feat: Add mirror and mirror-token inputs for custom Python distribution sources #1302

Open
luhenry wants to merge 1 commit into actions:main from riseproject-dev:main

@luhenry luhenry commented Apr 6, 2026

Description:

Users who need custom CPython builds (internal mirrors, GHES-hosted forks, special build configurations, compliance builds, air-gapped runners) could not previously point setup-python at anything other than actions/python-versions.

Adds two new inputs:

If mirror is a https://raw.githubusercontent.com/{owner}/{repo}/{branch} URL, the manifest is fetched via the GitHub REST API (authenticated rate limit applies); otherwise the action falls back to a direct GET of {mirror}/versions-manifest.json.

This approach is largely inspired by how it's done in actions/setup-node.

Token interaction

token is never forwarded to arbitrary hosts. Auth resolution is per-URL:

  1. if mirror-token is set, use mirror-token
  2. else if token is set AND the target host is github.com, *.github.com, or *.githubusercontent.com, use token
  3. else send no auth

Cases:

Default (no inputs set)
  mirror = default raw.githubusercontent.com URL, mirror-token empty,
  token = github.token.
  → manifest API call and tarball downloads use `token`.
  Identical to prior behavior.

Custom raw.githubusercontent.com mirror (e.g. personal fork)
  mirror-token empty, token = github.token.
  → manifest API call and tarball downloads use `token`
    (target hosts are GitHub-owned).

Custom non-GitHub mirror, no mirror-token
  mirror-token empty, token = github.token.
  → manifest fetched via direct URL (no auth attached),
    tarball downloads use no auth.
  `token` is NOT forwarded to the custom host — this is the
  leak-prevention case.

Custom non-GitHub mirror with mirror-token
  mirror-token set, token may be set.
  → manifest fetch and tarball downloads use `mirror-token`.

Custom GitHub mirror with both tokens set
  mirror-token wins. Used for both the manifest API call and
  tarball downloads.

Related issue:

Fixes #1288

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

…bution sources

Users who need custom CPython builds (internal mirrors, GHES-hosted forks,
special build configurations, compliance builds, air-gapped runners) could not
previously point setup-python at anything other than actions/python-versions.

Adds two new inputs:
- `mirror`: base URL hosting versions-manifest.json and the Python
  distributions it references. Defaults to the existing
  https://raw.githubusercontent.com/actions/python-versions/main.
- `mirror-token`: optional token used to authenticate requests to the mirror.

If `mirror` is a raw.githubusercontent.com/{owner}/{repo}/{branch} URL, the
manifest is fetched via the GitHub REST API (authenticated rate limit applies);
otherwise the action falls back to a direct GET of {mirror}/versions-manifest.json.

Token interaction
-----------------

`token` is never forwarded to arbitrary hosts. Auth resolution is per-URL:

  1. if mirror-token is set, use mirror-token
  2. else if token is set AND the target host is github.com,
     *.github.com, or *.githubusercontent.com, use token
  3. else send no auth

Cases:

  Default (no inputs set)
    mirror = default raw.githubusercontent.com URL, mirror-token empty,
    token = github.token.
    → manifest API call and tarball downloads use `token`.
    Identical to prior behavior.

  Custom raw.githubusercontent.com mirror (e.g. personal fork)
    mirror-token empty, token = github.token.
    → manifest API call and tarball downloads use `token`
      (target hosts are GitHub-owned).

  Custom non-GitHub mirror, no mirror-token
    mirror-token empty, token = github.token.
    → manifest fetched via direct URL (no auth attached),
      tarball downloads use no auth.
    `token` is NOT forwarded to the custom host — this is the
    leak-prevention case.

  Custom non-GitHub mirror with mirror-token
    mirror-token set, token may be set.
    → manifest fetch and tarball downloads use `mirror-token`.

  Custom GitHub mirror with both tokens set
    mirror-token wins. Used for both the manifest API call and
    tarball downloads.
@luhenry luhenry requested a review from a team as a code owner April 6, 2026 00:41
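
The three-step auth resolution described in the PR description and commit message above, written out as an added TypeScript example (not code from this pull request). `resolveAuth`, `isGitHubHost` and the sample URLs are hypothetical names and constructed inputs; the host check works on the parsed hostname with a dot boundary so that look-alike hosts do not receive `token`.

```typescript
// Added example: names and sample URLs are hypothetical, not from the PR's code.
type AuthSource = 'mirror-token' | 'token' | 'none';

interface AuthDecision {
  source: AuthSource;
  secret?: string; // credential to attach to the request, if any
}

// Rule 2 host list as written in the description:
// github.com, *.github.com, *.githubusercontent.com.
function isGitHubHost(hostname: string): boolean {
  const host = hostname.toLowerCase();
  // The leading dot in each suffix is the label boundary: "notgithub.com"
  // and "github.com.mirror.example" must not match.
  return (
    host === 'github.com' ||
    host.endsWith('.github.com') ||
    host.endsWith('.githubusercontent.com')
  );
}

function resolveAuth(targetUrl: string, token: string, mirrorToken: string): AuthDecision {
  // Rule 1: mirror-token wins whenever it is set.
  if (mirrorToken) return {source: 'mirror-token', secret: mirrorToken};
  if (!token) return {source: 'none'};
  let hostname: string;
  try {
    // Compare the parsed hostname, never a substring of the raw URL, so that
    // userinfo ("github.com@host") and path tricks cannot influence the match.
    hostname = new URL(targetUrl).hostname;
  } catch {
    return {source: 'none'}; // assumption: an unparseable URL gets no credential
  }
  // Rule 2: token only for GitHub-owned hosts. Rule 3: otherwise no auth.
  return isGitHubHost(hostname) ? {source: 'token', secret: token} : {source: 'none'};
}

// Constructed inputs covering the cases listed above ("T" stands in for github.token).
const constructedCases: Array<[string, string, string]> = [
  ['https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json', 'T', ''],
  ['https://mirror.example/versions-manifest.json', 'T', ''],
  ['https://mirror.example/versions-manifest.json', 'T', 'M'],
  ['https://github.com@mirror.example/versions-manifest.json', 'T', '']
];
for (const [url, token, mirrorToken] of constructedCases) {
  console.log(url, '->', resolveAuth(url, token, mirrorToken).source);
}
```

Under rule 1 as stated, `mirror-token` is attached regardless of the target host, so it should be a credential scoped to the mirror only.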

luhenry commented Apr 6, 2026

Relates to #1289

luhenry commented Apr 6, 2026

Development

Successfully merging this pull request may close these issues.

Add riscv64 architecture support