Merge branch 'dev' into docs/v4

Author: LouisHaftmann

lib/db/index.ts

@@ -30,10 +30,16 @@ export interface UploadPartsTable {
   e_tag: string | null
 }
 
+export interface MetaTable {
+  key: 'version'
+  value: string
+}
+
 export interface Database {
   cache_keys: CacheKeysTable
   uploads: UploadsTable
   upload_parts: UploadPartsTable
+  meta: MetaTable
 }
 
 let _db: Kysely<Database>

lib/db/migrations.ts

@@ -4,7 +4,7 @@ import type { DatabaseDriverName } from '~/lib/db/drivers'
 
 export function migrations(dbType: DatabaseDriverName) {
   return {
-    cache_keys_table: {
+    $0_cache_keys_table: {
       async up(db) {
         let query = db.schema
           .createTable('cache_keys')
@@ -22,7 +22,7 @@ export function migrations(dbType: DatabaseDriverName) {
         await db.schema.dropTable('cache_keys').ifExists().execute()
       },
     },
-    uploads_and_upload_parts_tables: {
+    $1_uploads_and_upload_parts_tables: {
       async up(db) {
         await db.schema
           .createTable('uploads')
@@ -56,5 +56,18 @@ export function migrations(dbType: DatabaseDriverName) {
         await db.schema.dropTable('upload_parts').ifExists().execute()
       },
     },
+    $2_meta_table: {
+      async up(db) {
+        await db.schema
+          .createTable('meta')
+          .addColumn('key', dbType === 'mysql' ? 'varchar(255)' : 'text', (c) => c.primaryKey())
+          .addColumn('value', 'text')
+          .ifNotExists()
+          .execute()
+      },
+      async down(db) {
+        await db.schema.dropTable('meta').ifExists().execute()
+      },
+    },
   } satisfies Record<string, Migration>
 }

lib/env.ts

@@ -4,7 +4,6 @@ const booleanSchema = z.string().transform((v) => v.toLowerCase() === 'true')
 
 const envSchema = z.object({
   ENABLE_DIRECT_DOWNLOADS: booleanSchema.default('false'),
-  DOWNLOAD_SECRET_KEY: z.string(),
   URL_ACCESS_TOKEN: z.string().min(1),
   CLEANUP_OLDER_THAN_DAYS: z.coerce.number().int().min(0).default(90),
   API_BASE_URL: z.string().url(),

lib/storage/index.ts

@@ -1,4 +1,4 @@
-import { createHash, randomInt } from 'node:crypto'
+import { randomBytes, randomInt } from 'node:crypto'
 
 import consola from 'consola'
 
@@ -226,6 +226,11 @@ export async function initializeStorage() {
         })
 
         const keys = await findStaleKeys(db, { olderThanDays })
+        if (keys.length === 0) {
+          logger.debug('Prune: No caches to prune')
+          return
+        }
+
         await driver.delete({
           objectNames: keys.map((key) => getObjectNameFromKey(key.key, key.version)),
         })
@@ -266,11 +271,7 @@ export async function initializeStorage() {
 }
 
 function createLocalDownloadUrl(objectName: string) {
-  const hashedKey = createHash('sha256')
-    .update(objectName + ENV.DOWNLOAD_SECRET_KEY)
-    .digest('base64url')
-
-  return `${ENV.API_BASE_URL}/download/${hashedKey}/${objectName}`
+  return `${ENV.API_BASE_URL}/download/${randomBytes(64).toString('hex')}/${objectName}`
 }
 
 export function useStorageAdapter() {

plugins/setup.ts

@@ -1,12 +1,13 @@
 import { H3Error } from 'h3'
 
-import { initializeDatabase } from '~/lib/db'
+import { initializeDatabase, useDB } from '~/lib/db'
 import { ENV } from '~/lib/env'
 import { logger } from '~/lib/logger'
-import { initializeStorage } from '~/lib/storage'
+import { initializeStorage, useStorageAdapter } from '~/lib/storage'
 
 export default defineNitroPlugin(async (nitro) => {
-  logger.info(`🚀 Starting GitHub Actions Cache Server (${useRuntimeConfig().version})`)
+  const version = useRuntimeConfig().version
+  logger.info(`🚀 Starting GitHub Actions Cache Server (${version})`)
 
   await initializeDatabase()
   await initializeStorage()
@@ -34,6 +35,28 @@ export default defineNitroPlugin(async (nitro) => {
     })
   }
 
+  if (!version) throw new Error('No version found in runtime config')
+
+  const db = useDB()
+  const existing = await db
+    .selectFrom('meta')
+    .where('key', '=', 'version')
+    .select('value')
+    .executeTakeFirst()
+
+  if (!existing || existing.value !== version) {
+    logger.info(
+      `Version changed from ${existing?.value ?? '[no version, first install]'} to ${version}. Pruning cache...`,
+    )
+    await useStorageAdapter().pruneCaches()
+  }
+
+  if (existing) {
+    await db.updateTable('meta').set('value', version).where('key', '=', 'version').execute()
+  } else {
+    await db.insertInto('meta').values({ key: 'version', value: version }).execute()
+  }
+
   if (process.send) process.send('nitro:ready')
 })
 

routes/download/[hash]/[objectName].ts renamed to routes/download/[random]/[objectName].ts

@@ -1,13 +1,9 @@
-import { createHash } from 'node:crypto'
-
 import { z } from 'zod'
 
-import { ENV } from '~/lib/env'
 import { useStorageAdapter } from '~/lib/storage'
 
 const pathParamsSchema = z.object({
   objectName: z.string(),
-  hash: z.string(),
 })
 
 export default defineEventHandler(async (event) => {
@@ -18,12 +14,7 @@ export default defineEventHandler(async (event) => {
       statusMessage: `Invalid path parameters: ${parsedPathParams.error.message}`,
     })
 
-  const { objectName, hash } = parsedPathParams.data
-
-  const hashedCacheId = createHash('sha256')
-    .update(objectName + ENV.DOWNLOAD_SECRET_KEY)
-    .digest('base64url')
-  if (hashedCacheId !== hash) throw createError({ statusCode: 403, statusMessage: 'Forbidden' })
+  const { objectName } = parsedPathParams.data
 
   const stream = await useStorageAdapter().download(objectName)
 

tests/.env.base

@@ -2,5 +2,4 @@ URL_ACCESS_TOKEN=test_token
 API_BASE_URL=http://localhost:3000
 NODE_ENV=development
 RUNNER_TEMP=tests/temp/runner
-ACTIONS_CACHE_URL=http://localhost:3000/test_token/
-DOWNLOAD_SECRET_KEY=test_key
+ACTIONS_CACHE_URL=http://localhost:3000/test_token/