Instead of using utility method in core lib, use method in both twirp clients

2025-04-19 12:39:47 +08:00 · 2025-03-07 06:01:25 -08:00 · 2025-03-07 06:01:25 -08:00 · 1cd2f8a538
commit 1cd2f8a538
parent 884aa17886
6 changed files with 61 additions and 37 deletions
--- a/packages/artifact/tests/artifactTwirpClient.test.ts
+++ b/packages/artifact/tests/artifactTwirpClient.test.ts
@ -30,24 +30,30 @@ describe('ArtifactHttpClient', () => {
    it('should mask signed_upload_url', () => {
      const response: CreateArtifactResponse = {
        ok: true,
-        signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+        signedUploadUrl:
+          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
      }

      client.maskSecretUrls(response)

      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
    })

    it('should mask signed_download_url', () => {
      const response: GetSignedArtifactURLResponse = {
-        signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+        signedUrl:
+          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
      }

      client.maskSecretUrls(response)

      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
    })

    it('should not call setSecret if URLs are missing', () => {
@ -61,24 +67,30 @@ describe('ArtifactHttpClient', () => {
    it('should mask only the sensitive token part of signed_upload_url', () => {
      const response: CreateArtifactResponse = {
        ok: true,
-        signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+        signedUploadUrl:
+          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
      }

      client.maskSecretUrls(response)

      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
    })

    it('should mask only the sensitive token part of signed_download_url', () => {
      const response: GetSignedArtifactURLResponse = {
-        signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+        signedUrl:
+          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
      }

      client.maskSecretUrls(response)

      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
    })
  })
 })
--- a/packages/artifact/src/internal/shared/artifact-twirp-client.ts
+++ b/packages/artifact/src/internal/shared/artifact-twirp-client.ts
@ -1,6 +1,6 @@
 import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
 import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
-import {setSecret, info, debug, maskSigUrl} from '@actions/core'
+import {setSecret, info, debug} from '@actions/core'
 import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
 import {getUserAgentString} from './user-agent'
@ -74,14 +74,27 @@ export class ArtifactHttpClient implements Rpc {
    }
  }

+  /**
+   * Masks the `sig` parameter in a URL and sets it as a secret.
+   * @param url The URL containing the `sig` parameter.
+   * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url').
+   */
+  maskSigUrl(url: string, urlType: string): void {
+    const sigMatch = url.match(/[?&]sig=([^&]+)/)
+    if (sigMatch) {
+      setSecret(sigMatch[1])
+      debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`)
+    }
+  }
+
  maskSecretUrls(
    body: CreateArtifactResponse | GetSignedArtifactURLResponse
  ): void {
    if ('signedUploadUrl' in body && body.signedUploadUrl) {
-      maskSigUrl(body.signedUploadUrl, 'signed_upload_url')
+      this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url')
    }
    if ('signedUrl' in body && body.signedUrl) {
-      maskSigUrl(body.signedUrl, 'signed_url')
+      this.maskSigUrl(body.signedUrl, 'signed_url')
    }
  }

--- a/packages/cache/tests/cacheTwirpClient.test.ts
+++ b/packages/cache/tests/cacheTwirpClient.test.ts
@ -16,12 +16,12 @@ describe('CacheServiceClient', () => {

  beforeEach(() => {
    jest.clearAllMocks()
-    process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token' // <-- set the required env variable
+    process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token'
    client = new CacheServiceClient('test-agent')
  })

  afterEach(() => {
-    delete process.env['ACTIONS_RUNTIME_TOKEN'] // <-- clean up after tests
+    delete process.env['ACTIONS_RUNTIME_TOKEN']
  })

  describe('maskSecretUrls', () => {
@ -36,7 +36,7 @@ describe('CacheServiceClient', () => {

      expect(setSecret).toHaveBeenCalledWith('secret-token')
      expect(debug).toHaveBeenCalledWith(
-        'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
      )
    })

