Some of the assets use tools sourced from the npm software registry. Previously, the version of the tools used was not controlled. This was problematic because:

- A different version of the tool may be used on the contributor's machine than on the CI runner, resulting in confusing failures.
- The project is immediately subject to disruption or breakage resulting from a release of the tool.

---

These tools were installed via either of the following methods:

`npx <pkg>`

This approach has the following behaviors of interest:

https://docs.npmjs.com/cli/v8/commands/npx#description

> If any requested packages are not present in the local project dependencies, then they are installed to a folder in the npm cache, which is added to the PATH environment variable in the executed process.

> Package names provided without a specifier will be matched with whatever version exists in the local project. Package names with a specifier will only be considered a match if they have the exact same name and version as the local dependency.

This means that the version used was:

1. Whatever happens to be present in the local cache
2. The latest available version if it is not already present

`npm install --global <pkg>`

The latest available version of the package is used.

---

The new approach is to specify the version of the tools via the standard npm metadata files (package.json + package-lock.json). This approach was chosen over the `npx <pkg>@<version>` alternative for the following reasons:

- Enables automated updates via Dependabot PRs
- Enables automated vulnerability alerts
- Separates dependency management from the asset contents (i.e., no need to mess with the taskfile or workflow on every update)
- Matches how we are already managing Python dependencies (pyproject.toml + poetry.lock)
arduino/setup-task
A GitHub Actions action that makes the Task task runner / build tool available to use in your workflow.
Inputs
version
The version of Task to install.
Can be an exact version (e.g., 3.4.2) or a version range (e.g., 3.x).
Default: 3.x
repo-token
(Optional) GitHub access token used for GitHub API requests. Heavy usage of the action can result in workflow run failures caused by rate limiting. GitHub provides a more generous allowance for authenticated API requests.
It is convenient to use ${{ secrets.GITHUB_TOKEN }}, the token GitHub provides automatically to every workflow run.
Usage
To get the action's default version of Task (3.x), add this step:
- name: Install Task
  uses: arduino/setup-task@v1
If you want to pin a major or minor version, use the .x wildcard:
- name: Install Task
  uses: arduino/setup-task@v1
  with:
    version: 2.x
To pin the exact version:
- name: Install Task
  uses: arduino/setup-task@v1
  with:
    version: 2.6.1
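The following workflow is an added example; it is not code from the arduino/setup-task README or from the project described in the pull request notes at the top of this page. It puts both practices on the page together: an exact `version` for Task with `repo-token` set, and the npm tooling installed at the versions recorded in package.json + package-lock.json with `npm ci`, rather than via `npx <pkg>` or `npm install --global <pkg>`. The workflow name, the trigger list, the job name, the use of `prettier` as the npm tool, and the existence of a package.json and package-lock.json that list that tool under devDependencies are all assumptions.

```yaml
# Added example, not from the arduino/setup-task README or the project in the
# pull request notes above. Assumed: the repository contains package.json and
# package-lock.json listing the tool (here prettier) under devDependencies.
name: Check

on: [push, pull_request]

permissions:
  # The only GitHub API access this job needs is the release lookup that
  # setup-task performs; read-only access is sufficient.
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Task
        # An exact version instead of 3.x, so a new Task release cannot
        # change this job's behavior. Note that @v1 is a Git tag and tags are
        # mutable; pinning the action to a full commit SHA is stricter.
        uses: arduino/setup-task@v1
        with:
          version: 3.4.2
          # Authenticated API requests get the higher rate limit.
          repo-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Install npm tooling at the versions recorded in package-lock.json
        # npm ci installs exactly what the lockfile records and fails if
        # package.json and package-lock.json disagree, instead of resolving
        # whatever is latest the way `npx <pkg>` or
        # `npm install --global <pkg>` would.
        run: npm ci

      - name: Run the tool
        # The tool is now a local project dependency, so npx matches the
        # locally installed version rather than fetching the latest release.
        run: npx prettier --check .
```

The two controls complement each other: `npm ci` pins the npm tooling to the lockfile, and the exact `version` input pins Task. With Dependabot watching package-lock.json, updates to the npm tooling arrive as reviewable pull requests instead of appearing silently on the next run.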
Security
If you think you found a vulnerability or other security-related bug in this project, please read our security policy and report the bug to our Security Team 🛡️ Thank you!
e-mail contact: security@arduino.cc