Skip to content

elevate GITHUB_TOKEN to packages feed credential #1603

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brettfo merged 2 commits into from
Jan 27, 2026
+534 −6
Merged

elevate GITHUB_TOKEN to packages feed credential #1603

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2808ab4
enforce binary file
brettfo Jan 22, 2026
c69d6a8
elevate GITHUB_TOKEN to packages credential
brettfo Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .gitattributes
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
dist/** -diff linguist-generated=true
dist/** -diff linguist-generated=true
*.exe binary
240 changes: 238 additions & 2 deletions __tests__/main.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import * as core from '@actions/core'
import {Context} from '@actions/github/lib/context'
import {
ApiClient,
Credential,
JobDetails,
CredentialFetchingError,
JobDetailsFetchingError
Expand All @@ -11,7 +12,7 @@ import {Updater} from '../src/updater'
import {ImageService, MetricReporter} from '../src/image-service'
import {updaterImageName} from '../src/docker-tags'
import * as inputs from '../src/inputs'
import {run, credentialsFromEnv} from '../src/main'
import {run, credentialsFromEnv, getPackagesCredential} from '../src/main'

import {eventFixturePath} from './helpers'

Expand Down Expand Up @@ -139,7 +140,8 @@ describe('run', () => {
'allowed-updates': [],
'credentials-metadata': [],
id: '1',
experiments: {}
experiments: {},
source: {repo: 'test-org/test-repo'}
})

const pullSpy = jest
Expand Down Expand Up @@ -820,3 +822,237 @@ describe('credentialsFromEnv', () => {
expect(setSecretSpy).not.toHaveBeenCalledWith('https://foo')
})
})

describe('getPackagesCredential', () => {
const experimentName = 'automatic_github_packages_auth'
const alternateExperimentName = experimentName.replace(/_/g, '-')
function createJobDetails(
packageManager: string,
experiments: {[key: string]: boolean},
credentialsMetadata: Credential[] = []
): JobDetails {
return {
'package-manager': packageManager,
'allowed-updates': [],
'credentials-metadata': credentialsMetadata,
id: '1',
experiments,
source: {repo: 'test-org/test-repo'}
}
}

beforeEach(() => {
process.env.GITHUB_TOKEN = 'test-token'
})

afterEach(() => {
delete process.env.GITHUB_TOKEN
})

describe('when the package manager is unsupported', () => {
it('returns null', () => {
const details = createJobDetails('unsupported-package-manager', {
[experimentName]: true
})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})

describe('when the package manager is bundler', () => {
describe('when automatic package auth is enabled', () => {
it('creates a GitHub packages credential', () => {
const details = createJobDetails('bundler', {[experimentName]: true})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'rubygems_server',
host: 'rubygems.pkg.github.com',
token: 'test-actor:test-token'
})
})

it('does not create a duplicate credential', () => {
const existingCred: Credential = {
type: 'rubygems_server',
host: 'rubygems.pkg.github.com',
token: 'some-other-actor:some-other-token'
}
const details = createJobDetails('bundler', {[experimentName]: true}, [
existingCred
])
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})
})

describe('when the package manager is docker', () => {
describe('when automatic package auth is enabled', () => {
it('creates a GitHub packages credential', () => {
const details = createJobDetails('docker', {[experimentName]: true})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'docker_registry',
registry: 'ghcr.io',
username: 'test-actor',
password: 'test-token'
})
})

it('does not create a duplicate credential', () => {
const existingCred: Credential = {
type: 'docker_registry',
registry: 'ghcr.io',
username: 'some-other-actor',
password: 'some-other-token'
}
const details = createJobDetails('docker', {[experimentName]: true}, [
existingCred
])
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})
})

describe('when the package manager is maven', () => {
describe('when automatic package auth is enabled', () => {
it('creates a GitHub packages credential', () => {
const details = createJobDetails('maven', {[experimentName]: true})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'maven_repository',
url: 'https://maven.pkg.github.com/test-org',
username: 'test-actor',
password: 'test-token'
})
})

it('does not create a duplicate credential with no trailing slash', () => {
const existingCred: Credential = {
type: 'maven_repository',
url: 'https://maven.pkg.github.com/TEST-ORG',
username: 'some-other-actor',
password: 'some-other-token'
}
const details = createJobDetails('maven', {[experimentName]: true}, [
existingCred
])
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})

it('does not create a duplicate credential with a trailing slash', () => {
const existingCred: Credential = {
type: 'maven_repository',
url: 'https://maven.pkg.github.com/TEST-ORG/',
username: 'some-other-actor',
password: 'some-other-token'
}
const details = createJobDetails('maven', {[experimentName]: true}, [
existingCred
])
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})
})

describe('when the package manager is npm_and_yarn', () => {
describe('when automatic package auth is enabled', () => {
it('creates a GitHub packages credential', () => {
const details = createJobDetails('npm_and_yarn', {
[experimentName]: true
})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'npm_registry',
registry: 'npm.pkg.github.com',
token: 'test-actor:test-token'
})
})

it('does not create a duplicate credential', () => {
const existingCred: Credential = {
type: 'npm_registry',
registry: 'npm.pkg.github.com',
token: 'some-other-actor:some-other-token'
}
const details = createJobDetails(
'npm_and_yarn',
{[experimentName]: true},
[existingCred]
)
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})
})

describe('when the package manager is nuget', () => {
describe('when automatic package auth is not set', () => {
it('returns null', () => {
const details = createJobDetails('nuget', {})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})

describe('when automatic package auth is disabled', () => {
it('returns null', () => {
const details = createJobDetails('nuget', {[experimentName]: false})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})

describe('when GITHUB_TOKEN is not set', () => {
it('returns null', () => {
delete process.env.GITHUB_TOKEN
const details = createJobDetails('nuget', {[experimentName]: true})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})

describe('when automatic package auth is enabled', () => {
it('creates a GitHub packages credential', () => {
const details = createJobDetails('nuget', {[experimentName]: true})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'nuget_feed',
url: 'https://nuget.pkg.github.com/test-org/index.json',
username: 'test-actor',
password: 'test-token'
})
})

it('creates a GitHub packages credential with alternate experiment name', () => {
const details = createJobDetails('nuget', {
[alternateExperimentName]: true
})
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toEqual({
type: 'nuget_feed',
url: 'https://nuget.pkg.github.com/test-org/index.json',
username: 'test-actor',
password: 'test-token'
})
})

it('does not create a duplicate credential', () => {
const existingCred: Credential = {
type: 'nuget_feed',
url: 'https://nuget.pkg.github.com/TEST-ORG/index.json',
username: 'some-other-actor',
password: 'some-other-token'
}
const details = createJobDetails('nuget', {[experimentName]: true}, [
existingCred
])
const cred = getPackagesCredential(details, 'test-actor')
expect(cred).toBeNull()
})
})
})
})
3 changes: 2 additions & 1 deletion __tests__/updater-builder-integration.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ integration('UpdaterBuilder', () => {
'credentials-metadata': [],
id: '1',
'package-manager': 'npm_and_yarn',
experiments: {}
experiments: {},
source: {repo: 'test-org/test-repo'}
}

beforeAll(async () => {
Expand Down
Loading
Loading