
Token not being sent to GitHub's domain

Open khurrambilalaurecon opened this issue 3 years ago • 1 comments

Hello, I'm trying to use the action but it throws the error even though I'm providing the path to the file (file url and file name as well). My "package.json" file resides in "./client/package.json". I want to compare the version from local package.json against the release branch package.json file.

Error logs >>>

Run EndBug/version-check@v[2]
  with:
    diff-search: true
    file-url: https://raw.githubusercontent.com/owner/my-repo/release/client/package.json
    file-name: /client/package.json
    token: ***
    static-checking: localIsNew
    github-api-url: https://api.github.com
Searching for version update...
Static-checking files...
Package file name: "/client/package.json"
Package file URL: "https://raw.githubusercontent.com/owner/my-repo/release/client/package.json"
Error: Response code :404 (Not Found)

Here is the workflow file:

steps:
- name: Check out repository
  uses: actions/checkout@v2

- name: Package.json version check
  id: check
  uses: EndBug/version-check@v2
  with:
    diff-search: true
    file-url: https://raw.githubusercontent.com/${{ github.repository }}/${{ github.base_ref }}/client/package.json
    file-name: /client/package.json
    token: ${{ secrets.GITHUB_TOKEN }}
    static-checking: localIsNew

- name: Echo versions
  run: |
      echo "Version change found in commit ${{ steps.check.outputs.commit }}! New version: ${{ steps.check.outputs.version }} (${{ steps.check.outputs.type }})"

- name: Version Bump check enforced
  shell: pwsh
  if: steps.check.outputs.changed == 'false'
  run: |
    echo "No version change :/"
    echo "Please bump the application version before merging into release"
    exit 1
- name: Version bumped
  shell: pwsh
  if: steps.check.outputs.changed == 'true'
  run: |
    echo "Version bumped! Enjoy the new release :)"

khurrambilalaurecon, Jan 11 '23 04:01

Oh ok, I get why this is happening.

As of now, the action uses the token only when the before tag is used for the file-url input, in order to prevent sending the token to other websites. I guess I should also check whether the URL domain is GitHub's.

Ref: a9162ce434ca54d1266cb34339c0abc6da1ca9ec

EndBug, Jan 11 '23 20:01
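
The domain check proposed in the reply above, sketched as an added example (it is not code from EndBug/version-check or from the referenced commit). `mayAttachToken`, `buildHeaders`, the host allowlist and the look-alike sample URLs are assumptions made for illustration.

```javascript
// Hosts treated as GitHub-owned for github.com (an assumption for this example).
const GITHUB_HOSTS = new Set(['github.com', 'api.github.com', 'raw.githubusercontent.com']);

// Hypothetical helper: true only when the token may accompany a request to fileUrl.
// apiUrl mirrors the github-api-url input so a GitHub Enterprise host is trusted too.
function mayAttachToken(fileUrl, apiUrl = 'https://api.github.com') {
  let target, api;
  try {
    target = new URL(fileUrl);
    api = new URL(apiUrl);
  } catch {
    return false; // relative path or unparsable URL: nothing to authenticate
  }
  if (target.protocol !== 'https:') return false; // never send the token in clear text
  if (target.username || target.password) return false; // "trusted-host@other-host" confusion
  // URL.hostname is lower-cased and excludes port and userinfo, so an exact
  // match cannot be fooled by prefixes, suffixes or letter case.
  return GITHUB_HOSTS.has(target.hostname) || target.hostname === api.hostname;
}

// Build request headers; Authorization is set only for an allowed host.
function buildHeaders(fileUrl, token, apiUrl) {
  const headers = {};
  if (token && mayAttachToken(fileUrl, apiUrl)) headers.Authorization = `token ${token}`;
  return headers;
}

// Sample inputs: the first is the URL from the issue's log, the rest are constructed.
const SAMPLES = [
  'https://raw.githubusercontent.com/owner/my-repo/release/client/package.json',
  'https://raw.githubusercontent.com.evil.example/owner/my-repo/package.json',
  'https://raw.githubusercontent.com@evil.example/package.json',
  'http://raw.githubusercontent.com/owner/my-repo/release/client/package.json',
  'client/package.json',
];
for (const u of SAMPLES) console.log(mayAttachToken(u) ? 'token   ' : 'no token', u);
```

An HTTP client that follows redirects needs the same check applied to each hop, otherwise the header can still reach a host outside the allowlist.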