Skip to content

Verify downloaded archives #171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tcely wants to merge 48 commits into
base: main
Choose a base branch
from
Open

Verify downloaded archives #171

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
48 commits
Select commit Hold shift + click to select a range
254ee61
Remove bun.lock
tcely Mar 14, 2026
68f6c7a
Create filesystem-cache.ts
tcely Mar 14, 2026
a440ee1
Create response-storage.ts
tcely Mar 14, 2026
22419e8
Create url.ts
tcely Mar 14, 2026
084e26c
Update download-url.ts
tcely Mar 14, 2026
6af7174
Update download-url.spec.ts
tcely Mar 14, 2026
fc77a15
Create github-api.ts
tcely Mar 14, 2026
02836b5
Create github-asset.ts
tcely Mar 14, 2026
135f29c
Update utils.ts
tcely Mar 14, 2026
a073967
Create quick-checksum.ts
tcely Mar 14, 2026
afc25dd
Create signing-key.ts
tcely Mar 14, 2026
c25a3ba
Create manifest.ts
tcely Mar 14, 2026
44bbd27
Create verify.ts
tcely Mar 14, 2026
39c3384
Update action.ts
tcely Mar 14, 2026
cb80bdc
Update dependencies
tcely Mar 14, 2026
8c28d41
Adjust build script for openpgp
tcely Mar 14, 2026
12545bd
Update test.yml
tcely Mar 14, 2026
ed0aa9a
Patch node_modules
tcely Mar 14, 2026
5a08652
Add output: `bun-download-checksum`
tcely Mar 14, 2026
1b9e70c
Create atomic-write.ts
tcely Mar 14, 2026
9aded43
Tests for atomic-write.ts
tcely Mar 14, 2026
5c3a85c
Update bunfig.ts
tcely Mar 14, 2026
4dc8175
Update filesystem-cache.ts
tcely Mar 14, 2026
f507129
Tests for filesystem-cache.ts
tcely Mar 14, 2026
bc1dace
Create download-bun.ts
tcely Mar 14, 2026
9cbe777
Review and update the manifest verification
tcely Mar 14, 2026
ecb6dc0
Migrate functions
tcely Mar 14, 2026
00e5cc9
Save the cache state along with the binary
tcely Mar 14, 2026
0056e30
Update cache using ETag
tcely Mar 14, 2026
82fc4cb
Tests for response-storage.ts
tcely Mar 14, 2026
2be0e70
Create bundled.spec.ts
tcely Mar 14, 2026
7612c7b
Setup preload for bun test
tcely Mar 14, 2026
2094357
Remove a duplicate function
tcely Mar 14, 2026
fdada7b
Adjust scripts
tcely Mar 14, 2026
372f34d
Add the `redactUrlForLogs` function
tcely Mar 14, 2026
4f1ce51
Use `redactUrlForLogs`
tcely Mar 14, 2026
82d68e7
`isGitHub(url)` rejects invalid URLs
tcely Mar 14, 2026
a1d7c45
debug logging for signing key failures
tcely Mar 14, 2026
3b56265
Pass a derived error in `downloadLog`
tcely Mar 14, 2026
3cbcb5b
Try to revive legacy cached responses
tcely Mar 14, 2026
337ee85
Move StoredResponse interface before functions
tcely Mar 14, 2026
59f5637
escape ts error
tcely Mar 14, 2026
5b522d1
Create extract-bun.ts
tcely Mar 15, 2026
5018e2b
Migrate and improve `extractBun`
tcely Mar 15, 2026
86bb306
debugging tests
tcely Mar 15, 2026
4c26bf9
Update both lock files
tcely Mar 15, 2026
7d54eaf
bun run build
tcely Mar 15, 2026
bdae7ab
Update .github/workflows/test.yml
tcely Mar 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion .github/workflows/format.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,14 @@ jobs:
uses: ./

- name: 📦 Install Dependencies
run: bun install
run: |
mkdir -p dist
bun run bun_as:npm
bun run bun_as:npx
echo "$(realpath -e dist)" >> "${GITHUB_PATH}"
PATH="${PATH}:$(realpath -e dist)"
test -s bun.lock || bun run 'modules:lock'
bun install --frozen-lockfile

- name: 🧹 Format
run: |
Expand Down
49 changes: 43 additions & 6 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,14 @@ jobs:
no-cache: true

