diff --git a/.github/assets/pixi-url-auth-test/Caddyfile b/.github/assets/pixi-url-auth-test/Caddyfile new file mode 100644 index 00000000..e85af890 --- /dev/null +++ b/.github/assets/pixi-url-auth-test/Caddyfile @@ -0,0 +1,7 @@ +:8080 { + @unauthorized not header Authorization "Bearer s3cr3tT0k3nABC123" + respond @unauthorized "Unauthorized: Invalid token" 401 + + root * ./assets + file_server +} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7d2d8018..d50258ed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,7 +47,7 @@ jobs: run: | set -euo pipefail latest_version="$(jq -r '.version' package.json)" - count_expected=17 + count_expected=18 count_actual="$(grep -c "setup-pixi@v$latest_version" README.md || true)" if [ "$count_actual" -ne "$count_expected" ]; then echo "::error file=README.md::Expected $count_expected mentions of \`setup-pixi@v$latest_version\` in README.md, but found $count_actual." diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 28857beb..4052f28a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -190,6 +190,47 @@ jobs: pixi-url: https://github.com/prefix-dev/pixi/releases/download/v0.14.0/pixi-x86_64-unknown-linux-musl - run: pixi --version | grep -q "pixi 0.14.0" + pixi-url-bearer-token: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Move pixi.toml + run: mv test/old-pixi-lockfiles/* . + - name: Setup caddy + run: | + set -euo pipefail + curl -Ls -o caddy.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.0/caddy_2.10.0_linux_amd64.tar.gz + tar -xzf caddy.tar.gz + chmod +x caddy + + mkdir -p assets + curl -Ls -o assets/pixi https://github.com/prefix-dev/pixi/releases/download/v0.14.0/pixi-x86_64-unknown-linux-musl + + cp .github/assets/pixi-url-auth-test/Caddyfile . + + ./caddy run --config Caddyfile & + - run: ps -aux | grep caddy + - name: Run with wrong token + uses: ./ + id: wrongtoken + with: + cache: false + pixi-url: http://localhost:8080/pixi + pixi-url-bearer-token: wrongtoken + continue-on-error: true + - name: Fail if wrong token did not fail + run: | + echo "Unexpected success!" + exit 1 + if: ${{ steps.wrongtoken.outcome != 'failure' }} + - name: Run with correct token + uses: ./ + with: + cache: false + pixi-url: http://localhost:8080/pixi + pixi-url-bearer-token: s3cr3tT0k3nABC123 + - run: pixi --version | grep -q "pixi 0.14.0" + custom-manifest-path: strategy: matrix: diff --git a/README.md b/README.md index 1ca28b78..99482dc1 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m ## Usage ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: pixi-version: v0.49.0 @@ -35,7 +35,7 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m > [!WARNING] > Since pixi is not yet stable, the API of this action may change between minor versions. -> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.10`) to avoid breaking changes. +> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.11`) to avoid breaking changes. > You can automatically update the version of this action by using [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot). > > Put the following in your `.github/dependabot.yml` file to enable Dependabot for your GitHub Actions: @@ -74,7 +74,7 @@ In order to not exceed the [10 GB cache size limit](https://docs.github.com/en/a This can be done by setting the `cache-write` argument. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: cache: true cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} @@ -119,7 +119,7 @@ test: environment: [py311, py312] steps: - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.8.10 + - uses: prefix-dev/setup-pixi@v0.8.11 with: environments: ${{ matrix.environment }} ``` @@ -129,7 +129,7 @@ test: The following example will install both the `py311` and the `py312` environment on the runner. