feat: Add mirror and mirror-token inputs for custom Python distribution sources#1302
feat: Add mirror and mirror-token inputs for custom Python distribution sources#1302luhenry wants to merge 1 commit intoactions:mainfrom
mirror and mirror-token inputs for custom Python distribution sources#1302Conversation
…bution sources Users who need custom CPython builds (internal mirrors, GHES-hosted forks, special build configurations, compliance builds, air-gapped runners) could not previously point setup-python at anything other than actions/python-versions. Adds two new inputs: - `mirror`: base URL hosting versions-manifest.json and the Python distributions it references. Defaults to the existing https://raw.githubusercontent.com/actions/python-versions/main. - `mirror-token`: optional token used to authenticate requests to the mirror. If `mirror` is a raw.githubusercontent.com/{owner}/{repo}/{branch} URL, the manifest is fetched via the GitHub REST API (authenticated rate limit applies); otherwise the action falls back to a direct GET of {mirror}/versions-manifest.json. Token interaction ----------------- `token` is never forwarded to arbitrary hosts. Auth resolution is per-URL: 1. if mirror-token is set, use mirror-token 2. else if token is set AND the target host is github.com, *.github.com, or *.githubusercontent.com, use token 3. else send no auth Cases: Default (no inputs set) mirror = default raw.githubusercontent.com URL, mirror-token empty, token = github.token. → manifest API call and tarball downloads use `token`. Identical to prior behavior. Custom raw.githubusercontent.com mirror (e.g. personal fork) mirror-token empty, token = github.token. → manifest API call and tarball downloads use `token` (target hosts are GitHub-owned). Custom non-GitHub mirror, no mirror-token mirror-token empty, token = github.token. → manifest fetched via direct URL (no auth attached), tarball downloads use no auth. `token` is NOT forwarded to the custom host — this is the leak-prevention case. Custom non-GitHub mirror with mirror-token mirror-token set, token may be set. → manifest fetch and tarball downloads use `mirror-token`. Custom GitHub mirror with both tokens set mirror-token wins. Used for both the manifest API call and tarball downloads.
|
Relates to #1289 |
|
I've verified it works as expected with https://github.com/riseproject-dev/riscv-runner-sample/actions/runs/24014042747/job/70030253499 |
|
@gdams 👋 would you know who would be a good person to have a loot at that? That would greatly unblock riscv64 on github more generally. Thank you very much! |
I'll ask around internally, just to clarify is your question Python specific or more generally about the state of riscv64 native runners? |
|
Merging that PR would enable a feature which would unblock users like using |
2 participants
Description:
Users who need custom CPython builds (internal mirrors, GHES-hosted forks, special build configurations, compliance builds, air-gapped runners) could not previously point setup-python at anything other than actions/python-versions.
Adds two new inputs:
mirror: base URL hosting versions-manifest.json and the Python distributions it references. Defaults to the existing https://raw.githubusercontent.com/actions/python-versions/main.mirror-token: optional token used to authenticate requests to the mirror.If
mirroris ahttps://raw.githubusercontent.com/{owner}/{repo}/{branch}URL, the manifest is fetched via the GitHub REST API (authenticated rate limit applies); otherwise the action falls back to a direct GET of{mirror}/versions-manifest.json.This approach is largely inspired from how it's done in
actions/setup-nodeToken interaction
tokenis never forwarded to arbitrary hosts. Auth resolution is per-URL:mirror-tokenis set, usemirror-tokentokenis set AND the target host isgithub.com,*.github.com, or*.githubusercontent.com, usetokenCases:
Related issue:
Fixes #1288
Check list: