refactor: use scoped registry config and env vars for GitHub auth

- Configure @voidzero-dev scoped registry for GitHub Package Registry
- Use environment variables for auth token instead of writing to .npmrc
- Prevents token theft by subsequent scripts
- Switch all imports from namespace to named imports
- Remove unused NPM_REGISTRY constant

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: fengmk2

dist/index.mjs

@@ -1,7 +1,7 @@
-import * as cache from '@actions/cache'
-import * as glob from '@actions/glob'
-import * as core from '@actions/core'
-import * as os from 'node:os'
+import { restoreCache as restoreCacheAction } from '@actions/cache'
+import { hashFiles } from '@actions/glob'
+import { warning, info, debug, saveState, setOutput } from '@actions/core'
+import { arch, platform } from 'node:os'
 import type { Inputs } from './types.js'
 import { State, Outputs } from './types.js'
 import { detectLockFile, getCacheDirectories } from './utils.js'
@@ -10,57 +10,57 @@ export async function restoreCache(inputs: Inputs): Promise<void> {
   // Detect lock file
   const lockFile = detectLockFile(inputs.cacheDependencyPath)
   if (!lockFile) {
-    core.warning('No lock file found. Skipping cache restore.')
-    core.setOutput(Outputs.CacheHit, false)
+    warning('No lock file found. Skipping cache restore.')
+    setOutput(Outputs.CacheHit, false)
     return
   }
 
-  core.info(`Using lock file: ${lockFile.path}`)
+  info(`Using lock file: ${lockFile.path}`)
 
   // Get cache directories based on lock file type
   const cachePaths = await getCacheDirectories(lockFile.type)
   if (!cachePaths.length) {
-    core.warning('No cache directories found. Skipping cache restore.')
-    core.setOutput(Outputs.CacheHit, false)
+    warning('No cache directories found. Skipping cache restore.')
+    setOutput(Outputs.CacheHit, false)
     return
   }
 
-  core.debug(`Cache paths: ${cachePaths.join(', ')}`)
-  core.saveState(State.CachePaths, JSON.stringify(cachePaths))
+  debug(`Cache paths: ${cachePaths.join(', ')}`)
+  saveState(State.CachePaths, JSON.stringify(cachePaths))
 
   // Generate cache key: vite-plus-{platform}-{arch}-{lockfile-type}-{hash}
-  const platform = process.env.RUNNER_OS || os.platform()
-  const arch = os.arch()
-  const fileHash = await glob.hashFiles(lockFile.path)
+  const runnerOS = process.env.RUNNER_OS || platform()
+  const runnerArch = arch()
+  const fileHash = await hashFiles(lockFile.path)
 
   if (!fileHash) {
     throw new Error(`Failed to generate hash for lock file: ${lockFile.path}`)
   }
 
-  const primaryKey = `vite-plus-${platform}-${arch}-${lockFile.type}-${fileHash}`
+  const primaryKey = `vite-plus-${runnerOS}-${runnerArch}-${lockFile.type}-${fileHash}`
   const restoreKeys = [
-    `vite-plus-${platform}-${arch}-${lockFile.type}-`,
-    `vite-plus-${platform}-${arch}-`,
+    `vite-plus-${runnerOS}-${runnerArch}-${lockFile.type}-`,
+    `vite-plus-${runnerOS}-${runnerArch}-`,
   ]
 
-  core.debug(`Primary key: ${primaryKey}`)
-  core.debug(`Restore keys: ${restoreKeys.join(', ')}`)
+  debug(`Primary key: ${primaryKey}`)
+  debug(`Restore keys: ${restoreKeys.join(', ')}`)
 
-  core.saveState(State.CachePrimaryKey, primaryKey)
+  saveState(State.CachePrimaryKey, primaryKey)
 