- name: Install dependencies
run: bun install
run: |
mkdir -p dist
bun run bun_as:npm
bun run bun_as:npx
echo "$(realpath -e dist)" >> "${GITHUB_PATH}"
PATH="${PATH}:$(realpath -e dist)"
test -s bun.lock || bun run 'modules:lock'
bun install --frozen-lockfile

- name: Run tests
run: bun test --coverage
Expand Down Expand Up @@ -225,14 +232,33 @@ jobs:
- windows-latest

steps:
- name: Normalize runner details
id: normalized
shell: bash
run: |
runner_arch="$(case '${{ runner.arch }}' in
(X64) printf x64 ;;
(ARM64) printf aarch64 ;;
(*) echo "Unsupported runner.arch: ${{ runner.arch }}" >&2; exit 1 ;;
esac)"
runner_os="$(case '${{ runner.os }}' in
(macOS) printf darwin ;;
(Linux) printf linux ;;
(Windows) printf windows ;;
(*) echo "Unsupported runner.os: ${{ runner.os }}" >&2; exit 1 ;;
esac)"
printf >> "${GITHUB_OUTPUT}" -- '%s=%s\n' \
runner_arch "${runner_arch}" \
runner_os "${runner_os}"

- name: 📥 Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: 🛠️ Setup Bun
uses: ./
id: setup_bun
with:
bun-download-url: "https://github.com/oven-sh/bun/releases/latest/download/bun-${{runner.os == 'macOS' && 'darwin' || runner.os}}-${{ runner.arch == 'X64' && 'x64' || 'aarch64' }}.zip"
bun-download-url: "https://github.com/oven-sh/bun/releases/latest/download/bun-${{ steps.normalized.outputs.runner_os }}-${{ steps.normalized.outputs.runner_arch }}.zip"

- name: ▶️ Run Bun
id: run_bun
Expand Down Expand Up @@ -261,24 +287,35 @@ jobs:
https://registry.npmjs.org
@types:https://registry.yarnpkg.com

- name: 🔎 Display registry configurations
run: cat -v bunfig.toml

- name: ▶️ Install from default registry
shell: bash
run: |
output=$(bun add is-odd --verbose --force 2>&1)
status=0
output=$(bun add is-odd --verbose --force 2>&1) || status=$?

if echo "$output" | grep -q "HTTP/1.1 GET https://registry.npmjs.org/is-odd"; then
if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.npmjs.org/is-odd"; then
echo "Successfully installed from default registry"
else
echo "${output}"
echo "Return code: ${status}"
echo "Failed to install from default registry"
Comment on lines +299 to 304
Copy link

@coderabbitai coderabbitai bot Mar 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Match on the registry URL, not Bun's exact verbose log prefix.

These assertions currently depend on Bun printing HTTP/1.1 and lowercase %2f. The invariant this workflow owns is the registry URL itself; coupling to the transport/log format will create noisy failures if Bun switches to HTTP/2 or changes its encoding style.

🔧 More robust assertion 
-          if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.npmjs.org/is-odd"; then
+          if [ 0 -eq "${status}" ] && grep -Fiq "https://registry.npmjs.org/is-odd" <<<"$output"; then
             echo "Successfully installed from default registry"
@@
-          if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.yarnpkg.com/@types%2fbun"; then
+          if [ 0 -eq "${status}" ] && grep -Fiq "https://registry.yarnpkg.com/@types%2fbun" <<<"$output"; then
             echo "Successfully installed from `@types` registry"

Also applies to: 314-319

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yml around lines 299 - 304, The workflow currently
greps for the transport-prefixed string "HTTP/1.1 GET
https://registry.npmjs.org/is-odd" making the assertion fragile; update the grep
to match the registry URL only and as a fixed string (e.g. use grep -F
<<<"$output" -q "https://registry.npmjs.org/is-odd") in the shell if block that
checks installation success, and make the identical change for the second
occurrence of the same assertion elsewhere in the file.

Copy link
Contributor Author

@tcely tcely Mar 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't actually seen this output yet.

However, it seems like removing GET is a mistake. Presumably, the URL may appear multiple times and we only want to check for a particular instance in the output.

Copy link

@coderabbitai coderabbitai bot Mar 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tcely, that's a fair correction. The real fragility is only the HTTP/1.1 prefix (which breaks if Bun's verbose output switches to HTTP/2), not the GET verb itself. Keeping GET is the right call since it anchors the match to the actual outgoing request line rather than any other mention of the URL (e.g. resolved/downloaded lines).

