# yaml-language-server: $schema=https://json.schemastore.org/github-action.json # permissions: # - (none required) # Setup action, no repository writes --- name: Node Setup description: 'Sets up Node.js environment with version detection and package manager configuration.' author: 'Ismo Vuorinen' branding: icon: server color: green inputs: default-version: description: 'Default Node.js version to use if no configuration file is found.' required: false default: '22' package-manager: description: 'Node.js package manager to use (npm, yarn, pnpm, bun, auto)' required: false default: 'auto' registry-url: description: 'Custom NPM registry URL' required: false default: 'https://registry.npmjs.org' token: description: 'Auth token for private registry' required: false node-mirror: description: 'Custom Node.js binary mirror' required: false force-version: description: 'Force specific Node.js version regardless of config files' required: false outputs: node-version: description: 'Installed Node.js version' value: ${{ steps.setup.outputs.node-version }} package-manager: description: 'Selected package manager' value: ${{ steps.package-manager-resolution.outputs.final-package-manager }} node-path: description: 'Path to Node.js installation' value: ${{ steps.final-outputs.outputs.node-path }} runs: using: composite steps: - name: Validate Inputs id: validate shell: bash env: DEFAULT_VERSION: ${{ inputs.default-version }} FORCE_VERSION: ${{ inputs.force-version }} PACKAGE_MANAGER: ${{ inputs.package-manager }} REGISTRY_URL: ${{ inputs.registry-url }} NODE_MIRROR: ${{ inputs.node-mirror }} AUTH_TOKEN: ${{ inputs.token }} run: | set -euo pipefail # Validate default-version format if [[ -n "$DEFAULT_VERSION" ]]; then if ! [[ "$DEFAULT_VERSION" =~ ^[0-9]+(\.[0-9]+(\.[0-9]+)?)?$ ]]; then echo "::error::Invalid default-version format: '$DEFAULT_VERSION'. Expected format: X or X.Y or X.Y.Z (e.g., 22, 20.9, 18.17.1)" exit 1 fi # Check for reasonable version range (prevent malicious inputs) major_version=$(echo "$DEFAULT_VERSION" | cut -d'.' -f1) if [ "$major_version" -lt 14 ] || [ "$major_version" -gt 30 ]; then echo "::error::Invalid default-version: '$DEFAULT_VERSION'. Node.js major version should be between 14 and 30" exit 1 fi fi # Validate force-version format if provided if [[ -n "$FORCE_VERSION" ]]; then if ! [[ "$FORCE_VERSION" =~ ^[0-9]+(\.[0-9]+(\.[0-9]+)?)?$ ]]; then echo "::error::Invalid force-version format: '$FORCE_VERSION'. Expected format: X or X.Y or X.Y.Z (e.g., 22, 20.9, 18.17.1)" exit 1 fi # Check for reasonable version range major_version=$(echo "$FORCE_VERSION" | cut -d'.' -f1) if [ "$major_version" -lt 14 ] || [ "$major_version" -gt 30 ]; then echo "::error::Invalid force-version: '$FORCE_VERSION'. Node.js major version should be between 14 and 30" exit 1 fi fi # Validate package-manager case "$PACKAGE_MANAGER" in "npm"|"yarn"|"pnpm"|"bun"|"auto") # Valid package managers ;; *) echo "::error::Invalid package-manager: '$PACKAGE_MANAGER'. Must be one of: npm, yarn, pnpm, bun, auto" exit 1 ;; esac # Validate registry-url format (basic URL validation) if [[ "$REGISTRY_URL" != "https://"* ]] && [[ "$REGISTRY_URL" != "http://"* ]]; then echo "::error::Invalid registry-url: '$REGISTRY_URL'. Must be a valid HTTP/HTTPS URL" exit 1 fi # Validate node-mirror format if provided if [[ -n "$NODE_MIRROR" ]]; then if [[ "$NODE_MIRROR" != "https://"* ]] && [[ "$NODE_MIRROR" != "http://"* ]]; then echo "::error::Invalid node-mirror: '$NODE_MIRROR'. Must be a valid HTTP/HTTPS URL" exit 1 fi fi # Validate auth token format if provided (basic check for NPM tokens) if [[ -n "$AUTH_TOKEN" ]]; then if [[ "$AUTH_TOKEN" == *";"* ]] || [[ "$AUTH_TOKEN" == *"&&"* ]] || [[ "$AUTH_TOKEN" == *"|"* ]]; then echo "::error::Invalid token format: command injection patterns not allowed" exit 1 fi fi echo "Input validation completed successfully" - name: Checkout Repository uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta with: token: ${{ inputs.token || github.token }} - name: Parse Node.js Version id: version uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42 with: language: 'node' tool-versions-key: 'nodejs' dockerfile-image: 'node' version-file: '.nvmrc' validation-regex: '^[0-9]+(\.[0-9]+)*$' default-version: ${{ inputs.force-version != '' && inputs.force-version || inputs.default-version }} - name: Resolve Package Manager id: package-manager-resolution shell: bash env: INPUT_PM: ${{ inputs.package-manager }} DETECTED_PM: ${{ steps.version.outputs.package-manager }} run: | set -euo pipefail input_pm="$INPUT_PM" detected_pm="$DETECTED_PM" final_pm="" if [ "$input_pm" = "auto" ]; then if [ -n "$detected_pm" ]; then final_pm="$detected_pm" echo "Auto-detected package manager: $final_pm" else final_pm="npm" echo "No package manager detected, using default: $final_pm" fi else final_pm="$input_pm" echo "Using specified package manager: $final_pm" fi echo "final-package-manager=$final_pm" >> $GITHUB_OUTPUT echo "Final package manager: $final_pm" - name: Setup Node.js id: setup uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: ${{ steps.version.outputs.detected-version }} registry-url: ${{ inputs.registry-url }} - name: Enable Corepack id: corepack shell: bash run: | set -euo pipefail echo "Enabling Corepack for package manager management..." corepack enable echo "✅ Corepack enabled successfully" - name: Set Auth Token if: inputs.token != '' shell: bash env: TOKEN: ${{ inputs.token }} run: | # Sanitize token by removing newlines to prevent env var injection sanitized_token="$(echo "$TOKEN" | tr -d '\n\r')" printf 'NODE_AUTH_TOKEN=%s\n' "$sanitized_token" >> "$GITHUB_ENV" - name: Setup Package Manager shell: bash env: PACKAGE_MANAGER: ${{ steps.package-manager-resolution.outputs.final-package-manager }} run: | set -euo pipefail package_manager="$PACKAGE_MANAGER" echo "Setting up package manager: $package_manager" case "$package_manager" in "pnpm") echo "Installing PNPM via Corepack..." corepack prepare pnpm@latest --activate echo "✅ PNPM installed successfully" ;; "yarn") echo "Installing Yarn via Corepack..." corepack prepare yarn@stable --activate echo "✅ Yarn installed successfully" ;; "bun") # Bun installation handled by separate step below echo "Bun will be installed via official setup-bun action" ;; "npm") echo "Using built-in NPM" ;; *) echo "::warning::Unknown package manager: $package_manager, using NPM" ;; esac - name: Setup Bun if: steps.package-manager-resolution.outputs.final-package-manager == 'bun' uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2 with: bun-version: latest - name: Set Final Outputs id: final-outputs shell: bash run: | echo "node-path=$(which node)" >> $GITHUB_OUTPUT