   // Attempt to restore cache
-  const matchedKey = await cache.restoreCache(
+  const matchedKey = await restoreCacheAction(
     cachePaths,
     primaryKey,
     restoreKeys
   )
 
   if (matchedKey) {
-    core.info(`Cache restored from key: ${matchedKey}`)
-    core.saveState(State.CacheMatchedKey, matchedKey)
-    core.setOutput(Outputs.CacheHit, true)
+    info(`Cache restored from key: ${matchedKey}`)
+    saveState(State.CacheMatchedKey, matchedKey)
+    setOutput(Outputs.CacheHit, true)
   } else {
-    core.info('Cache not found')
-    core.setOutput(Outputs.CacheHit, false)
+    info('Cache not found')
+    setOutput(Outputs.CacheHit, false)
   }
 }

src/cache-restore.ts

@@ -1,44 +1,44 @@
-import * as cache from '@actions/cache'
-import * as core from '@actions/core'
+import { saveCache as saveCacheAction } from '@actions/cache'
+import { getState, info, warning } from '@actions/core'
 import { State } from './types.js'
 
 export async function saveCache(): Promise<void> {
-  const primaryKey = core.getState(State.CachePrimaryKey)
-  const matchedKey = core.getState(State.CacheMatchedKey)
-  const cachePathsJson = core.getState(State.CachePaths)
+  const primaryKey = getState(State.CachePrimaryKey)
+  const matchedKey = getState(State.CacheMatchedKey)
+  const cachePathsJson = getState(State.CachePaths)
 
   if (!primaryKey) {
-    core.info('No cache key found. Skipping cache save.')
+    info('No cache key found. Skipping cache save.')
     return
   }
 
   if (!cachePathsJson) {
-    core.info('No cache paths found. Skipping cache save.')
+    info('No cache paths found. Skipping cache save.')
     return
   }
 
   // Skip if cache hit on primary key (no changes)
   if (primaryKey === matchedKey) {
-    core.info(`Cache hit on primary key "${primaryKey}". Skipping save.`)
+    info(`Cache hit on primary key "${primaryKey}". Skipping save.`)
     return
   }
 
   const cachePaths: string[] = JSON.parse(cachePathsJson) as string[]
 
   if (!cachePaths.length) {
-    core.info('Empty cache paths. Skipping cache save.')
+    info('Empty cache paths. Skipping cache save.')
     return
   }
 
   try {
-    const cacheId = await cache.saveCache(cachePaths, primaryKey)
+    const cacheId = await saveCacheAction(cachePaths, primaryKey)
     if (cacheId === -1) {
-      core.warning('Cache save failed or was skipped.')
+      warning('Cache save failed or was skipped.')
       return
     }
-    core.info(`Cache saved with key: ${primaryKey}`)
+    info(`Cache saved with key: ${primaryKey}`)
   } catch (error) {
     // Don't fail the action if cache save fails
-    core.warning(`Failed to save cache: ${error}`)
+    warning(`Failed to save cache: ${error}`)
   }
 }

src/cache-save.ts

@@ -1,4 +1,4 @@
-import * as core from '@actions/core'
+import { saveState, getState, setFailed } from '@actions/core'
 import { getInputs } from './inputs.js'
 import { installVitePlus } from './install-viteplus.js'
 import { runViteInstall } from './run-install.js'
@@ -9,7 +9,7 @@ import type { Inputs } from './types.js'
 
 async function runMain(inputs: Inputs): Promise<void> {
   // Mark that post action should run
-  core.saveState(State.IsPost, 'true')
+  saveState(State.IsPost, 'true')
 
   // Step 1: Install @voidzero-dev/global
   await installVitePlus(inputs)
@@ -35,7 +35,7 @@ async function runPost(inputs: Inputs): Promise<void> {
 async function main(): Promise<void> {
   const inputs = getInputs()
 
-  if (core.getState(State.IsPost) === 'true') {
+  if (getState(State.IsPost) === 'true') {
     await runPost(inputs)
   } else {
     await runMain(inputs)
@@ -44,5 +44,5 @@ async function main(): Promise<void> {
 
 main().catch(error => {
   console.error(error)
-  core.setFailed(error instanceof Error ? error.message : String(error))
+  setFailed(error instanceof Error ? error.message : String(error))
 })

src/index.ts

@@ -1,17 +1,17 @@
-import * as core from '@actions/core'
+import { getInput, getBooleanInput } from '@actions/core'
 import { parse as parseYaml } from 'yaml'
 import { z } from 'zod'
 import type { Inputs, Registry, RunInstall } from './types.js'
 import { RunInstallInputSchema } from './types.js'
 