A minimal adjustment would be to drop only HTTP/1.1 while keeping GET:

-          if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.npmjs.org/is-odd"; then
+          if [ 0 -eq "${status}" ] && grep <<<"$output" -Fq "GET https://registry.npmjs.org/is-odd"; then
-          if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.yarnpkg.com/@types%2fbun"; then
+          if [ 0 -eq "${status}" ] && grep <<<"$output" -Fq "GET https://registry.yarnpkg.com/@types%2fbun"; then

The -F (fixed-string) flag is also worth keeping since the URL contains characters like / and % that have no special meaning to BRE/ERE but makes intent explicit. Since you mentioned you haven't seen the actual output yet, you may want to revisit this once you have a real run to inspect — if the format turns out to be stable, the current code is fine to leave as-is.

🧠 Learnings used 
Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: .github/workflows/test.yml:43-44
Timestamp: 2026-03-15T02:04:23.763Z
Learning: In GitHub Actions workflows under .github/workflows, ensure that dist/ is appended to PATH in the Install dependencies step (as in oven-sh/setup-bun PR `#171`). The dist/ directory provides fallback shims for node, npm, and npx so the workflow can run with only bun available, while real versions on the runner should take precedence. Do not prepend dist/ to PATH.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/github-asset.ts:115-128
Timestamp: 2026-03-08T21:18:39.908Z
Learning: In `src/github-asset.ts` of `oven-sh/setup-bun` (PR `#171`), the preferred approach to normalize tag handling in `parseAssetUrl` is `const parts = urlObj.pathname.slice(1).split("/").map(decodeURIComponent)` — this decodes all path segments uniformly. As a result, the existing `decodeURIComponent(parts[5])` on `name` must be removed (it would double-decode). In `fetchAssetMetadata`, `base.tag` should always be stored decoded (including `base.tag = release.tag_name` for latest releases) and encoded with `encodeURIComponent(base.tag)` only when constructing the API URL path.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:59-60
Timestamp: 2026-03-10T19:27:53.007Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), the raw (potentially credentialed) URL is intentionally returned in the `Output` struct (`cacheState.url = result.url`) so that downstream workflow steps consuming the `bun-download-url` output can use it. Credential stripping via `stripUrlCredentials` is only applied to `sUrl`, which is used exclusively for state persistence (the `.json` sidecar) and cache-key comparison. Do NOT flag the returned URL as a credential leak.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/verify.ts:107-117
Timestamp: 2026-03-06T02:54:34.457Z
Learning: In `src/verify.ts` of the `setup-bun` action, the `setOutput("bun-download-checksum", ...)` call inside the GitHub API digest check branch (before PGP manifest verification) is intentional. The author wants to publish the checksum as soon as the GitHub API digest matches the local hash, rather than waiting for the full PGP manifest verification to complete. Do not flag this as a premature output.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:116-121
Timestamp: 2026-03-07T22:33:16.093Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), the `if (!cacheHit) { downloadBun(...) }` branch is intentionally placed **outside** the `if (!revision)` block. This means the fast-path (existing binary + version match, no `.json` sidecar) leaves `cacheHit = false`, so `downloadBun` (and thus `verifyAsset`) still runs to produce a verified checksum before any caching. Setting `cacheHit = cacheState.cacheHit` (not unconditionally `true`) in the fast-path is correct and intentional — do not suggest changing it to `true`.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/github-asset.ts:119-127
Timestamp: 2026-03-06T00:03:37.714Z
Learning: In `oven-sh/setup-bun`, the `request` function in `src/utils.ts` already throws a descriptive error (including status code, status text, and response body) for any non-OK HTTP response before returning. Callers of `request` never need to add their own `!response.ok` guard — suggesting one is redundant.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/download-bun.ts:29-33
Timestamp: 2026-03-08T21:54:43.567Z
Learning: In `src/download-bun.ts` of `oven-sh/setup-bun` (PR `#171`), `downloadBun(url, bunPath, token?)` intentionally returns `Promise<{ binPath: string; checksum: string; url: string }>`. The returned `url` may differ from the input because the URL can be normalized during the download process, and `binPath` may differ from the input `bunPath` because the final binary path is resolved during extraction. Do NOT flag this return contract as redundant or suggest narrowing it to only `{ revision, checksum }`.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/verify.ts:124-141
Timestamp: 2026-03-06T03:02:02.768Z
Learning: In src/verify.ts of the setup-bun repo, all Bun release archives follow the naming convention `bun-<platform>.zip` — they always start with `bun-` and end with `.zip`. Use `lastSegment.startsWith("bun-") && lastSegment.endsWith(".zip")` to validate asset URLs before deriving the manifest URL via path-replacement fallback.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/manifest.ts:61-75
Timestamp: 2026-03-08T21:58:44.853Z
Learning: In `src/manifest.ts` of `oven-sh/setup-bun` (PR `#171`), the `verification.signatures.find(...)` pattern is intentional: a bad (unverified) signature from a trusted key is treated as a hard release-process error, not a fallback scenario. Do NOT suggest iterating over multiple candidate signatures to find a valid one — the single-match approach is by design.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: package.json:21-24
Timestamp: 2026-03-13T23:38:01.902Z
Learning: In `package.json` of `oven-sh/setup-bun` (PR `#171`), all externally-invoked tool commands in scripts (e.g., `patch-package`, `prettier`, `esbuild`) must be prefixed with `npx -- ` (e.g., `"npx -- patch-package"`). This is because Bun intercepts bare `npx` calls and rewrites them to `bun x --` during testing. Always use `npx -- <tool>` for consistency and correctness in this project.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:71-78
Timestamp: 2026-03-14T10:48:53.035Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), when reconciling the `bunx` symlink, caught errors must be narrowed from `unknown` with `instanceof Error` before accessing `.code` (e.g., `if (!(error instanceof Error) || (error as NodeJS.ErrnoException).code !== "ENOENT") throw error`). Use `lstatSync` to check existence and type before touching the path; only call `unlinkSync` (never `rmSync` with `force: true`) and only when `lstatSync` confirms the entry is a symbolic link (`stat.isSymbolicLink()`). Non-symlink entries must not be removed. Create the symlink with `symlinkSync(exe("bun"), bunxPath)` (relative target).