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: # separated by spaces environments: >- @@ -165,7 +165,7 @@ Specify the token using the `auth-token` input argument. This form of authentication (bearer token in the request headers) is mainly used at [prefix.dev](https://prefix.dev). ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: auth-host: prefix.dev auth-token: ${{ secrets.PREFIX_DEV_TOKEN }} @@ -177,7 +177,7 @@ Specify the username and password using the `auth-username` and `auth-password` This form of authentication (HTTP Basic Auth) is used in some enterprise environments with [artifactory](https://jfrog.com/artifactory) for example. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: auth-host: custom-artifactory.com auth-username: ${{ secrets.PIXI_USERNAME }} @@ -190,7 +190,7 @@ Specify the conda-token using the `auth-conda-token` input argument. This form of authentication (token is encoded in URL: `https://my-quetz-instance.com/t//get/custom-channel`) is used at [anaconda.org](https://anaconda.org) or with [quetz instances](https://github.com/mamba-org/quetz). ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: auth-host: anaconda.org # or my-quetz-instance.com auth-conda-token: ${{ secrets.CONDA_TOKEN }} @@ -202,7 +202,7 @@ Specify the S3 key pair using the `auth-access-key-id` and `auth-secret-access-k You can also specify the session token using the `auth-session-token` input argument. ```yaml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: auth-host: s3://my-s3-bucket auth-s3-access-key-id: ${{ secrets.ACCESS_KEY_ID }} @@ -274,7 +274,7 @@ To this end, `setup-pixi` adds all environment variables set when executing `pix As a result, all installed binaries can be accessed without having to call `pixi run`. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: activate-environment: true ``` @@ -282,7 +282,7 @@ As a result, all installed binaries can be accessed without having to call `pixi If you are installing multiple environments, you will need to specify the name of the environment that you want to be activated. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: environments: >- py311 @@ -299,7 +299,7 @@ You can specify whether `setup-pixi` should run `pixi install --frozen` or `pixi See the [official documentation](https://prefix.dev/docs/pixi/cli#install) for more information about the `--frozen` and `--locked` flags. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: locked: true # or @@ -318,7 +318,7 @@ The first one is the debug logging of the action itself. This can be enabled by running the action with the `RUNNER_DEBUG` environment variable set to `true`. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 env: RUNNER_DEBUG: true ``` @@ -336,7 +336,7 @@ The second type is the debug logging of the pixi executable. This can be specified by setting the `log-level` input. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: # one of `q`, `default`, `v`, `vv`, or `vvv`. log-level: vvv @@ -362,7 +362,7 @@ If nothing is specified, `post-cleanup` will default to `true`. On self-hosted runners, you also might want to alter the default pixi install location to a temporary location. You can use `pixi-bin-path: ${{ runner.temp }}/bin/pixi` to do this. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: post-cleanup: true # ${{ runner.temp }}\Scripts\pixi.exe on Windows @@ -378,7 +378,7 @@ You can also use a preinstalled local version of pixi on the runner by not setti This can be overwritten by setting the `manifest-path` input argument. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: manifest-path: pyproject.toml ``` @@ -388,11 +388,23 @@ This can be overwritten by setting the `manifest-path` input argument. If you only want to install pixi and not install the current project, you can use the `run-install` option. ```yml -- uses: prefix-dev/setup-pixi@v0.8.10 +- uses: prefix-dev/setup-pixi@v0.8.11 with: run-install: false ``` +### Download pixi from a custom URL + +You can also download pixi from a custom URL by setting the `pixi-url` input argument. +Optionally, you can combine this with the `pixi-url-bearer-token` input argument to authenticate the download request. + +```yml +- uses: prefix-dev/setup-pixi@v0.8.11 + with: + pixi-url: https://pixi-mirror.example.com/releases/download/v0.48.0/pixi-x86_64-unknown-linux-musl + pixi-url-bearer-token: ${{ secrets.PIXI_MIRROR_BEARER_TOKEN }} +``` + ## More examples If you want to see more examples, you can take a look at the [GitHub Workflows of this repository](.github/workflows/test.yml). diff --git a/action.yml b/action.yml index dfdf4fe6..9c8f361a 100644 --- a/action.yml +++ b/action.yml @@ -10,6 +10,8 @@ inputs: description: Version of pixi to install pixi-url: description: URL of pixi to install + pixi-url-bearer-token: + description: Bearer token to use for authentication when downloading pixi from a URL. log-level: description: | Log level for the pixi CLI. diff --git a/dist/index.js b/dist/index.js index 242ae676..62c51db3 100644 --- a/dist/index.js +++ b/dist/index.js @@ -68868,6 +68868,9 @@ var validateInputs = (inputs) => { if (inputs.pixiVersion && inputs.pixiUrl) { throw new Error("You need to specify either pixi-version or pixi-url"); } + if (inputs.pixiUrlBearerToken && !inputs.pixiUrl) { + throw new Error("You need to specify pixi-url when using pixi-url-bearer-token"); + } if (inputs.cacheKey !== void 0 && inputs.cache === false) { throw new Error("Cannot specify cache key without caching"); } @@ -68946,7 +68949,7 @@ var determinePixiInstallation = (pixiUrlOrVersionSet, pixiBinPath) => { }; var inferOptions = (inputs) => { const runInstall = inputs.runInstall ?? true; - const pixiSource = inputs.pixiVersion ? { version: inputs.pixiVersion } : inputs.pixiUrl ? { url: inputs.pixiUrl } : { version: "latest" }; + const pixiSource = inputs.pixiVersion ? { version: inputs.pixiVersion } : inputs.pixiUrl ? { url: inputs.pixiUrl, bearerToken: inputs.pixiUrlBearerToken } : { version: "latest" }; const { downloadPixi: downloadPixi2, pixiBinPath } = determinePixiInstallation( !!inputs.pixiVersion || !!inputs.pixiUrl, inputs.pixiBinPath @@ -69037,6 +69040,7 @@ var getOptions = () => { "pixi-version must either be `latest` or a version string matching `vX.Y.Z`." ), pixiUrl: parseOrUndefined("pixi-url", stringType().url()), + pixiUrlBearerToken: parseOrUndefined("pixi-url-bearer-token", stringType()), logLevel: parseOrUndefined( "log-level", logLevelSchema, @@ -69302,10 +69306,12 @@ var activateEnvironment = async (environment) => { // src/main.ts var downloadPixi = (source) => { const url2 = "version" in source ? getPixiUrlFromVersion(source.version) : source.url; + const auth = "bearerToken" in source && source.bearerToken ? `Bearer ${source.bearerToken}` : ""; return core5.group("Downloading Pixi", () => { core5.debug("Installing pixi"); core5.debug(`Downloading pixi from ${url2}`); - return import_promises2.default.mkdir(import_path3.default.dirname(options.pixiBinPath), { recursive: true }).then(() => (0, import_tool_cache.downloadTool)(url2, options.pixiBinPath)).then((_downloadPath) => import_promises2.default.chmod(options.pixiBinPath, 493)).then(() => { + core5.debug(`Using Bearer auth: ${auth ? "yes" : "no"}`); + return import_promises2.default.mkdir(import_path3.default.dirname(options.pixiBinPath), { recursive: true }).then(() => (0, import_tool_cache.downloadTool)(url2, options.pixiBinPath, auth)).then((_downloadPath) => import_promises2.default.chmod(options.pixiBinPath, 493)).then(() => { core5.info(`Pixi installed to ${options.pixiBinPath}`); }); }); diff --git a/dist/post.js b/dist/post.js index 312e4c18..5dac8a4d 100644 --- a/dist/post.js +++ b/dist/post.js @@ -24744,6 +24744,9 @@ var validateInputs = (inputs) => { if (inputs.pixiVersion && inputs.pixiUrl) { throw new Error("You need to specify either pixi-version or pixi-url"); } + if (inputs.pixiUrlBearerToken && !inputs.pixiUrl) { + throw new Error("You need to specify pixi-url when using pixi-url-bearer-token"); + } if (inputs.cacheKey !== void 0 && inputs.cache === false) { throw new Error("Cannot specify cache key without caching"); } @@ -24822,7 +24825,7 @@ var determinePixiInstallation = (pixiUrlOrVersionSet, pixiBinPath) => { }; var inferOptions = (inputs) => { const runInstall = inputs.runInstall ?? true; - const pixiSource = inputs.pixiVersion ? { version: inputs.pixiVersion } : inputs.pixiUrl ? { url: inputs.pixiUrl } : { version: "latest" }; + const pixiSource = inputs.pixiVersion ? { version: inputs.pixiVersion } : inputs.pixiUrl ? { url: inputs.pixiUrl, bearerToken: inputs.pixiUrlBearerToken } : { version: "latest" }; const { downloadPixi, pixiBinPath } = determinePixiInstallation( !!inputs.pixiVersion || !!inputs.pixiUrl, inputs.pixiBinPath @@ -24913,6 +24916,7 @@ var getOptions = () => { "pixi-version must either be `latest` or a version string matching `vX.Y.Z`." ), pixiUrl: parseOrUndefined("pixi-url", stringType().url()), + pixiUrlBearerToken: parseOrUndefined("pixi-url-bearer-token", stringType()), logLevel: parseOrUndefined( "log-level", logLevelSchema, diff --git a/package.json b/package.json index b02098f0..eb174245 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "setup-pixi", - "version": "0.8.10", + "version": "0.8.11", "private": true, "description": "Action to set up the pixi package manager.", "scripts": { diff --git a/src/main.ts b/src/main.ts index 63b459de..5769cc6a 100644 --- a/src/main.ts +++ b/src/main.ts @@ -12,12 +12,14 @@ import { activateEnvironment } from './activate' const downloadPixi = (source: PixiSource) => { const url = 'version' in source ? getPixiUrlFromVersion(source.version) : source.url + const auth = 'bearerToken' in source && source.bearerToken ? `Bearer ${source.bearerToken}` : '' return core.group('Downloading Pixi', () => { core.debug('Installing pixi') core.debug(`Downloading pixi from ${url}`) + core.debug(`Using Bearer auth: ${auth ? 'yes' : 'no'}`) return fs .mkdir(path.dirname(options.pixiBinPath), { recursive: true }) - .then(() => downloadTool(url, options.pixiBinPath)) + .then(() => downloadTool(url, options.pixiBinPath, auth)) .then((_downloadPath) => fs.chmod(options.pixiBinPath, 0o755)) .then(() => { core.info(`Pixi installed to ${options.pixiBinPath}`) diff --git a/src/options.ts b/src/options.ts index ef036660..409446fc 100644 --- a/src/options.ts +++ b/src/options.ts @@ -11,6 +11,7 @@ import which from 'which' type Inputs = Readonly<{ pixiVersion?: string pixiUrl?: string + pixiUrlBearerToken?: string logLevel?: LogLevel manifestPath?: string runInstall?: boolean @@ -39,6 +40,7 @@ export type PixiSource = } | { url: string + bearerToken?: string } type Auth = { @@ -133,6 +135,9 @@ const validateInputs = (inputs: Inputs): void => { if (inputs.pixiVersion && inputs.pixiUrl) { throw new Error('You need to specify either pixi-version or pixi-url') } + if (inputs.pixiUrlBearerToken && !inputs.pixiUrl) { + throw new Error('You need to specify pixi-url when using pixi-url-bearer-token') + } if (inputs.cacheKey !== undefined && inputs.cache === false) { throw new Error('Cannot specify cache key without caching') } @@ -223,7 +228,7 @@ const inferOptions = (inputs: Inputs): Options => { const pixiSource = inputs.pixiVersion ? { version: inputs.pixiVersion } : inputs.pixiUrl - ? { url: inputs.pixiUrl } + ? { url: inputs.pixiUrl, bearerToken: inputs.pixiUrlBearerToken } : { version: 'latest' } const { downloadPixi, pixiBinPath } = determinePixiInstallation( @@ -340,6 +345,7 @@ const getOptions = () => { 'pixi-version must either be `latest` or a version string matching `vX.Y.Z`.' ), pixiUrl: parseOrUndefined('pixi-url', z.string().url()), + pixiUrlBearerToken: parseOrUndefined('pixi-url-bearer-token', z.string()), logLevel: parseOrUndefined( 'log-level', logLevelSchema,