9 @@ describe('setup-go', () => {
       getManifestSpy.mockImplementation(() => {
         throw new Error('Unable to download manifest');
       });
+      httpmGetJsonSpy.mockRejectedValue(
+        new Error('Unable to download manifest from raw URL')
+      );
       getAllVersionsSpy.mockImplementationOnce(() => undefined);
 
       dlSpy.mockImplementation(async () => '/some/temp/path');
@@ -966,4 +987,68 @@ use .
       }
     );
   });
+
+  describe('go-version-file-toolchain', () => {
+    const goModContents = `module example.com/mymodule
+
+go 1.14
+
+toolchain go1.21.0
+
+require (
+	example.com/othermodule v1.2.3
+	example.com/thismodule v1.2.3
+	example.com/thatmodule v1.2.3
+)
+
+replace example.com/thatmodule => ../thatmodule
+exclude example.com/thismodule v1.3.0
+`;
+
+    const goWorkContents = `go 1.19
+
+toolchain go1.21.0
+
+use .
+
+`;
+
+    it('reads version from toolchain directive in go.mod', async () => {
+      inputs['go-version-file'] = 'go.mod';
+      existsSpy.mockImplementation(() => true);
+      readFileSpy.mockImplementation(() => Buffer.from(goModContents));
+
+      await main.run();
+
+      expect(logSpy).toHaveBeenCalledWith('Setup go version spec 1.21.0');
+      expect(logSpy).toHaveBeenCalledWith('Attempting to download 1.21.0...');
+      expect(logSpy).toHaveBeenCalledWith('matching 1.21.0...');
+    });
+
+    it('reads version from toolchain directive in go.work', async () => {
+      inputs['go-version-file'] = 'go.work';
+      existsSpy.mockImplementation(() => true);
+      readFileSpy.mockImplementation(() => Buffer.from(goWorkContents));
+
+      await main.run();
+
+      expect(logSpy).toHaveBeenCalledWith('Setup go version spec 1.21.0');
+      expect(logSpy).toHaveBeenCalledWith('Attempting to download 1.21.0...');
+      expect(logSpy).toHaveBeenCalledWith('matching 1.21.0...');
+    });
+  });
+
+  it('exports GOTOOLCHAIN and sets it in current process env', async () => {
+    inputs['go-version'] = '1.21.0';
+    inSpy.mockImplementation(name => inputs[name]);
+
+    const vars: {[key: string]: string} = {};
+    exportVarSpy.mockImplementation((name: string, val: string) => {
+      vars[name] = val;
+    });
+
+    await main.run();
+    expect(vars).toStrictEqual({GOTOOLCHAIN: 'local'});
+    expect(process.env).toHaveProperty('GOTOOLCHAIN', 'local');
+  });
 });

