Add secret and signature masking for cache and artifact packages

packages/cache/__tests__/cacheTwirpClient.test.ts

@@ -0,0 +1,98 @@
+import {
+  CreateCacheEntryResponse,
+  GetCacheEntryDownloadURLResponse
+} from '../src/generated/results/api/v1/cache'
+import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
+import {setSecret, debug} from '@actions/core'
+
+jest.mock('@actions/core', () => ({
+  setSecret: jest.fn(),
+  info: jest.fn(),
+  debug: jest.fn()
+}))
+
+describe('CacheServiceClient', () => {
+  let client: CacheServiceClient
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+    process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token' // <-- set the required env variable
+    client = new CacheServiceClient('test-agent')
+  })
+
+  afterEach(() => {
+    delete process.env['ACTIONS_RUNTIME_TOKEN'] // <-- clean up after tests
+  })
+
+  describe('maskSecretUrls', () => {
+    it('should mask signedUploadUrl', () => {
+      const response = {
+        ok: true,
+        signedUploadUrl:
+          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      } as CreateCacheEntryResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
+    })
+
+    it('should mask signedDownloadUrl', () => {
+      const response = {
+        ok: true,
+        signedDownloadUrl:
+          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
+        matchedKey: 'cache-key'
+      } as GetCacheEntryDownloadURLResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
+    })
+
+    it('should not call setSecret if URLs are missing', () => {
+      const response = {ok: true} as CreateCacheEntryResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).not.toHaveBeenCalled()
+    })
+
+    it('should mask only the sensitive token part of signedUploadUrl', () => {
+      const response = {
+        ok: true,
+        signedUploadUrl:
+          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      } as CreateCacheEntryResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
+    })
+
+    it('should mask only the sensitive token part of signedDownloadUrl', () => {
+      const response = {
+        ok: true,
+        signedDownloadUrl:
+          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
+        matchedKey: 'cache-key'
+      } as GetCacheEntryDownloadURLResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith(
+        'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
+    })
+  })
+})

packages/cache/__tests__/saveCacheV2.test.ts

@@ -8,10 +8,16 @@ import * as tar from '../src/internal/tar'
 import {CacheServiceClientJSON} from '../src/generated/results/api/v1/cache.twirp-client'
 import * as cacheHttpClient from '../src/internal/cacheHttpClient'
 import {UploadOptions} from '../src/options'
+import {
+  CreateCacheEntryResponse,
+  GetCacheEntryDownloadURLResponse
+} from '../src/generated/results/api/v1/cache'
+import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
 
 let logDebugMock: jest.SpyInstance
 
 jest.mock('../src/internal/tar')
+jest.mock('@actions/core')
 
 const uploadFileMock = jest.fn()
 const blockBlobClientMock = jest.fn().mockImplementation(() => ({