

3 Commits

Author SHA1 Message Date
Zsolt Dollenstein 81e0b4e357 docs: clarify threat model authority boundary 2026-06-19 17:53:50 +01:00
Zsolt Dollenstein c2f220d627 simplify 2026-06-17 15:03:39 +01:00
Zsolt Dollenstein 38ae580275 docs: add repository threat model 2026-06-17 11:53:07 +01:00
12 changed files with 109 additions and 376 deletions
+3 -3
@@ -47,7 +47,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
with:
languages: ${{ matrix.language }}
source-root: src
@@ -59,7 +59,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
# ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+1 -1
@@ -27,7 +27,7 @@ jobs:
- name: Actionlint
uses: eifinger/actionlint-action@7802e0cc3ab3f81cbffb36fb0bf1a3621d994b89 # v1.10.1
- name: Run zizmor
uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .nvmrc
+1 -23
@@ -223,7 +223,7 @@ describe("download-version", () => {
);
});
it("does not send the token to non-GitHub URLs from the default manifest", async () => {
it("does not rewrite non-GitHub URLs", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
@@ -241,30 +241,8 @@ describe("download-version", () => {
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://example.com/uv.tar.gz",
undefined,
undefined,
);
});
it("does not send the token to GitHub lookalike hosts", async () => {
mockGetArtifact.mockResolvedValue({
archiveFormat: "tar.gz",
checksum: "abc123",
downloadUrl: "https://github.com.evil.test/uv.tar.gz",
});
await downloadVersion(
"unknown-linux-gnu",
"x86_64",
"0.9.26",
undefined,
"token",
);
expect(mockDownloadTool).toHaveBeenCalledWith(
"https://github.com.evil.test/uv.tar.gz",
undefined,
undefined,
);
});
it("falls back to GitHub Releases when the mirror fails", async () => {
Generated Vendored
+1 -1
@@ -63220,7 +63220,7 @@ async function run() {
} else {
info("save-cache is false. Skipping save cache step.");
}
await new Promise((resolve2) => setTimeout(resolve2, 100));
await new Promise((resolve2) => setTimeout(resolve2, 50));
process.exit(0);
}
} catch (error2) {
Generated Vendored
+8 -92
@@ -90977,78 +90977,6 @@ var fs10 = __toESM(require("node:fs"), 1);
// src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.17": "2a162f6b90ff3691a2f9cae1622e066a3ce592e110f66670cdcc841324b28226",
"aarch64-pc-windows-msvc-0.11.17": "f4463aa9671c6d153d32f2a9b272389675a711a9bca806c4ab4a3c7559b045c2",
"aarch64-unknown-linux-gnu-0.11.17": "de008880a903ac2c5654647dc19a75c0d6652313c977a2bc5ce05e1e3a93429e",
"aarch64-unknown-linux-musl-0.11.17": "9e5eaf16ffad968fc689f18c2733ace914ed417d4e5572e92d807fd51a90228c",
"arm-unknown-linux-musleabihf-0.11.17": "201c7d727423095aa4ba39cc79b16cac2465720d4348270a3977824009526179",
"armv7-unknown-linux-gnueabihf-0.11.17": "c941377b20fdd4b101376a9c8ce37c209d36655697815a32658a7cbcb3212409",
"armv7-unknown-linux-musleabihf-0.11.17": "12606cc40d15c5ab5fd06e434c8ee1b0ef7e3ca3cd4d5b2b135a16dd1a45fed2",
"i686-pc-windows-msvc-0.11.17": "be48cd9aa35c8615eff3dba6a24e214edf00885150eacde032a258399131c59d",
"i686-unknown-linux-gnu-0.11.17": "89f859f3bfaf3a74733aef671e6a4ade36173623d4539d3559e11caa2c722718",
"i686-unknown-linux-musl-0.11.17": "8d2ecb44951b80861570f4a7f732c9f16f3b342450eeb0bd2eef876b10395400",
"powerpc64le-unknown-linux-gnu-0.11.17": "714c7b292c805231edbfc77ca14b29e6e469342236ef1cfb58fe7d6f8fed48a4",
"riscv64gc-unknown-linux-gnu-0.11.17": "f8bece740520b35f69c82653da77912b38a29a5634a6e0ce7d83122a485c6a6f",
"riscv64gc-unknown-linux-musl-0.11.17": "ae07b4e9c2bea3dcba2e3267e9e4229e45de63c15e74eee7fac7ccf9df6e04cd",
"s390x-unknown-linux-gnu-0.11.17": "10ec2070644dda19ab9c8dcc3d6f3bbf4b09ad6665b8a8be067d7fdb5a58b56c",
"x86_64-apple-darwin-0.11.17": "6c66e41eaf4d15abeda58d3f268161b6e3f742d98390341b174a7cfc1b48841d",
"x86_64-pc-windows-msvc-0.11.17": "35fc29e03e62f3cda769bc12773f3cb70ce305d0d36c0d8bd0c117dd0b3fcd14",
"x86_64-unknown-linux-gnu-0.11.17": "0017ccecaeb4d431d7f93b583ebff0c5c38e00eb734fcf13d05f72ca419125fe",
"x86_64-unknown-linux-musl-0.11.17": "4231a429d4e0f7c1937d8916658c08a7706cd7872afebeb87203a18c2e0dc28e",
"aarch64-apple-darwin-0.11.16": "2b25be1af546be330b340b0a76b99f989daa6d92678fdffb87438e661e9d88fb",
"aarch64-pc-windows-msvc-0.11.16": "e4f8e70eb21f0f4efd2eeb159ab289f9a16057d59881a4475758be4ce39bc8c5",
"aarch64-unknown-linux-gnu-0.11.16": "8c9d0f0ee98166ae6ab198747519ba6f25db29d185bd2ae5960ecebc91a5c22a",
"aarch64-unknown-linux-musl-0.11.16": "ac022d96411143b9a2dd75ea711fa8dd4cd14538bf248f2e5df3c10a80f7f6a4",
"arm-unknown-linux-musleabihf-0.11.16": "cdd60c84597690139e3696461d1278bf4dcd598cd44e3896a98aa75aa59965bf",
"armv7-unknown-linux-gnueabihf-0.11.16": "71cf33cb511c9fe28ae261c0b4789e1fd9bb84d1bc68828db647b77305a15185",
"armv7-unknown-linux-musleabihf-0.11.16": "f24fca34326c5b8f7ddc0001a40e5454bc8091ca67f9ce931ffdaef4ea4815e8",
"i686-pc-windows-msvc-0.11.16": "7417090298bf202395b9b3d6eefb9230332d8d6c94a5616e531148a0b041c8e2",
"i686-unknown-linux-gnu-0.11.16": "0d1e427cd3fcc042e85dfc75f6d95e076dff9b930241686969d6706afda21375",
"i686-unknown-linux-musl-0.11.16": "d5e611deffd3f5fd637b2dc89dbe252342ce4a38c8970e63add8029afe2b5629",
"powerpc64le-unknown-linux-gnu-0.11.16": "8a3b09ce14d14a75dbbf051cdb78a314fb579e78fb3a02e1ee833c4cb5f6e81e",
"riscv64gc-unknown-linux-gnu-0.11.16": "0314895f159ce97bcedac00a4b97fa7e53c16fee911a6a2d9f0b69ee6461b7d5",
"riscv64gc-unknown-linux-musl-0.11.16": "8a1aef4261011143f56c964eeaed5e06fa0cb95ff3005386381c610c91784feb",
"s390x-unknown-linux-gnu-0.11.16": "d161e914ad552aed83478fe9766061844297dadfa77a43e56285a147bde0021e",
"x86_64-apple-darwin-0.11.16": "6b91ae3de155f51bd1f5b74814821c79f016a176561f252cd9ddfb976939af2e",
"x86_64-pc-windows-msvc-0.11.16": "dd9d6d6554bfab265bfa98aa8e8a406c5c3a7b97582f93de1f4d48d9154a0395",
"x86_64-unknown-linux-gnu-0.11.16": "74947fe2c03315cf07e82ab3acc703eddef01aba4d5232a98e4c6825ec116131",
"x86_64-unknown-linux-musl-0.11.16": "1bc4be1be0a000f893b0d1db97906cf392b63fa22fda9a0ecf33d0d4bbb4bc9a",
"aarch64-apple-darwin-0.11.15": "7e5b336108f8576eda1939920ca0a805b4a9a3c3d3eb2f6140e38b7092fbe4f3",
"aarch64-pc-windows-msvc-0.11.15": "9eac2d68f3a66326c3e1fc97ef28bd54f1d13136ec092c2f0a8173ae12aaaf1e",
"aarch64-unknown-linux-gnu-0.11.15": "21a7dd1a03ea17ac0366887455dab15d215b31dba0870dcd65d3714e22f46c81",
"aarch64-unknown-linux-musl-0.11.15": "6505075cec3f551fad4fe9026922967ff9c895c9f513c97682b24e7a1c9becd3",
"arm-unknown-linux-musleabihf-0.11.15": "f9206848d617b7beec37c346624ad961d8d4110606990653ebbfc4c62b1f1741",
"armv7-unknown-linux-gnueabihf-0.11.15": "eb6a12e3e80e1474c1018edc9541bbe71cdf2248fa17b583dcbcc7bb391ad0c0",
"armv7-unknown-linux-musleabihf-0.11.15": "a40ee3c41443341846137afc5c7f29be766a9a677bd70c7ff91cbb4273e5383c",
"i686-pc-windows-msvc-0.11.15": "6a9431f0044a1ff59fd6920f6f982b691acf336b6e26ac8cd40a02b5ab839cd1",
"i686-unknown-linux-gnu-0.11.15": "557e329e76072b513e47bcd8b50ca4bad07ec87cb325cbfc05e6069847af06c4",
"i686-unknown-linux-musl-0.11.15": "69490ca5580958cdee3353b54357925913ec0540dc8e09819294b9e5b6d48556",
"powerpc64le-unknown-linux-gnu-0.11.15": "6be3637ef86cdee3f5fcfbc66681ecbf6d57c6a123398a1bdd09786d65a06016",
"riscv64gc-unknown-linux-gnu-0.11.15": "a43e22243e3f3b1fb136a0998b730367fe2589ea98ce6cd4f0d7d20b9f77fb5b",
"riscv64gc-unknown-linux-musl-0.11.15": "2256c9b625d67a55986adda62b09782b5547e28a79fba472e7e93ac3ec0af258",
"s390x-unknown-linux-gnu-0.11.15": "df2b69ed893ce00e242d8cfe5b9fdc7b7a42d578df487d09aa624563a9801578",
"x86_64-apple-darwin-0.11.15": "42bca7cc879d117ed7139a0e26de8cab0b6f033ad439a32144f324d1f8580d8c",
"x86_64-pc-windows-msvc-0.11.15": "04b98d414a9000e25e5e0e7c9f53749e66b790cdaffc582829e6f58c544ee11c",
"x86_64-unknown-linux-gnu-0.11.15": "b03e572f010bea94a4a52d42671ba72981e12894f71576181a1d26ff68546da7",
"x86_64-unknown-linux-musl-0.11.15": "200ccf2f351849c5d6698714e7e7eb9ead1e8c097dbdbb43730e1a4e059ceb87",
"aarch64-apple-darwin-0.11.14": "4333af5c0730d94323a7819bbdf87ce92dd07fc857d67fff0059e0fca31b5c02",
"aarch64-pc-windows-msvc-0.11.14": "d66c76ba912ba66fed011e0189dfbc4527dd9e620a2b5d5d5ecd2ad8936601b8",
"aarch64-unknown-linux-gnu-0.11.14": "c4958f729e216f1610632574ed927b8cf0af1bd02cb88cb30d948571727aee43",
"aarch64-unknown-linux-musl-0.11.14": "d7d3966e46915c5f6932692aaf152a2473eecb1d2517ca4f8e88a07484b380b6",
"arm-unknown-linux-musleabihf-0.11.14": "31b07fa8bc5bbc8f22064fc1d4238b53c663bdb4812cbfead0b43719571aec03",
"armv7-unknown-linux-gnueabihf-0.11.14": "2aca3925d7ad91d2e02a0f9cf75974ebd077ec5cb939a5eb66aba096d5666819",
"armv7-unknown-linux-musleabihf-0.11.14": "988d79544bbf55ebeaf6521d3cbf46957bcfbab998d22092ea860580639e2f30",
"i686-pc-windows-msvc-0.11.14": "579408a1134ec3c45dd7b94187978b98b15df4e0c49ebf05c52565e3858d9f2a",
"i686-unknown-linux-gnu-0.11.14": "8c93880c54dc7a632f602b7627d4338d80011ecf32e340fd2f67129df5325dc7",
"i686-unknown-linux-musl-0.11.14": "c84acf1036767797a7be97a3315122b9565a78bf90b5733741b1abeefa58387f",
"powerpc64le-unknown-linux-gnu-0.11.14": "d2da5ba5911b86dfec96f0737b7d1053ed78c0c65e51585db03fb4969b2a3825",
"riscv64gc-unknown-linux-gnu-0.11.14": "55731359293842826cd82d5fbd826a6bce542c3fec458214604e308b352560ed",
"riscv64gc-unknown-linux-musl-0.11.14": "86b053903d29a2d04441e4cbd05a8f690b8ec56f8959d27f15df13efffb5879b",
"s390x-unknown-linux-gnu-0.11.14": "cc7b233541a76dd484516a39c06d9d14100d1048708483e6f49ee20b6cc5761b",
"x86_64-apple-darwin-0.11.14": "9836c1440b0bd6aa5f81793648a339bd01d593b7b8f575de3b855dae4ab64654",
"x86_64-pc-windows-msvc-0.11.14": "52ba5d19409aaa688a8a1a6ec8dfb6a4817230d20186e75f4006105c3e39a846",
"x86_64-unknown-linux-gnu-0.11.14": "f3b623eb0e6141a7053d571d59a0bdc341e0f238ea8f5f0b4815ddbec9a2a296",
"x86_64-unknown-linux-musl-0.11.14": "077d36f45a0cc6d440b653b2d5c53e7731121e99e54b0221267eec5d1cae76ce",
"aarch64-apple-darwin-0.11.13": "196a58aa24da89144187670df7c407358028984537fbc2f8f2d8f7a2604980df",
"aarch64-pc-windows-msvc-0.11.13": "07c3c997020430a9f287fc05ff4c63fd5744eec49df5392a34731ed1a0971f2e",
"aarch64-unknown-linux-gnu-0.11.13": "12366407dc1fdba5179b10bd69c11ebfc2eff25791366089c0b2f5701056efc5",
@@ -95790,16 +95718,10 @@ function getProxyAgent() {
}
return void 0;
}
var fetch = async (url2, opts) => {
const timeoutSignal = AbortSignal.timeout(3e4);
const existingSignal = opts.signal;
const mergedSignal = existingSignal ? AbortSignal.any([timeoutSignal, existingSignal]) : timeoutSignal;
return await (0, import_undici2.fetch)(url2, {
dispatcher: getProxyAgent(),
...opts,
signal: mergedSignal
});
};
var fetch = async (url2, opts) => await (0, import_undici2.fetch)(url2, {
dispatcher: getProxyAgent(),
...opts
});
// src/download/variant-selection.ts
function selectDefaultVariant(entries, duplicateEntryDescription) {
@@ -97067,6 +96989,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
const resolvedChecksum = manifestUrl === void 0 ? checksum : resolveChecksum(checksum, artifact.checksum);
const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
const downloadToken = mirrorUrl !== void 0 ? void 0 : githubToken;
try {
return await downloadArtifact(
downloadUrl,
@@ -97075,7 +96998,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
arch3,
version3,
resolvedChecksum,
githubTokenForUrl(downloadUrl, githubToken)
downloadToken
);
} catch (err) {
if (mirrorUrl === void 0) {
@@ -97091,7 +97014,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
arch3,
version3,
resolvedChecksum,
githubTokenForUrl(artifact.downloadUrl, githubToken)
githubToken
);
}
}
@@ -97101,13 +97024,6 @@ function rewriteToMirror(url2) {
}
return ASTRAL_MIRROR_PREFIX + url2.slice(GITHUB_RELEASES_PREFIX.length);
}
function githubTokenForUrl(downloadUrl, githubToken) {
try {
return new URL(downloadUrl).origin === "https://github.com" ? githubToken : void 0;
} catch {
return void 0;
}
}
async function downloadArtifact(downloadUrl, artifactName, platform2, arch3, version3, checksum, githubToken) {
info(`Downloading uv from "${downloadUrl}" ...`);
const downloadPath = await downloadTool(
@@ -97461,7 +97377,7 @@ async function run() {
if (inputs.enableCache) {
await restoreCache2(inputs, detectedPythonVersion);
}
await new Promise((resolve3) => setTimeout(resolve3, 100));
await new Promise((resolve3) => setTimeout(resolve3, 50));
process.exit(0);
} catch (err) {
setFailed(err.message);
+4 -82
@@ -44949,78 +44949,6 @@ var semver = __toESM(require_semver(), 1);
// src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.17": "2a162f6b90ff3691a2f9cae1622e066a3ce592e110f66670cdcc841324b28226",
"aarch64-pc-windows-msvc-0.11.17": "f4463aa9671c6d153d32f2a9b272389675a711a9bca806c4ab4a3c7559b045c2",
"aarch64-unknown-linux-gnu-0.11.17": "de008880a903ac2c5654647dc19a75c0d6652313c977a2bc5ce05e1e3a93429e",
"aarch64-unknown-linux-musl-0.11.17": "9e5eaf16ffad968fc689f18c2733ace914ed417d4e5572e92d807fd51a90228c",
"arm-unknown-linux-musleabihf-0.11.17": "201c7d727423095aa4ba39cc79b16cac2465720d4348270a3977824009526179",
"armv7-unknown-linux-gnueabihf-0.11.17": "c941377b20fdd4b101376a9c8ce37c209d36655697815a32658a7cbcb3212409",
"armv7-unknown-linux-musleabihf-0.11.17": "12606cc40d15c5ab5fd06e434c8ee1b0ef7e3ca3cd4d5b2b135a16dd1a45fed2",
"i686-pc-windows-msvc-0.11.17": "be48cd9aa35c8615eff3dba6a24e214edf00885150eacde032a258399131c59d",
"i686-unknown-linux-gnu-0.11.17": "89f859f3bfaf3a74733aef671e6a4ade36173623d4539d3559e11caa2c722718",
"i686-unknown-linux-musl-0.11.17": "8d2ecb44951b80861570f4a7f732c9f16f3b342450eeb0bd2eef876b10395400",
"powerpc64le-unknown-linux-gnu-0.11.17": "714c7b292c805231edbfc77ca14b29e6e469342236ef1cfb58fe7d6f8fed48a4",
"riscv64gc-unknown-linux-gnu-0.11.17": "f8bece740520b35f69c82653da77912b38a29a5634a6e0ce7d83122a485c6a6f",
"riscv64gc-unknown-linux-musl-0.11.17": "ae07b4e9c2bea3dcba2e3267e9e4229e45de63c15e74eee7fac7ccf9df6e04cd",
"s390x-unknown-linux-gnu-0.11.17": "10ec2070644dda19ab9c8dcc3d6f3bbf4b09ad6665b8a8be067d7fdb5a58b56c",
"x86_64-apple-darwin-0.11.17": "6c66e41eaf4d15abeda58d3f268161b6e3f742d98390341b174a7cfc1b48841d",
"x86_64-pc-windows-msvc-0.11.17": "35fc29e03e62f3cda769bc12773f3cb70ce305d0d36c0d8bd0c117dd0b3fcd14",
"x86_64-unknown-linux-gnu-0.11.17": "0017ccecaeb4d431d7f93b583ebff0c5c38e00eb734fcf13d05f72ca419125fe",
"x86_64-unknown-linux-musl-0.11.17": "4231a429d4e0f7c1937d8916658c08a7706cd7872afebeb87203a18c2e0dc28e",
"aarch64-apple-darwin-0.11.16": "2b25be1af546be330b340b0a76b99f989daa6d92678fdffb87438e661e9d88fb",
"aarch64-pc-windows-msvc-0.11.16": "e4f8e70eb21f0f4efd2eeb159ab289f9a16057d59881a4475758be4ce39bc8c5",
"aarch64-unknown-linux-gnu-0.11.16": "8c9d0f0ee98166ae6ab198747519ba6f25db29d185bd2ae5960ecebc91a5c22a",
"aarch64-unknown-linux-musl-0.11.16": "ac022d96411143b9a2dd75ea711fa8dd4cd14538bf248f2e5df3c10a80f7f6a4",
"arm-unknown-linux-musleabihf-0.11.16": "cdd60c84597690139e3696461d1278bf4dcd598cd44e3896a98aa75aa59965bf",
"armv7-unknown-linux-gnueabihf-0.11.16": "71cf33cb511c9fe28ae261c0b4789e1fd9bb84d1bc68828db647b77305a15185",
"armv7-unknown-linux-musleabihf-0.11.16": "f24fca34326c5b8f7ddc0001a40e5454bc8091ca67f9ce931ffdaef4ea4815e8",
"i686-pc-windows-msvc-0.11.16": "7417090298bf202395b9b3d6eefb9230332d8d6c94a5616e531148a0b041c8e2",
"i686-unknown-linux-gnu-0.11.16": "0d1e427cd3fcc042e85dfc75f6d95e076dff9b930241686969d6706afda21375",
"i686-unknown-linux-musl-0.11.16": "d5e611deffd3f5fd637b2dc89dbe252342ce4a38c8970e63add8029afe2b5629",
"powerpc64le-unknown-linux-gnu-0.11.16": "8a3b09ce14d14a75dbbf051cdb78a314fb579e78fb3a02e1ee833c4cb5f6e81e",
"riscv64gc-unknown-linux-gnu-0.11.16": "0314895f159ce97bcedac00a4b97fa7e53c16fee911a6a2d9f0b69ee6461b7d5",
"riscv64gc-unknown-linux-musl-0.11.16": "8a1aef4261011143f56c964eeaed5e06fa0cb95ff3005386381c610c91784feb",
"s390x-unknown-linux-gnu-0.11.16": "d161e914ad552aed83478fe9766061844297dadfa77a43e56285a147bde0021e",
"x86_64-apple-darwin-0.11.16": "6b91ae3de155f51bd1f5b74814821c79f016a176561f252cd9ddfb976939af2e",
"x86_64-pc-windows-msvc-0.11.16": "dd9d6d6554bfab265bfa98aa8e8a406c5c3a7b97582f93de1f4d48d9154a0395",
"x86_64-unknown-linux-gnu-0.11.16": "74947fe2c03315cf07e82ab3acc703eddef01aba4d5232a98e4c6825ec116131",
"x86_64-unknown-linux-musl-0.11.16": "1bc4be1be0a000f893b0d1db97906cf392b63fa22fda9a0ecf33d0d4bbb4bc9a",
"aarch64-apple-darwin-0.11.15": "7e5b336108f8576eda1939920ca0a805b4a9a3c3d3eb2f6140e38b7092fbe4f3",
"aarch64-pc-windows-msvc-0.11.15": "9eac2d68f3a66326c3e1fc97ef28bd54f1d13136ec092c2f0a8173ae12aaaf1e",
"aarch64-unknown-linux-gnu-0.11.15": "21a7dd1a03ea17ac0366887455dab15d215b31dba0870dcd65d3714e22f46c81",
"aarch64-unknown-linux-musl-0.11.15": "6505075cec3f551fad4fe9026922967ff9c895c9f513c97682b24e7a1c9becd3",
"arm-unknown-linux-musleabihf-0.11.15": "f9206848d617b7beec37c346624ad961d8d4110606990653ebbfc4c62b1f1741",
"armv7-unknown-linux-gnueabihf-0.11.15": "eb6a12e3e80e1474c1018edc9541bbe71cdf2248fa17b583dcbcc7bb391ad0c0",
"armv7-unknown-linux-musleabihf-0.11.15": "a40ee3c41443341846137afc5c7f29be766a9a677bd70c7ff91cbb4273e5383c",
"i686-pc-windows-msvc-0.11.15": "6a9431f0044a1ff59fd6920f6f982b691acf336b6e26ac8cd40a02b5ab839cd1",
"i686-unknown-linux-gnu-0.11.15": "557e329e76072b513e47bcd8b50ca4bad07ec87cb325cbfc05e6069847af06c4",
"i686-unknown-linux-musl-0.11.15": "69490ca5580958cdee3353b54357925913ec0540dc8e09819294b9e5b6d48556",
"powerpc64le-unknown-linux-gnu-0.11.15": "6be3637ef86cdee3f5fcfbc66681ecbf6d57c6a123398a1bdd09786d65a06016",
"riscv64gc-unknown-linux-gnu-0.11.15": "a43e22243e3f3b1fb136a0998b730367fe2589ea98ce6cd4f0d7d20b9f77fb5b",
"riscv64gc-unknown-linux-musl-0.11.15": "2256c9b625d67a55986adda62b09782b5547e28a79fba472e7e93ac3ec0af258",
"s390x-unknown-linux-gnu-0.11.15": "df2b69ed893ce00e242d8cfe5b9fdc7b7a42d578df487d09aa624563a9801578",
"x86_64-apple-darwin-0.11.15": "42bca7cc879d117ed7139a0e26de8cab0b6f033ad439a32144f324d1f8580d8c",
"x86_64-pc-windows-msvc-0.11.15": "04b98d414a9000e25e5e0e7c9f53749e66b790cdaffc582829e6f58c544ee11c",
"x86_64-unknown-linux-gnu-0.11.15": "b03e572f010bea94a4a52d42671ba72981e12894f71576181a1d26ff68546da7",
"x86_64-unknown-linux-musl-0.11.15": "200ccf2f351849c5d6698714e7e7eb9ead1e8c097dbdbb43730e1a4e059ceb87",
"aarch64-apple-darwin-0.11.14": "4333af5c0730d94323a7819bbdf87ce92dd07fc857d67fff0059e0fca31b5c02",
"aarch64-pc-windows-msvc-0.11.14": "d66c76ba912ba66fed011e0189dfbc4527dd9e620a2b5d5d5ecd2ad8936601b8",
"aarch64-unknown-linux-gnu-0.11.14": "c4958f729e216f1610632574ed927b8cf0af1bd02cb88cb30d948571727aee43",
"aarch64-unknown-linux-musl-0.11.14": "d7d3966e46915c5f6932692aaf152a2473eecb1d2517ca4f8e88a07484b380b6",
"arm-unknown-linux-musleabihf-0.11.14": "31b07fa8bc5bbc8f22064fc1d4238b53c663bdb4812cbfead0b43719571aec03",
"armv7-unknown-linux-gnueabihf-0.11.14": "2aca3925d7ad91d2e02a0f9cf75974ebd077ec5cb939a5eb66aba096d5666819",
"armv7-unknown-linux-musleabihf-0.11.14": "988d79544bbf55ebeaf6521d3cbf46957bcfbab998d22092ea860580639e2f30",
"i686-pc-windows-msvc-0.11.14": "579408a1134ec3c45dd7b94187978b98b15df4e0c49ebf05c52565e3858d9f2a",
"i686-unknown-linux-gnu-0.11.14": "8c93880c54dc7a632f602b7627d4338d80011ecf32e340fd2f67129df5325dc7",
"i686-unknown-linux-musl-0.11.14": "c84acf1036767797a7be97a3315122b9565a78bf90b5733741b1abeefa58387f",
"powerpc64le-unknown-linux-gnu-0.11.14": "d2da5ba5911b86dfec96f0737b7d1053ed78c0c65e51585db03fb4969b2a3825",
"riscv64gc-unknown-linux-gnu-0.11.14": "55731359293842826cd82d5fbd826a6bce542c3fec458214604e308b352560ed",
"riscv64gc-unknown-linux-musl-0.11.14": "86b053903d29a2d04441e4cbd05a8f690b8ec56f8959d27f15df13efffb5879b",
"s390x-unknown-linux-gnu-0.11.14": "cc7b233541a76dd484516a39c06d9d14100d1048708483e6f49ee20b6cc5761b",
"x86_64-apple-darwin-0.11.14": "9836c1440b0bd6aa5f81793648a339bd01d593b7b8f575de3b855dae4ab64654",
"x86_64-pc-windows-msvc-0.11.14": "52ba5d19409aaa688a8a1a6ec8dfb6a4817230d20186e75f4006105c3e39a846",
"x86_64-unknown-linux-gnu-0.11.14": "f3b623eb0e6141a7053d571d59a0bdc341e0f238ea8f5f0b4815ddbec9a2a296",
"x86_64-unknown-linux-musl-0.11.14": "077d36f45a0cc6d440b653b2d5c53e7731121e99e54b0221267eec5d1cae76ce",
"aarch64-apple-darwin-0.11.13": "196a58aa24da89144187670df7c407358028984537fbc2f8f2d8f7a2604980df",
"aarch64-pc-windows-msvc-0.11.13": "07c3c997020430a9f287fc05ff4c63fd5744eec49df5392a34731ed1a0971f2e",
"aarch64-unknown-linux-gnu-0.11.13": "12366407dc1fdba5179b10bd69c11ebfc2eff25791366089c0b2f5701056efc5",
@@ -49749,16 +49677,10 @@ function getProxyAgent() {
}
return void 0;
}
var fetch = async (url, opts) => {
const timeoutSignal = AbortSignal.timeout(3e4);
const existingSignal = opts.signal;
const mergedSignal = existingSignal ? AbortSignal.any([timeoutSignal, existingSignal]) : timeoutSignal;
return await (0, import_undici2.fetch)(url, {
dispatcher: getProxyAgent(),
...opts,
signal: mergedSignal
});
};
var fetch = async (url, opts) => await (0, import_undici2.fetch)(url, {
dispatcher: getProxyAgent(),
...opts
});
// src/download/manifest.ts
var cachedManifestData = /* @__PURE__ */ new Map();
+81
@@ -0,0 +1,81 @@
# setup-uv Repository Threat Model
## Overview
`setup-uv` is a GitHub Action that installs or reuses `uv`, changes later-step paths and environment, may discover and execute a Python interpreter, may create or clear a virtual environment, and may restore or save caches. It runs with the workflow job's filesystem, network, token, secrets, OIDC, artifact, and release authority.
The consumer runtime is the selected ref's committed action metadata, bundles, and runner-interpreted companion files; source alone is not evidence of shipped behavior. Privileged automation that generates, updates, or publishes those artifacts is also in scope.
The assets are job credentials; integrity of installed executables, interpreter, environment, checkout, runner, artifacts, and caches; isolation between jobs sharing caches or persistent runners; integrity of published action refs; and workflow compute/storage availability.
Material failures are unauthorized executable selection, credential disclosure, premature execution of lower-authority content, filesystem escape or destructive path use, cross-authority cache/runner persistence, and unauthorized publication.
## Threat Model, Trust Boundaries, and Assumptions
### Authority and trust boundaries
| Actor or input | Trust decision |
|---|---|
| Maintainers, repository/configuration administrators, and GitHub infrastructure | Trusted roots for source, bundles, workflows, refs, rulesets, environments, runner protocol, hosted isolation, and cache service. A lower-authority path into these roots is in scope; their compromise alone is not a repository bug. |
| Consumer workflow authors and runner operators | Control the action ref, trigger, runner, permissions, secrets, proxy, environment, inputs, paths, globs, and custom sources. These are trusted choices unless derived from lower-authority event data. Selecting a custom manifest delegates metadata and executable authority; selecting a path authorizes normal operations on it and intended referents. |
| Selected checkout, project authors, and pull-request contributors | The consumer delegates project/version files, interpreter discovery state, virtual environments, symlinks, cache inputs, and code execution within `setup-uv`'s process environment. Checkout-controlled behavior is trusted unless it overrides an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary. |
| Remote metadata and artifacts | Default official endpoints, TLS roots, and an operator proxy are trusted mutable authorities. A custom manifest authorizes its URLs and hashes; a hash supplied by that same authority detects corruption, not malice. |
| Cache and runner-state producers/consumers | Same-principal state is trusted by default. Integrity attacks require a lower-authority producer and higher-authority consumer. Confidentiality can flow the opposite way because lower-authority refs may read eligible higher-authority caches. Shared self-hosted state creates a boundary only when principals and authority differ. |
| GitHub-managed automation | Dependency, coding-agent, and review workflows may exist outside the committed tree. Treat them as external principals and obtain their effective trigger, actor, token, environment, ref, and write/secret authority from live evidence. |
### Assumptions
- Running the selected `uv` and checkout-selected Python interpreters is intended. Project execution is out of scope unless it bypasses an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary.
- Mutable official manifests, ranges, `latest`, and unprotected refs are not attacker control. A protected ref or independent checksum matters only if the selected bundle actually enforces it.
- Same-user changes to paths, environment, proxies, or tool/cache state are not separate attacks. Demonstrate a cross-principal or lower-to-higher boundary.
- Content merged through a trust path that can also merge executable code is not a lower-authority source; require a narrower writer or post-review mutation path.
- Running `setup-uv` on an untrusted checkout with higher authority is a consumer trust decision; checkout-selected code may inherit the action environment.
- Authorized paths include expected symlink/junction referents. Absolute paths and paths outside the workspace are supported; an escape requires independent control crossing an unauthorized boundary.
- Hosted runners are assumed ephemeral and isolated. Persistence or hostile co-tenancy on self-hosted runners must be demonstrated.
- Branch/tag rules, environments, token defaults, cache visibility, fork policy, dynamic workflows, and runner allocation are external state. Re-query required approvals/checks, bypass actors, tag movement, deployment reviewers/principals, release targets, and effective permissions for each attack path.
- Web-application classes such as sessions, CSRF, XSS, SQL injection, and tenant isolation are not applicable.
### Security invariants
1. **Published runtime:** review `action.yml`, committed `dist/*.cjs`, and runner-interpreted shipped files; source-only fixes do not protect consumers.
2. **Executable identity:** precedence is workflow version, version file, project configuration, then `latest`. Manifest authority, platform, variant, URL, checksum, mirror fallback, extraction, and cache placement must bind the intended artifact. A tool-cache hit bypasses download validation and depends on cache provenance.
3. **Credential recipients:** tokens and URL credentials may reach only workflow-authorized origins, redirects, paths, and logs. Metadata authority does not imply token-recipient authority.
4. **Executable boundaries:** checkout-selected interpreters are authorized by default. Explicit workflow selections must win, and independent cache, runner, or remote state must not substitute executables or gain additional authority.
5. **Paths and action channels:** path/environment changes, virtual-environment clearing, outputs, state, and problem matchers must affect only authorized targets and keep untrusted values as data.
6. **Cache boundaries:** keys, scope, restore paths, and executable content must prevent lower-to-higher poisoning; cache contents and post-action path re-resolution must prevent higher-to-lower disclosure, destructive pruning, or persistence.
7. **Workflow and release authority:** unreviewed code or mutable tooling must not acquire write, secret, OIDC, artifact, deployment, tag, or publication authority. Only the intended reviewed bundles and commit may be released.
8. **Availability:** independently controlled manifests, archives, globs, traversal, and caches must stay within the accepted one-job resource-failure model.
### Finding gate
Before reporting, identify the attacker and victim principals; exact controlled input; scanned action and checkout refs; runtime reachability in committed bundles; effective token, secrets/OIDC, environment gates, cache scope, and runner persistence; applicable defaults and opt-ins; validation performed or skipped; declared trust roots; baseline versus incremental capability; and concrete impact. Reproduce platform-specific behavior and distinguish the scanned ref from other versions.
Missing independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, or practical impact is `NOT_APPLICABLE`, `INTENDED_BEHAVIOR`, `CORRECTNESS`, `DEFENSE_IN_DEPTH`, or `NEEDS_EVIDENCE`, not a security severity.
## Attack Surface, Mitigations, and Attacker Stories
| Surface | Security-relevant behavior and controls | Reportable attacker story |
|---|---|---|
| Published action and build/release supply chain | Consumers execute committed bundles and embedded dependencies. Verify source/bundle alignment, lockfile integrity, dependency-install policy, reproducible/generated-diff checks, immutable action pins, branch enforcement, and publication target checks. | A lower-authority contributor or dependency changes shipped code, or release automation publishes a different commit, by bypassing an effective review, branch, or release control. |
| Version, manifest, proxy, and network selection | Project files may select an official version by documented precedence. Custom manifests may select URLs, hashes, variants, and platforms and may reach arbitrary network locations. Parsing should reject malformed, ambiguous, unsupported, or incorrectly typed records; verify HTTPS, time/size bounds, proxy behavior, and selected-ref defaults. | Lower-authority event/project data violates a promised fixed version, escapes the selected manifest, probes runner-only services, causes material resource use, selects attacker bytes, or redirects later credentials. Operator selection of a custom authority is not itself a finding. |
| Artifact URL, token, checksum, extraction, and tool cache | Mirror fallback must preserve identity and checksum policy. Origin gating should restrict tokens; redirect handling should strip authorization across unauthorized hosts and reject downgrade. Verify checksum precedence and reject missing/empty hashes when policy requires validation. Independent hashes must precede extraction. Native helpers come from `PATH`; tool-cache hits skip network/hash validation. | An attacker receives a usable token outside delegated authority, bypasses an independent pin, exploits archive/link traversal, substitutes the cached executable, or poisons shared tool state later executed with higher authority. Same-authority manifest hashes and same-user cache changes do not establish the boundary. |
| Interpreter, PATH, virtual environment, and action channels | Checkout-selected interpreters, virtual environments, paths, symlinks, and helpers are delegated project authority. Explicit workflow choices must bind; the action also changes later-step paths/environment, emits state/outputs, invokes native helpers, and consumes cache/runner state. | Independent cache, runner, or remote content substitutes an executable; an explicit workflow choice is bypassed; or action channels cross an authority boundary. Same-checkout interpreter, path, and helper effects are not findings. |
| GitHub uv/Python caches and post action | Cache keys should partition platform, interpreter, dependency, and policy state and restore without unsafe fallback. Determine cache defaults, visibility, and the exact hit/miss path from the selected ref and GitHub policy; an exact hit may suppress post save/prune. Post processing re-reads inputs/config/environment and may save re-resolved uv or Python paths. | A lower producer supplies executable content to a higher consumer; a higher producer exposes private data to a lower cache reader; or a later successful step retargets a cache miss toward sensitive files, destructive pruning, or cross-job persistence. Existing equal-authority code with the same secrets often gains no new confidentiality. |
| CI, updater, dynamic automation, and release workflows | PR workflows intentionally execute contributor code. Verify effective permissions, fork behavior, credential persistence, mutable tooling, security-upload authority, and whether checks are required. Updaters convert remote data into source under write authority. Distinguish ruleset-required deployment from human review present only in a workflow DAG. | Unreviewed code gains write/secret/OIDC/artifact authority; remote metadata becomes executable generated source; a dynamic workflow has unexpected authority; or an actor satisfies a deployment/tag rule without the intended review and publishes a malicious ref. |
| Availability and logging | Manifests, version enumeration, archives, globs, hashing, caches, and remote strings can consume resources or influence logs. Verify size/count/expansion bounds, timeouts, retries, top-level error handling, and that parsing never executes data. | Independently controlled input causes reliable material workflow cost, disk/memory exhaustion, or meaningful log/output manipulation. A bounded one-job failure or operator-selected broad input is usually Low or correctness. |
| Lower-priority classes | Shell injection is constrained where child execution uses argv, but workflow shell blocks still require quoting review. Prototype pollution requires a dangerous merge/sink. Secret-shaped strings require proof of a genuine usable secret. Documentation drift, range surprises, malformed trusted config, and test-only code normally lack a security boundary. | Report only when a concrete lower-authority value reaches an execution, credential, persistent-state, publication, or material-availability sink. |
## Severity Calibration (Critical, High, Medium, Low)
Severity follows the complete attack graph and incremental capability, not the presence of words such as token, checksum, cache, manifest, archive, Python, PATH, release, or OIDC.
| Severity | Threshold | Representative examples |
|---|---|---|
| **Critical** | A low-prerequisite remote/lower-authority attacker compromises default distribution or installation across many consumers, publishes trusted malicious action artifacts, or gains broad credentials/runner control under safe defaults without first compromising a declared trust root. | Bypass an effective hash/origin control to distribute an automatically executed malicious binary at scale; reach publication authority to ship malicious bundles or move trusted refs without required approval; exploit default-accepted archive content for host overwrite or cross-job execution across hosted runners. |
| **High** | A demonstrated lower-authority input crosses an execution, confidentiality, integrity, or persistence boundary in a privileged job and gains substantial capability. | Independent shared-state interpreter substitution in a write/OIDC release job; shared cache poisoning later executed with secrets; high-value cache disclosure to an untrusted ref; usable write-token disclosure; independent-pin bypass; archive/cache escape into sensitive state. |
| **Medium** | A real but constrained crossing causes limited credential/filesystem impact, reliable remote denial of service, scoped persistence, or premature execution in a realistic uncommon configuration. | Limited executable substitution from independent cache/runner state in a read-only job; same-repository cache confusion or disclosure; reliable hosted-runner exhaustion; disclosure of a usable read-only private token; output manipulation without publication or high-value credentials. |
| **Low** | A genuine weak boundary causes narrow disclosure, log/annotation spoofing, defense-in-depth weakness, exotic cache aliasing without a privileged consumer, or limited waste. | Confusing logs with no execution effect; bounded job failure; limited overwrite of nonexecuted cache data; disclosure of a path/URL without private data or follow-on capability. |
Trust-root compromise may have Critical impact but is not a repository Critical without a lower-authority path into that root or an independent control that should have survived. High requires exact trigger, refs, effective authority, sink, and committed runtime; it cannot rely only on a trusted operator choosing malicious inputs, same-user state changes, or code already intentionally executed with equal authority. A separate privileged consumer, broad secret, persistent trusted state, publication path, or cross-repository boundary can raise Medium to High.
Normally non-reportable without additional evidence: expected mutability of ranges, `latest`, official/custom sources, or unprotected refs; documented project version selection; checkout-selected interpreters, paths, virtual environments, symlinks, and helpers; deliberate operator selection of manifests, proxies, checksums, or paths; same-principal cache/path changes; requested `uv` or dependency execution; trusted-runner `PATH` lookup; test/developer-only code without a shipped or privileged-workflow path; behavior fixed in the scanned ref; and correctness/compatibility/documentation issues without incremental confidentiality, integrity, persistence, or availability impact.
-144
@@ -1,149 +1,5 @@
// AUTOGENERATED_DO_NOT_EDIT
export const KNOWN_CHECKSUMS: { [key: string]: string } = {
"aarch64-apple-darwin-0.11.17":
"2a162f6b90ff3691a2f9cae1622e066a3ce592e110f66670cdcc841324b28226",
"aarch64-pc-windows-msvc-0.11.17":
"f4463aa9671c6d153d32f2a9b272389675a711a9bca806c4ab4a3c7559b045c2",
"aarch64-unknown-linux-gnu-0.11.17":
"de008880a903ac2c5654647dc19a75c0d6652313c977a2bc5ce05e1e3a93429e",
"aarch64-unknown-linux-musl-0.11.17":
"9e5eaf16ffad968fc689f18c2733ace914ed417d4e5572e92d807fd51a90228c",
"arm-unknown-linux-musleabihf-0.11.17":
"201c7d727423095aa4ba39cc79b16cac2465720d4348270a3977824009526179",
"armv7-unknown-linux-gnueabihf-0.11.17":
"c941377b20fdd4b101376a9c8ce37c209d36655697815a32658a7cbcb3212409",
"armv7-unknown-linux-musleabihf-0.11.17":
"12606cc40d15c5ab5fd06e434c8ee1b0ef7e3ca3cd4d5b2b135a16dd1a45fed2",
"i686-pc-windows-msvc-0.11.17":
"be48cd9aa35c8615eff3dba6a24e214edf00885150eacde032a258399131c59d",
"i686-unknown-linux-gnu-0.11.17":
"89f859f3bfaf3a74733aef671e6a4ade36173623d4539d3559e11caa2c722718",
"i686-unknown-linux-musl-0.11.17":
"8d2ecb44951b80861570f4a7f732c9f16f3b342450eeb0bd2eef876b10395400",
"powerpc64le-unknown-linux-gnu-0.11.17":
"714c7b292c805231edbfc77ca14b29e6e469342236ef1cfb58fe7d6f8fed48a4",
"riscv64gc-unknown-linux-gnu-0.11.17":
"f8bece740520b35f69c82653da77912b38a29a5634a6e0ce7d83122a485c6a6f",
"riscv64gc-unknown-linux-musl-0.11.17":
"ae07b4e9c2bea3dcba2e3267e9e4229e45de63c15e74eee7fac7ccf9df6e04cd",
"s390x-unknown-linux-gnu-0.11.17":
"10ec2070644dda19ab9c8dcc3d6f3bbf4b09ad6665b8a8be067d7fdb5a58b56c",
"x86_64-apple-darwin-0.11.17":
"6c66e41eaf4d15abeda58d3f268161b6e3f742d98390341b174a7cfc1b48841d",
"x86_64-pc-windows-msvc-0.11.17":
"35fc29e03e62f3cda769bc12773f3cb70ce305d0d36c0d8bd0c117dd0b3fcd14",
"x86_64-unknown-linux-gnu-0.11.17":
"0017ccecaeb4d431d7f93b583ebff0c5c38e00eb734fcf13d05f72ca419125fe",
"x86_64-unknown-linux-musl-0.11.17":
"4231a429d4e0f7c1937d8916658c08a7706cd7872afebeb87203a18c2e0dc28e",
"aarch64-apple-darwin-0.11.16":
"2b25be1af546be330b340b0a76b99f989daa6d92678fdffb87438e661e9d88fb",
"aarch64-pc-windows-msvc-0.11.16":
"e4f8e70eb21f0f4efd2eeb159ab289f9a16057d59881a4475758be4ce39bc8c5",
"aarch64-unknown-linux-gnu-0.11.16":
"8c9d0f0ee98166ae6ab198747519ba6f25db29d185bd2ae5960ecebc91a5c22a",
"aarch64-unknown-linux-musl-0.11.16":
"ac022d96411143b9a2dd75ea711fa8dd4cd14538bf248f2e5df3c10a80f7f6a4",
"arm-unknown-linux-musleabihf-0.11.16":
"cdd60c84597690139e3696461d1278bf4dcd598cd44e3896a98aa75aa59965bf",
"armv7-unknown-linux-gnueabihf-0.11.16":
"71cf33cb511c9fe28ae261c0b4789e1fd9bb84d1bc68828db647b77305a15185",
"armv7-unknown-linux-musleabihf-0.11.16":
"f24fca34326c5b8f7ddc0001a40e5454bc8091ca67f9ce931ffdaef4ea4815e8",
"i686-pc-windows-msvc-0.11.16":
"7417090298bf202395b9b3d6eefb9230332d8d6c94a5616e531148a0b041c8e2",
"i686-unknown-linux-gnu-0.11.16":
"0d1e427cd3fcc042e85dfc75f6d95e076dff9b930241686969d6706afda21375",
"i686-unknown-linux-musl-0.11.16":
"d5e611deffd3f5fd637b2dc89dbe252342ce4a38c8970e63add8029afe2b5629",
"powerpc64le-unknown-linux-gnu-0.11.16":
"8a3b09ce14d14a75dbbf051cdb78a314fb579e78fb3a02e1ee833c4cb5f6e81e",
"riscv64gc-unknown-linux-gnu-0.11.16":
"0314895f159ce97bcedac00a4b97fa7e53c16fee911a6a2d9f0b69ee6461b7d5",
"riscv64gc-unknown-linux-musl-0.11.16":
"8a1aef4261011143f56c964eeaed5e06fa0cb95ff3005386381c610c91784feb",
"s390x-unknown-linux-gnu-0.11.16":
"d161e914ad552aed83478fe9766061844297dadfa77a43e56285a147bde0021e",
"x86_64-apple-darwin-0.11.16":
"6b91ae3de155f51bd1f5b74814821c79f016a176561f252cd9ddfb976939af2e",
"x86_64-pc-windows-msvc-0.11.16":
"dd9d6d6554bfab265bfa98aa8e8a406c5c3a7b97582f93de1f4d48d9154a0395",
"x86_64-unknown-linux-gnu-0.11.16":
"74947fe2c03315cf07e82ab3acc703eddef01aba4d5232a98e4c6825ec116131",
"x86_64-unknown-linux-musl-0.11.16":
"1bc4be1be0a000f893b0d1db97906cf392b63fa22fda9a0ecf33d0d4bbb4bc9a",
"aarch64-apple-darwin-0.11.15":
"7e5b336108f8576eda1939920ca0a805b4a9a3c3d3eb2f6140e38b7092fbe4f3",
"aarch64-pc-windows-msvc-0.11.15":
"9eac2d68f3a66326c3e1fc97ef28bd54f1d13136ec092c2f0a8173ae12aaaf1e",
"aarch64-unknown-linux-gnu-0.11.15":
"21a7dd1a03ea17ac0366887455dab15d215b31dba0870dcd65d3714e22f46c81",
"aarch64-unknown-linux-musl-0.11.15":
"6505075cec3f551fad4fe9026922967ff9c895c9f513c97682b24e7a1c9becd3",
"arm-unknown-linux-musleabihf-0.11.15":
"f9206848d617b7beec37c346624ad961d8d4110606990653ebbfc4c62b1f1741",
"armv7-unknown-linux-gnueabihf-0.11.15":
"eb6a12e3e80e1474c1018edc9541bbe71cdf2248fa17b583dcbcc7bb391ad0c0",
"armv7-unknown-linux-musleabihf-0.11.15":
"a40ee3c41443341846137afc5c7f29be766a9a677bd70c7ff91cbb4273e5383c",
"i686-pc-windows-msvc-0.11.15":
"6a9431f0044a1ff59fd6920f6f982b691acf336b6e26ac8cd40a02b5ab839cd1",
"i686-unknown-linux-gnu-0.11.15":
"557e329e76072b513e47bcd8b50ca4bad07ec87cb325cbfc05e6069847af06c4",
"i686-unknown-linux-musl-0.11.15":
"69490ca5580958cdee3353b54357925913ec0540dc8e09819294b9e5b6d48556",
"powerpc64le-unknown-linux-gnu-0.11.15":
"6be3637ef86cdee3f5fcfbc66681ecbf6d57c6a123398a1bdd09786d65a06016",
"riscv64gc-unknown-linux-gnu-0.11.15":
"a43e22243e3f3b1fb136a0998b730367fe2589ea98ce6cd4f0d7d20b9f77fb5b",
"riscv64gc-unknown-linux-musl-0.11.15":
"2256c9b625d67a55986adda62b09782b5547e28a79fba472e7e93ac3ec0af258",
"s390x-unknown-linux-gnu-0.11.15":
"df2b69ed893ce00e242d8cfe5b9fdc7b7a42d578df487d09aa624563a9801578",
"x86_64-apple-darwin-0.11.15":
"42bca7cc879d117ed7139a0e26de8cab0b6f033ad439a32144f324d1f8580d8c",
"x86_64-pc-windows-msvc-0.11.15":
"04b98d414a9000e25e5e0e7c9f53749e66b790cdaffc582829e6f58c544ee11c",
"x86_64-unknown-linux-gnu-0.11.15":
"b03e572f010bea94a4a52d42671ba72981e12894f71576181a1d26ff68546da7",
"x86_64-unknown-linux-musl-0.11.15":
"200ccf2f351849c5d6698714e7e7eb9ead1e8c097dbdbb43730e1a4e059ceb87",
"aarch64-apple-darwin-0.11.14":
"4333af5c0730d94323a7819bbdf87ce92dd07fc857d67fff0059e0fca31b5c02",
"aarch64-pc-windows-msvc-0.11.14":
"d66c76ba912ba66fed011e0189dfbc4527dd9e620a2b5d5d5ecd2ad8936601b8",
"aarch64-unknown-linux-gnu-0.11.14":
"c4958f729e216f1610632574ed927b8cf0af1bd02cb88cb30d948571727aee43",
"aarch64-unknown-linux-musl-0.11.14":
"d7d3966e46915c5f6932692aaf152a2473eecb1d2517ca4f8e88a07484b380b6",
"arm-unknown-linux-musleabihf-0.11.14":
"31b07fa8bc5bbc8f22064fc1d4238b53c663bdb4812cbfead0b43719571aec03",
"armv7-unknown-linux-gnueabihf-0.11.14":
"2aca3925d7ad91d2e02a0f9cf75974ebd077ec5cb939a5eb66aba096d5666819",
"armv7-unknown-linux-musleabihf-0.11.14":
"988d79544bbf55ebeaf6521d3cbf46957bcfbab998d22092ea860580639e2f30",
"i686-pc-windows-msvc-0.11.14":
"579408a1134ec3c45dd7b94187978b98b15df4e0c49ebf05c52565e3858d9f2a",
"i686-unknown-linux-gnu-0.11.14":
"8c93880c54dc7a632f602b7627d4338d80011ecf32e340fd2f67129df5325dc7",
"i686-unknown-linux-musl-0.11.14":
"c84acf1036767797a7be97a3315122b9565a78bf90b5733741b1abeefa58387f",
"powerpc64le-unknown-linux-gnu-0.11.14":
"d2da5ba5911b86dfec96f0737b7d1053ed78c0c65e51585db03fb4969b2a3825",
"riscv64gc-unknown-linux-gnu-0.11.14":
"55731359293842826cd82d5fbd826a6bce542c3fec458214604e308b352560ed",
"riscv64gc-unknown-linux-musl-0.11.14":
"86b053903d29a2d04441e4cbd05a8f690b8ec56f8959d27f15df13efffb5879b",
"s390x-unknown-linux-gnu-0.11.14":
"cc7b233541a76dd484516a39c06d9d14100d1048708483e6f49ee20b6cc5761b",
"x86_64-apple-darwin-0.11.14":
"9836c1440b0bd6aa5f81793648a339bd01d593b7b8f575de3b855dae4ab64654",
"x86_64-pc-windows-msvc-0.11.14":
"52ba5d19409aaa688a8a1a6ec8dfb6a4817230d20186e75f4006105c3e39a846",
"x86_64-unknown-linux-gnu-0.11.14":
"f3b623eb0e6141a7053d571d59a0bdc341e0f238ea8f5f0b4815ddbec9a2a296",
"x86_64-unknown-linux-musl-0.11.14":
"077d36f45a0cc6d440b653b2d5c53e7731121e99e54b0221267eec5d1cae76ce",
"aarch64-apple-darwin-0.11.13":
"196a58aa24da89144187670df7c407358028984537fbc2f8f2d8f7a2604980df",
"aarch64-pc-windows-msvc-0.11.13":
+4 -15
@@ -54,6 +54,8 @@ export async function downloadVersion(
const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
// Don't send the GitHub token to the Astral mirror.
const downloadToken = mirrorUrl !== undefined ? undefined : githubToken;
try {
return await downloadArtifact(
@@ -63,7 +65,7 @@ export async function downloadVersion(
arch,
version,
resolvedChecksum,
githubTokenForUrl(downloadUrl, githubToken),
downloadToken,
);
} catch (err) {
if (mirrorUrl === undefined) {
@@ -81,7 +83,7 @@ export async function downloadVersion(
arch,
version,
resolvedChecksum,
githubTokenForUrl(artifact.downloadUrl, githubToken),
githubToken,
);
}
}
@@ -98,19 +100,6 @@ export function rewriteToMirror(url: string): string | undefined {
return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length);
}
function githubTokenForUrl(
downloadUrl: string,
githubToken: string,
): string | undefined {
try {
return new URL(downloadUrl).origin === "https://github.com"
? githubToken
: undefined;
} catch {
return undefined;
}
}
async function downloadArtifact(
downloadUrl: string,
artifactName: string,
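Review bot: On the new side, L565 hands `githubToken` to every download URL that `rewriteToMirror` did not rewrite, and `rewriteToMirror` (L587) only rewrites GitHub release URLs, so a download URL taken from a custom manifest or any other non-github.com origin now receives the token; the deleted `githubTokenForUrl` was the only origin check visible in this file. This compare looks like it runs from a newer base to an older branch, so if the branch is what gets merged the gate should be carried over: `const downloadToken = mirrorUrl === undefined && isGitHubOrigin(downloadUrl) ? githubToken : undefined;`, where `isGitHubOrigin` parses with `new URL` inside a try/catch, returns `false` on a parse failure, and compares `.origin` to `"https://github.com"`. The fallback at L582 appears safe as written because it is only reached after a mirror rewrite existed, which implies `artifact.downloadUrl` was a GitHub release URL, but that inference depends on the `if (mirrorUrl === undefined)` branch at L576 whose body is cut off. Whether redirects inside `downloadArtifact` strip the token when they leave github.com cannot be seen from this hunk. `downloadVersion` starts and `downloadArtifact` continues outside the hunk.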
+2 -2
@@ -20,8 +20,8 @@ export async function run(): Promise<void> {
} else {
core.info("save-cache is false. Skipping save cache step.");
}
// https://github.com/nodejs/node/issues/56645#issuecomment-3924958861
await new Promise((resolve) => setTimeout(resolve, 100));
// https://github.com/nodejs/node/issues/56645#issuecomment-3077594952
await new Promise((resolve) => setTimeout(resolve, 50));
// node will stay alive if any promises are not resolved,
// which is a possibility if HTTP requests are dangling
+2 -2
@@ -84,8 +84,8 @@ async function run(): Promise<void> {
if (inputs.enableCache) {
await restoreCache(inputs, detectedPythonVersion);
}
// https://github.com/nodejs/node/issues/56645#issuecomment-3924958861
await new Promise((resolve) => setTimeout(resolve, 100));
// https://github.com/nodejs/node/issues/56645#issuecomment-3077594952
await new Promise((resolve) => setTimeout(resolve, 50));
process.exit(0);
} catch (err) {
core.setFailed((err as Error).message);
+2 -11
@@ -14,17 +14,8 @@ export function getProxyAgent() {
return undefined;
}
export const fetch = async (url: string, opts: RequestInit) => {
// Merge timeout signal with any existing signal from opts
const timeoutSignal = AbortSignal.timeout(30_000);
const existingSignal = opts.signal;
const mergedSignal = existingSignal
? AbortSignal.any([timeoutSignal, existingSignal])
: timeoutSignal;
return await undiciFetch(url, {
export const fetch = async (url: string, opts: RequestInit) =>
await undiciFetch(url, {
dispatcher: getProxyAgent(),
...opts,
signal: mergedSignal,
});
};
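Review bot: The new side of `fetch` (L642–L647) forwards the caller's options to `undiciFetch` with no timeout, so a request to a stalled or slow-dripping host can keep the job alive until the runner's own limit ends it; the removed lines were the only bound visible here. If this compare is meant to carry the branch forward rather than roll the timeout back, keep a bounded signal, e.g. `const timeout = AbortSignal.timeout(30_000);` before the call and `signal: opts.signal ? AbortSignal.any([timeout, opts.signal]) : timeout,` placed after `...opts`, so a caller-supplied signal still cancels but cannot lift the bound. The removed code already used `AbortSignal.any`, so the runtime presumably supports it. `getProxyAgent` starts outside the hunk.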