Skip tool cache if corresponding input is disabled

Author: svartalf

.github/workflows/ci.yml

@@ -18,6 +18,7 @@ jobs:
       - run: npm run test
 
   install_from_tool_cache:
+    needs: test
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -26,6 +27,18 @@ jobs:
           - ubuntu-16.04
           - macOS-latest
           - windows-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install sccache
+        uses: ./
+        with:
+          crate: sccache
+          use-tool-cache: true
+      - run: sccache --help
+
+  disabled_tool_cache:
+    needs: test
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - name: Install sccache
@@ -35,11 +48,13 @@ jobs:
       - run: sccache --help
 
   install_missing_from_tool_cache:
+    needs: test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - name: Install bat
         uses: ./
         with:
           crate: bat
+          use-tool-cache: true
       - run: bat package.json

README.md

@@ -8,28 +8,32 @@
 
 This GitHub Action provides faster version of the `cargo install` command.
 
-⚠ ️**NOTE: Work on this Action is still in progress, no guarantees on stability, correctness or security are provided right now.** ⚠
+⚠ ️**NOTE: This is an experimental Action.** ⚠
 
 **Table of Contents**
 
 * [How does this works?](#how-does-it-work)
 * [Example workflow](#example-workflow)
 * [Inputs](#inputs)
-* [Security considerations](#security-considerations)
+* [Tool cache](#tool-cache)
+    * [Security considerations](#security-considerations)
+* [GitHub cache](#github-cache)
 * [License](#license)
 * [Contribute and support](#contribute-and-support)
 
 ## How does it work?
 
-1. Most popular binary crates used in Rust CI are selected for the speed-up installation
-2. They are compiled directly at GitHub virtual environments
-3. Then they are uploaded into the external storage
-4. When you use this Action to install one of these crates,
-   it will be downloaded from this cache storage
-5. If crate was not found in the cache storage, usual `cargo install` will be invoked instead.
+Before calling your usual `cargo install` command, this Action
+attempts to download pre-build binary crate file from the binary crates cache.\
+See [Security considerations](#security-considerations) to read more
+about potential caveats and usage policy.
+
+If requested crate does not exist in the crates cache storage,
+this Action will fall back to the usual `cargo install`.
+
+As soon as [actions-rs/meta#21](https://github.com/actions-rs/meta/issues/21) will be implemented,
+this Action will also cache compiled binary in the GitHub cache.
 
-As soon as https://github.com/actions-rs/meta/issues/21 will be implemented,
-this Action will also cache resulting binary in the GitHub cache after compilation.
 
 ## Example workflow
 
@@ -53,18 +57,41 @@ jobs:
 
 ## Inputs
 
-| Name         | Required | Description              | Type   | Default |
-| ------------ | :------: | -------------------------| ------ | --------|
-| `crate`      | ✓        | Binary crate name        | string |         |
-| `version`    |          | Crate version to install | string | latest  |
+| Name             | Required | Description                                      | Type   | Default |
+| ---------------- | :------: | ------------------------------------------------ | ------ | --------|
+| `crate`          | ✓        | Binary crate name                                | string |         |
+| `version`        |          | Crate version to install                         | string | latest  |
+| `use-tool-cache` |          | Use pre-compiled crates to speed-up installation | bool   | false   |
+
+## Tool cache
+
+As it was mentioned in [How does it work?](#how-does-it-work) section,
+this Action can use external cache with the pre-compiled crates in it.
+
+In order to use it, you need to **explicitly** enable `use-tool-cache` input:
+
+```yaml
+- uses: actions-rs/install@master
+  with:
+    crate: cargo-audit
+    version: latest
+    use-tool-cache: true
+```
+
+Before enabling this input, you should acknowledge security risks
+of executing pre-compiled binaries in your CI workflows.
+
+### Security considerations
 
-## Security considerations
+Check the [`tool-cache`](https://github.com/actions-rs/tool-cache/) repo
+to under understand how binary crates are built, signed and uploaded to the external cache.
 
-You should acknowledge that in order to speed up the crates installation,
-this Action uses pre-built binaries stored in the external storage.
+This Action downloads both binary file and its signature.\
+Signature validation is proceeded by `openssl` and public key (`public.pem`)
+of the same certificate used for signing files at `tool-cache` repo.
 
-Before using this Action consider checking the [Security considerations](https://github.com/actions-rs/tool-cache/blob/master/README.md#security-considerations) chapter
-of the tool cache builder to understand how this might affect you.
+If signature validation fails, binary file is removed immediately,
+warning issued and fall back to the `cargo install` call happens.
 
 ## License
 

action.yml

@@ -12,8 +12,6 @@ inputs:
     description: Specify a version to install
     required: false
     default: 'latest'
-
-  # These inputs are not used/implemented yet
   use-tool-cache:
     description: Use tool cache to speed up installation (not used yet)
     required: false

dist/index.js

@@ -8,14 +8,20 @@ import { input } from "@actions-rs/core";
 export interface Input {
     crate: string;
     version: string;
+    useToolCache: boolean;
+    useCache: boolean;
 }
 
 export function get(): Input {
     const crate = input.getInput("crate", { required: true });
     const version = input.getInput("version", { required: true });
+    const useToolCache = input.getInputBool("use-tool-cache") || false;
+    const useCache = input.getInputBool("use-cache") || true;
 
     return {
         crate: crate,
         version: version,
+        useToolCache: useToolCache,
+        useCache: useCache,
     };
 }

src/input.ts

@@ -4,13 +4,52 @@ import { Cargo } from "@actions-rs/core";
 import * as input from "./input";
 import * as download from "./download";
 
-export async function run(crate: string, version: string): Promise<void> {
+interface Options {
+    useToolCache: boolean;
+    useCache: boolean;
+}
+
+async function downloadFromToolCache(
+    crate: string,
+    version: string
+): Promise<void> {
     try {
         await download.downloadFromCache(crate, version);
     } catch (error) {
         core.warning(
             `Unable to download ${crate} == ${version} from the tool cache: ${error}`
         );
+        throw error;
+    }
+}
+
+export async function run(
+    crate: string,
+    version: string,
+    options: Options
+): Promise<void> {
+    try {
+        if (options.useToolCache) {
+            try {
+                core.info(
+                    "Tool cache is explicitly enabled via the Action input"
+                );
+                core.startGroup("Downloading from the tool cache");
+
+                return await downloadFromToolCache(crate, version);
+            } finally {
+                core.endGroup();
+            }
+        } else {
+            core.info(
+                "Tool cache is disabled in the Action inputs, skipping it"
+            );
+
+            throw new Error(
+                "Faster installation options either failed or disabled"
+            );
+        }
+    } catch (error) {
         core.info("Falling back to the `cargo install` command");
         const cargo = await Cargo.get();
         await cargo.installCached(crate, version);
@@ -21,7 +60,10 @@ async function main(): Promise<void> {
     try {
         const actionInput = input.get();
 
-        await run(actionInput.crate, actionInput.version);
+        await run(actionInput.crate, actionInput.version, {
+            useToolCache: actionInput.useToolCache,
+            useCache: actionInput.useCache,
+        });
     } catch (error) {
         core.setFailed(error.message);
     }