Currently we're using v1, and there have been some important changes since then.
In particular, the latest version, v2.14.6, contains an important security patch:
> The CodeQL CLI no longer supports the `SEMMLE_JAVA_ARGS` environment variable. All previous versions of the CodeQL CLI perform command substitution on the `SEMMLE_JAVA_ARGS` value (for example, replacing `'$(echo foo)'` with `'foo'`) when starting a new Java virtual machine, which, depending on the execution environment, may have security implications. Users are advised to check their environments for possible `SEMMLE_JAVA_ARGS` misuse.
See the [codeql-cli-binaries release notes](https://github.com/github/codeql-cli-binaries/releases/tag/v2.14.4) for full details.
* actions/artifact preparation for download-artifact v4
* Test matrix strategy
* Fix needs dependency
* Improve list artifact test
* Fix typo
* Fix variables
* Cleanup download-all interfaces
* Fix tsc error
* Simplify to just name instead of artifactName
* Simplify to id instead of ArtifactId
* PR cleanup
💡 See https://github.com/actions/toolkit/pull/1064 for a better diff!
https://github.com/actions/toolkit contains a variety of packages used for building actions. https://github.com/actions/http-client is one such package, but lives outside of the toolkit. Moving it inside of the toolkit will improve discoverability and reduce the number of repos we have to keep track of for maintenance tasks (such as github/c2c-actions-service#2937).
I checked with @bryanmacfarlane on the historical decision here. Apparently it was just inertia from before we released the toolkit as multiple packages.
The benefits here are:
- Have one fewer repo to keep track of
- Signal that this is an HTTP client meant for building actions, not for general use.
## Notes
- `@actions/http-client` will continue to be released as its own package.
- Bumping the package version to **2.0.0**. Since we're compiling in strict mode now, there are some breaking changes to the exported types. This is an improvement because the null-unsafe version of`http-client` is currently breaking the safety of null-safe consumers.
- I'm not updating the other packages to use the new version in this PR. I plan to do that in a follow-up. We'll hold off on publishing `http-client` v2 to NPM until that's done just in case other changes shake out of it.
Seems that folk are having issues with uploading 0-byte files from
Windows agents. This effectively removes the support for Windows for
uploading from named files that, due to `isFIFO` returning `false` on
Windows for named pipes created using MSYS2's `mkfifo` command, resorted
to checking if the file size is 0 - a common trait of named pipes.
See https://github.com/actions/upload-artifact/issues/281
Salman Muin Kayser Chishti
Daniel Kennedy
Bassem Dghaidi
Ryan Ghadimi
Josh Gross
Brian DeHamer
Thomas Boop
eggyhead
Konrad Pabjan
Rob Herley
Patrick Ellis
Tatyana Kostromskaya
Tatyana Kostromskaya
Vallie Joseph
Ferenc Hammerl
Sampark Sharma
Ferenc Hammerl
Brian Cristante
Zoran Regvart