From f53f8850d6eda6538739932c5ba9afa87d2abc56 Mon Sep 17 00:00:00 2001 From: priya-kinthali <147703874+priya-kinthali@users.noreply.github.com> Date: Tue, 13 Feb 2024 09:24:46 +0530 Subject: [PATCH 1/3] pushing raw api changes (#2) --- __tests__/install-python.test.ts | 58 ++++++++++++++++++++++++++++++++ dist/setup/index.js | 32 ++++++++++++++++-- src/install-python.ts | 26 +++++++++++++- 3 files changed, 113 insertions(+), 3 deletions(-) create mode 100644 __tests__/install-python.test.ts diff --git a/__tests__/install-python.test.ts b/__tests__/install-python.test.ts new file mode 100644 index 000000000..c3a6e7b46 --- /dev/null +++ b/__tests__/install-python.test.ts @@ -0,0 +1,58 @@ +import { + getManifest, + getManifestFromRepo, + getManifestFromURL +} from '../src/install-python'; +import * as httpm from '@actions/http-client'; +import * as tc from '@actions/tool-cache'; + +jest.mock('@actions/http-client'); +jest.mock('@actions/tool-cache'); + +const mockManifest = [{version: '1.0.0'}]; + +describe('getManifest', () => { + it('should return manifest from repo', async () => { + (tc.getManifestFromRepo as jest.Mock).mockResolvedValue(mockManifest); + const manifest = await getManifest(); + expect(manifest).toEqual(mockManifest); + }); + + it('should return manifest from URL if repo fetch fails', async () => { + (tc.getManifestFromRepo as jest.Mock).mockRejectedValue( + new Error('Fetch failed') + ); + (httpm.HttpClient.prototype.getJson as jest.Mock).mockResolvedValue({ + result: mockManifest + }); + const manifest = await getManifest(); + expect(manifest).toEqual(mockManifest); + }); +}); + +describe('getManifestFromRepo', () => { + it('should return manifest from repo', async () => { + (tc.getManifestFromRepo as jest.Mock).mockResolvedValue(mockManifest); + const manifest = await getManifestFromRepo(); + expect(manifest).toEqual(mockManifest); + }); +}); + +describe('getManifestFromURL', () => { + it('should return manifest from URL', async () => { + (httpm.HttpClient.prototype.getJson as jest.Mock).mockResolvedValue({ + result: mockManifest + }); + const manifest = await getManifestFromURL(); + expect(manifest).toEqual(mockManifest); + }); + + it('should throw error if unable to get manifest from URL', async () => { + (httpm.HttpClient.prototype.getJson as jest.Mock).mockResolvedValue({ + result: null + }); + await expect(getManifestFromURL()).rejects.toThrow( + 'Unable to get manifest from' + ); + }); +}); diff --git a/dist/setup/index.js b/dist/setup/index.js index dddc7eca0..7dbeff331 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -90923,11 +90923,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.installCpythonFromRelease = exports.getManifest = exports.findReleaseFromManifest = exports.MANIFEST_URL = void 0; +exports.installCpythonFromRelease = exports.getManifestFromURL = exports.getManifestFromRepo = exports.getManifest = exports.findReleaseFromManifest = exports.MANIFEST_URL = void 0; const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); const tc = __importStar(__nccwpck_require__(7784)); const exec = __importStar(__nccwpck_require__(1514)); +const httpm = __importStar(__nccwpck_require__(6255)); const utils_1 = __nccwpck_require__(1314); const TOKEN = core.getInput('token'); const AUTH = !TOKEN ? undefined : `token ${TOKEN}`; @@ -90946,10 +90947,37 @@ function findReleaseFromManifest(semanticVersionSpec, architecture, manifest) { } exports.findReleaseFromManifest = findReleaseFromManifest; function getManifest() { + return __awaiter(this, void 0, void 0, function* () { + try { + return yield getManifestFromRepo(); + } + catch (err) { + core.debug('Fetching the manifest via the API failed.'); + if (err instanceof Error) { + core.debug(err.message); + } + } + return yield getManifestFromURL(); + }); +} +exports.getManifest = getManifest; +function getManifestFromRepo() { core.debug(`Getting manifest from ${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}@${MANIFEST_REPO_BRANCH}`); return tc.getManifestFromRepo(MANIFEST_REPO_OWNER, MANIFEST_REPO_NAME, AUTH, MANIFEST_REPO_BRANCH); } -exports.getManifest = getManifest; +exports.getManifestFromRepo = getManifestFromRepo; +function getManifestFromURL() { + return __awaiter(this, void 0, void 0, function* () { + core.debug('Falling back to fetching the manifest using raw URL.'); + const http = new httpm.HttpClient('tool-cache'); + const response = yield http.getJson(exports.MANIFEST_URL); + if (!response.result) { + throw new Error(`Unable to get manifest from ${exports.MANIFEST_URL}`); + } + return response.result; + }); +} +exports.getManifestFromURL = getManifestFromURL; function installPython(workingDirectory) { return __awaiter(this, void 0, void 0, function* () { const options = { diff --git a/src/install-python.ts b/src/install-python.ts index 2af61291d..3abdfde3e 100644 --- a/src/install-python.ts +++ b/src/install-python.ts @@ -2,6 +2,7 @@ import * as path from 'path'; import * as core from '@actions/core'; import * as tc from '@actions/tool-cache'; import * as exec from '@actions/exec'; +import * as httpm from '@actions/http-client'; import {ExecOptions} from '@actions/exec/lib/interfaces'; import {IS_WINDOWS, IS_LINUX} from './utils'; @@ -31,7 +32,19 @@ export async function findReleaseFromManifest( return foundRelease; } -export function getManifest(): Promise { +export async function getManifest(): Promise { + try { + return await getManifestFromRepo(); + } catch (err) { + core.debug('Fetching the manifest via the API failed.'); + if (err instanceof Error) { + core.debug(err.message); + } + } + return await getManifestFromURL(); +} + +export function getManifestFromRepo(): Promise { core.debug( `Getting manifest from ${MANIFEST_REPO_OWNER}/${MANIFEST_REPO_NAME}@${MANIFEST_REPO_BRANCH}` ); @@ -43,6 +56,17 @@ export function getManifest(): Promise { ); } +export async function getManifestFromURL(): Promise { + core.debug('Falling back to fetching the manifest using raw URL.'); + + const http: httpm.HttpClient = new httpm.HttpClient('tool-cache'); + const response = await http.getJson(MANIFEST_URL); + if (!response.result) { + throw new Error(`Unable to get manifest from ${MANIFEST_URL}`); + } + return response.result; +} + async function installPython(workingDirectory: string) { const options: ExecOptions = { cwd: workingDirectory, From 2755b0b91ac4f6051df3eea94ebf8cb7e463225f Mon Sep 17 00:00:00 2001 From: priya-kinthali Date: Tue, 26 Mar 2024 10:37:13 +0530 Subject: [PATCH 2/3] with check related to rawapi and documentation changes --- .github/workflows/e2e-tests.yml | 4 ++++ docs/advanced-usage.md | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 2d5fb55db..d1f4b446e 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -93,3 +93,7 @@ jobs: python-version: '<3.11' - name: Verify <3.11 run: python __tests__/verify-python.py 3.10 + - name: Test Raw Endpoint Access + run: | + curl -L https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json | jq empty + shell: bash diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 6ac80deb6..ec34700a0 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -594,6 +594,12 @@ Here are the steps you need to follow to avoid the rate limit: Requests should now be authenticated. To verify that you are getting the higher rate limit, you can call GitHub's [rate limit API](https://docs.github.com/en/rest/rate-limit) from within your workflow ([example](https://github.com/actions/setup-python/pull/443#issuecomment-1206776401)). +**Fallback Mechanism - Leverage the Raw API:** + +In addition to using a Personal Access Token (PAT), the action now leverages the raw API to retrieve the version-manifest.This approach does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token. + +This is particularly beneficial for GHES runners, which often share the same IP due to Network Address Translation (NAT), to avoid the quick exhaustion of the unauthenticated rate limit. + ### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. From b9f407c7eaf0c10ce5be1aaa364a52e194df5836 Mon Sep 17 00:00:00 2001 From: priya-kinthali Date: Tue, 26 Mar 2024 10:53:56 +0530 Subject: [PATCH 3/3] documentation changes --- docs/advanced-usage.md | 28 +--------------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index ec34700a0..398509e92 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -572,33 +572,7 @@ One quick way to grant access is to change the user and group of `/Users/runner/ ### Avoiding rate limit issues -`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that look like this: - - ##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) - -To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your GHES instance. If you or your colleagues do not yet have a github.com account, you might need to create one. - -Here are the steps you need to follow to avoid the rate limit: - -1. Create a PAT on any github.com account by using [this link](https://github.com/settings/tokens/new) after logging into github.com (not your Enterprise instance). This PAT does _not_ need any rights, so make sure all the boxes are unchecked. -2. Store this PAT in the repository / organization where you run your workflow, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> **Settings** -> **Secrets** -> **Actions** -> **New repository secret**. -3. To use this functionality, you need to use any version newer than `v4.3`. Also, change _python-version_ as needed. - -```yml -- name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: 3.8 - token: ${{ secrets.GH_GITHUB_COM_TOKEN }} -``` - -Requests should now be authenticated. To verify that you are getting the higher rate limit, you can call GitHub's [rate limit API](https://docs.github.com/en/rest/rate-limit) from within your workflow ([example](https://github.com/actions/setup-python/pull/443#issuecomment-1206776401)). - -**Fallback Mechanism - Leverage the Raw API:** - -In addition to using a Personal Access Token (PAT), the action now leverages the raw API to retrieve the version-manifest.This approach does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token. - -This is particularly beneficial for GHES runners, which often share the same IP due to Network Address Translation (NAT), to avoid the quick exhaustion of the unauthenticated rate limit. +`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then the action leverages the `raw API` to retrieve the version-manifest. This approach does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token. This is particularly beneficial for GHES runners, which often share the same IP due to Network Address Translation (NAT), to avoid the quick exhaustion of the unauthenticated rate limit. ### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.