@ -52,7 +52,7 @@ describe('CacheServiceClient', () => {

      expect(setSecret).toHaveBeenCalledWith('secret-token')
      expect(debug).toHaveBeenCalledWith(
-        'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+        'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
      )
    })

@ -75,7 +75,7 @@ describe('CacheServiceClient', () => {

      expect(setSecret).toHaveBeenCalledWith('secret-token')
      expect(debug).toHaveBeenCalledWith(
-        'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
      )
    })

@ -91,7 +91,7 @@ describe('CacheServiceClient', () => {

      expect(setSecret).toHaveBeenCalledWith('secret-token')
      expect(debug).toHaveBeenCalledWith(
-        'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+        'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
      )
    })
  })
--- a/packages/cache/package.json
+++ b/packages/cache/package.json
@ -31,7 +31,8 @@
  "scripts": {
    "audit-moderate": "npm install && npm audit --json --audit-level=moderate > audit.json",
    "test": "echo \"Error: run tests from root\" && exit 1",
-    "tsc": "tsc"
+    "tsc": "tsc",
+    "clean": "rm -rf node_modules lib"
  },
  "bugs": {
    "url": "https://github.com/actions/toolkit/issues"
@ -46,6 +47,7 @@
    "@azure/ms-rest-js": "^2.6.0",
    "@azure/storage-blob": "^12.13.0",
    "@protobuf-ts/plugin": "^2.9.4",
+    "@types/node": "^22.13.9",
    "semver": "^6.3.1"
  },
  "devDependencies": {
--- a/packages/cache/src/internal/shared/cacheTwirpClient.ts
+++ b/packages/cache/src/internal/shared/cacheTwirpClient.ts
@ -1,4 +1,4 @@
-import {info, debug, maskSigUrl} from '@actions/core'
+import {info, debug, setSecret} from '@actions/core'
 import {getUserAgentString} from './user-agent'
 import {NetworkError, UsageError} from './errors'
 import {getCacheServiceURL} from '../config'
@ -153,14 +153,27 @@ export class CacheServiceClient implements Rpc {
    throw new Error(`Request failed`)
  }

+  /**
+   * Masks the `sig` parameter in a URL and sets it as a secret.
+   * @param url The URL containing the `sig` parameter.
+   * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url').
+   */
+  maskSigUrl(url: string, urlType: string): void {
+    const sigMatch = url.match(/[?&]sig=([^&]+)/)
+    if (sigMatch) {
+      setSecret(sigMatch[1])
+      debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`)
+    }
+  }
+
  maskSecretUrls(
    body: CreateCacheEntryResponse | GetCacheEntryDownloadURLResponse
  ): void {
    if ('signedUploadUrl' in body && body.signedUploadUrl) {
-      maskSigUrl(body.signedUploadUrl, 'signedUploadUrl')
+      this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url')
    }
    if ('signedDownloadUrl' in body && body.signedDownloadUrl) {
-      maskSigUrl(body.signedDownloadUrl, 'signedDownloadUrl')
+      this.maskSigUrl(body.signedDownloadUrl, 'signed_download_url')
    }
  }

--- a/packages/core/src/core.ts
+++ b/packages/core/src/core.ts
@ -391,19 +391,3 @@ export {toPosixPath, toWin32Path, toPlatformPath} from './path-utils'
 * Platform utilities exports
 */
 export * as platform from './platform'
-
-/**
- * Masks the `sig` parameter in a URL and sets it as a secret.
- * @param url The URL containing the `sig` parameter.
- * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url').
- * @returns The URL with the `sig` parameter masked.
- */
-export function maskSigUrl(url: string, urlType: string): string {
-  const sigMatch = url.match(/[?&]sig=([^&]+)/)
-  if (sigMatch) {
-    setSecret(sigMatch[1])
-    debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`)
-    return url.replace(sigMatch[1], '***')
-  }
-  return url
-}