dist/setup/index.js

@@ -88259,6 +88259,10 @@ const sys = __importStar(__nccwpck_require__(5632));
 const fs_1 = __importDefault(__nccwpck_require__(7147));
 const os_1 = __importDefault(__nccwpck_require__(2037));
 const utils_1 = __nccwpck_require__(1314);
+const MANIFEST_REPO_OWNER = 'actions';
+const MANIFEST_REPO_NAME = 'go-versions';
+const MANIFEST_REPO_BRANCH = 'main';
+const MANIFEST_URL = `https://raw.githubusercontent.com/${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}/${MANIFEST_REPO_BRANCH}/versions-manifest.json`;
 function getGo(versionSpec_1, checkLatest_1, auth_1) {
     return __awaiter(this, arguments, void 0, function* (versionSpec, checkLatest, auth, arch = os_1.default.arch()) {
         var _a;
@@ -88433,10 +88437,34 @@ function extractGoArchive(archivePath) {
 exports.extractGoArchive = extractGoArchive;
 function getManifest(auth) {
     return __awaiter(this, void 0, void 0, function* () {
-        return tc.getManifestFromRepo('actions', 'go-versions', auth, 'main');
+        try {
+            return yield getManifestFromRepo(auth);
+        }
+        catch (err) {
+            core.debug('Fetching the manifest via the API failed.');
+            if (err instanceof Error) {
+                core.debug(err.message);
+            }
+        }
+        return yield getManifestFromURL();
     });
 }
 exports.getManifest = getManifest;
+function getManifestFromRepo(auth) {
+    core.debug(`Getting manifest from ${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}@${MANIFEST_REPO_BRANCH}`);
+    return tc.getManifestFromRepo(MANIFEST_REPO_OWNER, MANIFEST_REPO_NAME, auth, MANIFEST_REPO_BRANCH);
+}
+function getManifestFromURL() {
+    return __awaiter(this, void 0, void 0, function* () {
+        core.debug('Falling back to fetching the manifest using raw URL.');
+        const http = new httpm.HttpClient('tool-cache');
+        const response = yield http.getJson(MANIFEST_URL);
+        if (!response.result) {
+            throw new Error(`Unable to get manifest from ${MANIFEST_URL}`);
+        }
+        return response.result;
+    });
+}
 function getInfoFromManifest(versionSpec_1, stable_1, auth_1) {
     return __awaiter(this, arguments, void 0, function* (versionSpec, stable, auth, arch = os_1.default.arch(), manifest) {
         let info = null;
@@ -88549,8 +88577,14 @@ function parseGoVersionFile(versionFilePath) {
     const contents = fs_1.default.readFileSync(versionFilePath).toString();
     if (path.basename(versionFilePath) === 'go.mod' ||
         path.basename(versionFilePath) === 'go.work') {
-        const match = contents.match(/^go (\d+(\.\d+)*)/m);
-        return match ? match[1] : '';
+        // toolchain directive: https://go.dev/ref/mod#go-mod-file-toolchain
+        const matchToolchain = contents.match(/^toolchain go(\d+(\.\d+)*)/m);
+        if (matchToolchain) {
+            return matchToolchain[1];
+        }
+        // go directive: https://go.dev/ref/mod#go-mod-file-go
+        const matchGo = contents.match(/^go (\d+(\.\d+)*)/m);
+        return matchGo ? matchGo[1] : '';
     }
     return contents.trim();
 }
@@ -88653,6 +88687,7 @@ const os_1 = __importDefault(__nccwpck_require__(2037));
 function run() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
+            setToolchain();
             //
             // versionSpec is optional.  If supplied, install / use from the tool cache
             // If not supplied then problem matchers will still be setup.  Useful for self-hosted.
@@ -88769,6 +88804,21 @@ function resolveVersionInput() {
     }
     return version;
 }
+function setToolchain() {
+    // docs: https://go.dev/doc/toolchain
+    // "local indicates the bundled Go toolchain (the one that shipped with the go command being run)"
+    // this is so any 'go' command is run with the selected Go version
+    // and doesn't trigger a toolchain download and run commands with that
+    // see e.g. issue #424
+    // and a similar discussion: https://github.com/docker-library/golang/issues/472
+    const toolchain = 'local';
+    const toolchainVar = 'GOTOOLCHAIN';
+    // set the value in process env so any `go` commands run as child-process
+    // don't cause toolchain downloads
+    process.env[toolchainVar] = toolchain;
+    // and in the runner env so e.g. a user running `go mod tidy` won't cause it
+    core.exportVariable(toolchainVar, toolchain);
+}
 
 
 /***/ }),

package-lock.json

@@ -2504,10 +2504,11 @@
       }
     },
     "node_modules/cross-spawn": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
-      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
         "path-key": "^3.1.0",
         "shebang-command": "^2.0.0",

src/installer.ts

@@ -8,6 +8,11 @@ import fs from 'fs';
 import os from 'os';
 import {StableReleaseAlias} from './utils';
 