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:71-78
Timestamp: 2026-03-14T10:33:33.207Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), the `bunx` symlink target must be the relative name `exe("bun")` (i.e., `"bun"` on Linux/macOS, `"bun.exe"` on Windows), not the absolute path. The destination (where `bunx` is placed) may be an absolute path. Use `symlinkSync(exe("bun"), bunxPath)` and check staleness with `readlinkSync(bunxPath) !== exe("bun")`. The symlink should be deferred until after `downloadBun` resolves the final binary path (`cacheState.bunPath`).

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:123-125
Timestamp: 2026-03-06T11:58:22.397Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), the correct way to persist the verified download checksum between the main action run and the post-run step is via `saveState`, by adding a `checksum?: string` field to `CacheState` and saving it with `JSON.stringify(cacheState)`. Do not use the filesystem cache (`src/filesystem-cache.ts`) for this purpose.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/action.ts:101-125
Timestamp: 2026-03-08T01:27:05.925Z
Learning: In `src/action.ts` of `oven-sh/setup-bun` (PR `#171`), the fast-path binary trust mechanism uses a `binaryFingerprint` field in `CacheState` (persisted to the `.json` sidecar). The fingerprint is computed by `computeBinaryFingerprint(filePath)`: reads first and last 256 KiB (BINARY_PARTIAL_SIZE = 256 * 1024), individually sha512-hashes each partial, then combines stat metadata (size, mtimeMs, ino) and both partial hashes into an ordered string `size:${size}|mtimeMs:${mtimeMs}|ino:${ino}|head:${headHash}|tail:${tailHash}` and returns `"sha512:" + sha512(combined)`. This fingerprint is stored as `binaryFingerprint?: string` in `CacheState` and compared on the fast path before trusting the existing binary.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/manifest.ts:22-46
Timestamp: 2026-03-07T09:52:23.520Z
Learning: In `src/manifest.ts` of `oven-sh/setup-bun` (PR `#171`), fix `getSignatureDate` to await `VerificationResult.signature` (which is a `Promise<Signature>`) and read the creation time from the resolved `SignaturePacket`, e.g. `sigObj.packets[0]?.created`. Update the function to accept a `VerificationResult` and return the timestamp after awaiting `.signature`. Remove any unnecessary subpacket traversal and ensure the result is a `Date`. Alternatively, the creation time can be emitted inline after `await sigResult.verified` resolves, eliminating the need for a separate helper entirely.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/manifest.ts:22-46
Timestamp: 2026-03-07T09:25:44.242Z
Learning: In `src/manifest.ts` of `oven-sh/setup-bun` (PR `#171`), the `getSignatureDate` helper never successfully returns a timestamp because `VerificationResult.signature` in openpgp.js v6 is a `Promise<Signature>` that must be awaited first. After awaiting, the creation time is available directly as `sigObj.packets[0]?.created` (a plain `Date`) on the resolved `SignaturePacket` — no subpacket traversal is needed. The function should be updated to accept a `VerificationResult` and await its `.signature` property.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/response-storage.ts:81-89
Timestamp: 2026-03-13T23:37:34.531Z
Learning: In `src/response-storage.ts` of `oven-sh/setup-bun` (PR `#171`), the synthetic backdated `Last-Modified` header in the legacy/raw cache handler (`new Date(Date.now() - CACHE_TTL).toUTCString()`) is intentional. It anchors OpenPGP signature verification (via `getValidatedLastModified` → `openpgp.verify({ date })`) in the recent past so that signatures which appear expired relative to `now` still pass. The accepted trade-off is a temporary failure window of up to `CACHE_TTL` (12 hours) for freshly published manifests. Do NOT suggest removing this header.

