Serve sensitive runtime token from an HTTP service instead of injecti…

…ng into environment variables

README.md

@@ -1,11 +1,11 @@
-## google/wireit@setup-github-actions-caching/v1
+## google/wireit@setup-github-actions-caching/v2
 
 This branch contains a GitHub action that users can use to automatically enable
 Wireit's GitHub Actions caching mode and expose the required environment
 variables.
 
 ```yaml
-- uses: google/wireit@setup-github-actions-caching/v1
+- uses: google/wireit@setup-github-actions-caching/v2
 ```
 
 See [google/wireit](https://github.com/google/wireit#github-actions-caching) for

action.yml

@@ -1,6 +1,6 @@
 name: 'wireit-setup-github-actions-caching'
 author: 'Google LLC'
-description: "Enables Wireit's GitHub Actions caching mode and exposes required environment variables"
+description: 'Enables Wireit's GitHub Actions caching mode and exposes required environment variables'
 runs:
   using: 'node20'
-  main: 'index.js'
+  main: 'main.js'

custodian.js

@@ -0,0 +1,66 @@
+/**
+ * @license
+ * Copyright 2024 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { writeFileSync } from "node:fs";
+import http from "node:http";
+import packageJson from "./package.json" with { type: "json" };
+
+const response = JSON.stringify({
+  version: packageJson.version,
+  caching: {
+    // These environment variables are automatically provided to invoked
+    // workflows like this one, but not to regular "run" steps, so we need to
+    // serve them for subsequent Wireit processes.
+    github: {
+      // URL for the GitHub Actions cache service.
+      ACTIONS_CACHE_URL: process.env.ACTIONS_CACHE_URL,
+      // A secret token for authenticating to the GitHub Actions cache service.
+      ACTIONS_RUNTIME_TOKEN: process.env.ACTIONS_RUNTIME_TOKEN,
+    },
+  },
+});
+
+const server = http.createServer((_, res) => {
+  res.writeHead(200, { "Content-Type": "application/json" });
+  res.end(response);
+});
+
+function randIntInclusive(min, max) {
+  return Math.floor(Math.random() * (max - min + 1) + min);
+}
+
+let port;
+const MAX_TRIES = 4;
+for (let i = 0; port === undefined && i < MAX_TRIES; i++) {
+  await new Promise((resolve) => {
+    const candidate = randIntInclusive(49152, 65535);
+    console.log(`[custodian] Trying port ${candidate}`);
+    server.once("error", resolve);
+    server.listen(candidate, () => {
+      port = candidate;
+      resolve();
+    });
+  });
+}
+
+if (port) {
+  console.log(`[custodian] Listening on port ${port}`);
+  // Writing to this file sets environment variables for all subsequent steps in
+  // the user's workflow. Reference:
+  // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable
+  writeFileSync(
+    process.env.GITHUB_ENV,
+    `
+WIREIT_CACHE=github
+WIREIT_CACHE_GITHUB_CUSTODIAN_PORT=${port}
+`
+  );
+  process.send(0);
+} else {
+  console.error("[custodian] Could not find a free port");
+  process.send(1, () => process.exit(1));
+}
+

main.js

@@ -0,0 +1,19 @@
+/**
+ * @license
+ * Copyright 2024 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { fork } from "node:child_process";
+import { join } from "node:path";
+
+console.log("[main] Launching background custodian service");
+const server = fork(join(import.meta.dirname, "custodian.js"), {
+  detached: true,
+  stdio: "inherit",
+});
+
+server.on("message", (status) => {
+  console.log("[main] Received status from custodian service", status);
+  process.exit(status);
+});

package.json

@@ -1,4 +1,5 @@
 {
+  "version": "2.0.0",
   "private": true,
   "type": "module"
 }