Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for custom download URL #88

Closed
wants to merge 1 commit into from
Closed

Add support for custom download URL #88

wants to merge 1 commit into from
+17 −11

Conversation

mamercad
Copy link

This would help folks with GHES, etc

@mamercad mamercad requested a review from eifinger as a code owner February 24, 2025 17:01
@mamercad mamercad force-pushed the mamercad/add-custom-download-url branch from 5d9c90f to 56cf771 Compare February 24, 2025 17:09
@eifinger
Copy link
Collaborator

Hi and thank you for your PR.

Can you please give a bit more information?

  • How exactly does this help GHES users?
  • What doesn't work currently?
  • What is etc?

Thank you

@mamercad
Copy link
Author

Hi and thank you for your PR.

Can you please give a bit more information?

  • How exactly does this help GHES users?
  • What doesn't work currently?
  • What is etc?

Thank you

We run GHES and we would do something like this:

custom-download-url: "https://github.internal.tld/${OWNER}/${REPO}/releases/download/${version}/${artifact}${extension}"

I don't know TypeScript, so, guessing through things in this PR.

@eifinger
Copy link
Collaborator

I still don't understand why this change is needed. If you want to download from your own source, why do you need this action instead of "curl-ing" your private url and add the matchers?

@mamercad mamercad closed this Feb 25, 2025
@mamercad
Copy link
Author

I still don't understand why this change is needed. If you want to download from your own source, why do you need this action instead of "curl-ing" your private url and add the matchers?

I don't know what you mean ... fine, closed.

@eifinger
Copy link
Collaborator

I am under the impression that you think I don't care and don't want to implement your changes.
On the contrary, I want to support you but I need to understand more in order to do that so that I can maintain this new feature once it is merged.

To give you some insight in what I am considering:

  • Is this URL on the same GHES instance hosting the action?
  • How do we test this given this we cannot host a GHES instance for testing?
  • Will this work with the different versions of the Octokit client?
  • Will this work with checksum validation?
  • What are the possible error scenarios and how do we handle each?

@mamercad
Copy link
Author

I am under the impression that you think I don't care and don't want to implement your changes. On the contrary, I want to support you but I need to understand more in order to do that so that I can maintain this new feature once it is merged.

I don't know much about this change that I'm trying to make here. What I'm getting from the security folks internally is something along the lines of "we don't want external dependencies like this" and what they're saying is "if custom-download-url could be our internal GHES that would help".

To give you some insight in what I am considering:

  • Is this URL on the same GHES instance hosting the action?

That's the idea.

  • How do we test this given this we cannot host a GHES instance for testing?

I don't know.

  • Will this work with the different versions of the Octokit client?

I don't know what Octokit is.

  • Will this work with checksum validation?

No idea.

  • What are the possible error scenarios and how do we handle each?

No idea.

@eifinger
Copy link
Collaborator

Your security folks probably want to shutdown down internet access for the runner and look into https://docs.github.com/en/enterprise-server@3.15/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access#populating-the-tool-cache-for-a-self-hosted-runner

That being said I am currently verifying where the action downloads the executable when running in a GHES context in astral-sh/setup-uv#268 (comment).

When we learn more in this issue it might be that the change you propose here isn't even needed. I currently assume that it tries to hit a version of the astral-sh/ruff repository "mirrored" on the GHES instance.

@mamercad
Copy link
Author

Your security folks probably want to shutdown down internet access for the runner and look into https://docs.github.com/en/enterprise-server@3.15/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access#populating-the-tool-cache-for-a-self-hosted-runner

We/they do this already.

That being said I am currently verifying where the action downloads the executable when running in a GHES context in astral-sh/setup-uv#268 (comment).

When we learn more in this issue it might be that the change you propose here isn't even needed. I currently assume that it tries to hit a version of the astral-sh/ruff repository "mirrored" on the GHES instance.

Yeah, I think that's the idea.

@eifinger
Copy link
Collaborator

For my understanding: It is easier for your security team to host ruff executables where they can be downloaded by this action rather than distributing them to the toolcaches on the hosted runners?

@mamercad
Copy link
Author

For my understanding: It is easier for your security team to host ruff executables where they can be downloaded by this action rather than distributing them to the toolcaches on the hosted runners?

Yes, I believe that's what they'd prefer.

@mamercad
Copy link
Author

For my understanding: It is easier for your security team to host ruff executables where they can be downloaded by this action rather than distributing them to the toolcaches on the hosted runners?

Yes, I believe that's what they'd prefer.

Also, I have a workaround (I'm currently just running ruff by way of pre-commit); and as such, I'm not sure I need this after all.

@eifinger
Copy link
Collaborator

For my understanding: It is easier for your security team to host ruff executables where they can be downloaded by this action rather than distributing them to the toolcaches on the hosted runners?

Yes, I believe that's what they'd prefer.

Also, I have a workaround (I'm currently just running ruff by way of pre-commit); and as such, I'm not sure I need this after all.

Thats also how I do it to make sure I am using the exact same config locally and on CI. Feel free to ping me if it turns out you do need this feature.

@mamercad
Copy link
Author

For my understanding: It is easier for your security team to host ruff executables where they can be downloaded by this action rather than distributing them to the toolcaches on the hosted runners?

Yes, I believe that's what they'd prefer.

Also, I have a workaround (I'm currently just running ruff by way of pre-commit); and as such, I'm not sure I need this after all.

Thats also how I do it to make sure I am using the exact same config locally and on CI. Feel free to ping me if it turns out you do need this feature.

Yeah, I do pre-commit locally and in CI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eifinger eifinger Awaiting requested review from eifinger eifinger is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mamercad @eifinger