+const MANIFEST_REPO_OWNER = 'actions';
+const MANIFEST_REPO_NAME = 'go-versions';
+const MANIFEST_REPO_BRANCH = 'main';
+const MANIFEST_URL = `https://raw.githubusercontent.com/${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}/${MANIFEST_REPO_BRANCH}/versions-manifest.json`;
+
 type InstallationType = 'dist' | 'manifest';
 
 export interface IGoVersionFile {
@@ -274,8 +279,43 @@ export async function extractGoArchive(archivePath: string): Promise<string> {
   return extPath;
 }
 
-export async function getManifest(auth: string | undefined) {
-  return tc.getManifestFromRepo('actions', 'go-versions', auth, 'main');
+export async function getManifest(
+  auth: string | undefined
+): Promise<tc.IToolRelease[]> {
+  try {
+    return await getManifestFromRepo(auth);
+  } catch (err) {
+    core.debug('Fetching the manifest via the API failed.');
+    if (err instanceof Error) {
+      core.debug(err.message);
+    }
+  }
+  return await getManifestFromURL();
+}
+
+function getManifestFromRepo(
+  auth: string | undefined
+): Promise<tc.IToolRelease[]> {
+  core.debug(
+    `Getting manifest from ${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}@${MANIFEST_REPO_BRANCH}`
+  );
+  return tc.getManifestFromRepo(
+    MANIFEST_REPO_OWNER,
+    MANIFEST_REPO_NAME,
+    auth,
+    MANIFEST_REPO_BRANCH
+  );
+}
+
+async function getManifestFromURL(): Promise<tc.IToolRelease[]> {
+  core.debug('Falling back to fetching the manifest using raw URL.');
+
+  const http: httpm.HttpClient = new httpm.HttpClient('tool-cache');
+  const response = await http.getJson<tc.IToolRelease[]>(MANIFEST_URL);
+  if (!response.result) {
+    throw new Error(`Unable to get manifest from ${MANIFEST_URL}`);
+  }
+  return response.result;
 }
 
 export async function getInfoFromManifest(
@@ -424,8 +464,15 @@ export function parseGoVersionFile(versionFilePath: string): string {
     path.basename(versionFilePath) === 'go.mod' ||
     path.basename(versionFilePath) === 'go.work'
   ) {
-    const match = contents.match(/^go (\d+(\.\d+)*)/m);
-    return match ? match[1] : '';
+    // toolchain directive: https://go.dev/ref/mod#go-mod-file-toolchain
+    const matchToolchain = contents.match(/^toolchain go(\d+(\.\d+)*)/m);
+    if (matchToolchain) {
+      return matchToolchain[1];
+    }
+
+    // go directive: https://go.dev/ref/mod#go-mod-file-go
+    const matchGo = contents.match(/^go (\d+(\.\d+)*)/m);
+    return matchGo ? matchGo[1] : '';
   }
 
   return contents.trim();

src/main.ts

@@ -11,6 +11,7 @@ import os from 'os';
 
 export async function run() {
   try {
+    setToolchain();
     //
     // versionSpec is optional.  If supplied, install / use from the tool cache
     // If not supplied then problem matchers will still be setup.  Useful for self-hosted.
@@ -160,3 +161,20 @@ function resolveVersionInput(): string {
 
   return version;
 }
+
+function setToolchain() {
+  // docs: https://go.dev/doc/toolchain
+  // "local indicates the bundled Go toolchain (the one that shipped with the go command being run)"
+  // this is so any 'go' command is run with the selected Go version
+  // and doesn't trigger a toolchain download and run commands with that
+  // see e.g. issue #424
+  // and a similar discussion: https://github.com/docker-library/golang/issues/472
+  const toolchain = 'local';
+  const toolchainVar = 'GOTOOLCHAIN';
+
+  // set the value in process env so any `go` commands run as child-process
+  // don't cause toolchain downloads
+  process.env[toolchainVar] = toolchain;
+  // and in the runner env so e.g. a user running `go mod tidy` won't cause it
+  core.exportVariable(toolchainVar, toolchain);
+}