Learnt from: tcely
Repo: oven-sh/setup-bun PR: 171
File: src/filesystem-cache.ts:98-109
Timestamp: 2026-03-07T09:24:30.540Z
Learning: In `src/filesystem-cache.ts` of `oven-sh/setup-bun` (PR `#171`), the filesystem cache uses zero-padded 3-digit month subdirectories (001–012) under `$RUNNER_TEMP/setup-bun/`. Cache reads check the current AND previous month directories (sliding window). `cleanupFutureCache()` removes only the next-month directory on each `setCache` call to bound growth. A 12-hour mtime check is also applied within `getCache` as an additional TTL. Atomic writes use `randomBytes`-based temp extensions plus `renameSync`.

exit 1
fi

- name: ▶️ Install from @types registry
shell: bash
run: |
output=$(bun add @types/bun --verbose --force 2>&1)
status=0
output=$(bun add @types/bun --verbose --force 2>&1) || status=$?

if echo "$output" | grep -q "HTTP/1.1 GET https://registry.yarnpkg.com/@types%2fbun"; then
if [ 0 -eq "${status}" ] && grep <<<"$output" -q "HTTP/1.1 GET https://registry.yarnpkg.com/@types%2fbun"; then
echo "Successfully installed from @types registry"
else
echo "${output}"
echo "Return code: ${status}"
echo "Failed to install from @types registry"
exit 1
fi
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
.DS_Store
node_modules/
tests/build/

15 changes: 8 additions & 7 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,10 +90,11 @@ If you need to override the download URL, you can use the `bun-download-url` inp

## Outputs

| Name | Description | Example |
| ------------------ | ------------------------------------------ | ------------------------------------------------------------------ |
| `bun-version` | The output from `bun --version`. | `1.0.0` |
| `bun-revision` | The output from `bun --revision`. | `1.0.0+822a00c4` |
| `bun-path` | The path to the Bun executable. | `/path/to/bun` |
| `bun-download-url` | The URL from which Bun was downloaded. | `https://bun.sh/download/latest/linux/x64?avx2=true&profile=false` |
| `cache-hit` | If the Bun executable was read from cache. | `true` |
| Name | Description | Example |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
| `bun-version` | The output from `bun --version`. | `1.0.0` |
| `bun-revision` | The output from `bun --revision`. | `1.0.0+822a00c4` |
| `bun-path` | The path to the Bun executable. | `/path/to/bun` |
| `bun-download-checksum` | The verified checksum of the archive from which Bun was extracted. May be empty on cache hits from previous action versions. | `sha256:a7bc4cdea1ef255a83adbf39c7aafcd30e09f2b8f74deec4b10ee318bc024d1f` |
| `bun-download-url` | The URL from which Bun was downloaded. | `https://github.com/oven-sh/bun/releases/latest/download/bun-linux-x64-musl-baseline.zip` |
| `cache-hit` | If the Bun executable was read from cache. | `true` |
2 changes: 2 additions & 0 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ outputs:
description: The revision of Bun that was installed.
bun-path:
description: The path to the Bun executable.
bun-download-checksum:
description: The verified checksum of the archive from which Bun was extracted. May be empty on cache hits from previous action versions.
bun-download-url:
description: The URL from which Bun was downloaded.
cache-hit:
Expand Down
Loading