 export function getInputs(): Inputs {
   return {
-    version: core.getInput('version') || 'latest',
-    registry: parseRegistry(core.getInput('registry')),
-    githubToken: core.getInput('github-token') || undefined,
-    runInstall: parseRunInstall(core.getInput('run-install')),
-    cache: core.getBooleanInput('cache'),
-    cacheDependencyPath: core.getInput('cache-dependency-path') || undefined,
+    version: getInput('version') || 'latest',
+    registry: parseRegistry(getInput('registry')),
+    githubToken: getInput('github-token') || undefined,
+    runInstall: parseRunInstall(getInput('run-install')),
+    cache: getBooleanInput('cache'),
+    cacheDependencyPath: getInput('cache-dependency-path') || undefined,
   }
 }
 

src/inputs.ts

@@ -1,9 +1,8 @@
-import * as core from '@actions/core'
-import * as exec from '@actions/exec'
+import { info, debug, warning, saveState, setOutput, addPath } from '@actions/core'
+import { exec, getExecOutput } from '@actions/exec'
 import type { Inputs } from './types.js'
 import {
   PACKAGE_NAME,
-  NPM_REGISTRY,
   GITHUB_REGISTRY,
   State,
   Outputs,
@@ -12,7 +11,7 @@ import {
 export async function installVitePlus(inputs: Inputs): Promise<void> {
   const { version, registry, githubToken } = inputs
 
-  core.info(`Installing ${PACKAGE_NAME}@${version} from ${registry} registry...`)
+  info(`Installing ${PACKAGE_NAME}@${version} from ${registry} registry...`)
 
   // Validate GitHub token if using GitHub registry
   if (registry === 'github' && !githubToken) {
@@ -26,30 +25,33 @@ export async function installVitePlus(inputs: Inputs): Promise<void> {
   const packageSpec =
     version === 'latest' ? PACKAGE_NAME : `${PACKAGE_NAME}@${version}`
 
-  const registryUrl = registry === 'github' ? GITHUB_REGISTRY : NPM_REGISTRY
-
-  // Run npm install -g
-  const args = ['install', '-g', packageSpec, `--registry=${registryUrl}`]
-
-  core.debug(`Running: npm ${args.join(' ')}`)
+  const args = ['install', '-g', packageSpec]
 
   // Set up environment for installation
+  // Use environment variables instead of writing to .npmrc to prevent token theft
   const env: Record<string, string> = {}
   for (const [key, value] of Object.entries(process.env)) {
     if (value !== undefined) {
       env[key] = value
     }
   }
 
-  // Configure registry auth for GitHub
+  // Configure scoped registry for GitHub Package Registry via environment variables
+  // This allows @voidzero-dev packages from GitHub while other packages use npm
   if (registry === 'github' && githubToken) {
-    env.NODE_AUTH_TOKEN = githubToken
+    debug('Configuring @voidzero-dev scoped registry for GitHub Package Registry')
+
+    // npm reads environment variables in the format: npm_config_<key>
+    // For scoped registry: @voidzero-dev:registry -> npm_config_@voidzero-dev:registry
+    env['npm_config_@voidzero-dev:registry'] = GITHUB_REGISTRY
+
+    // For auth token: //npm.pkg.github.com/:_authToken -> npm_config_//npm.pkg.github.com/:_authToken
+    env['npm_config_//npm.pkg.github.com/:_authToken'] = githubToken
   }
 
-  const exitCode = await exec.exec('npm', args, {
-    env,
-    silent: false,
-  })
+  debug(`Running: npm ${args.join(' ')}`)
+
+  const exitCode = await exec('npm', args, { env })
 
   if (exitCode !== 0) {
     throw new Error(
@@ -59,26 +61,26 @@ export async function installVitePlus(inputs: Inputs): Promise<void> {
 
   // Verify installation and get version
   const installedVersion = await getInstalledVersion()
-  core.info(`Successfully installed ${PACKAGE_NAME}@${installedVersion}`)
+  info(`Successfully installed ${PACKAGE_NAME}@${installedVersion}`)
 
   // Save state for outputs
-  core.saveState(State.InstalledVersion, installedVersion)
-  core.setOutput(Outputs.Version, installedVersion)
+  saveState(State.InstalledVersion, installedVersion)
+  setOutput(Outputs.Version, installedVersion)
 
   // Ensure global bin is in PATH
   await ensureGlobalBinInPath()
 }
 
 async function getInstalledVersion(): Promise<string> {
   try {
-    const result = await exec.getExecOutput('vp', ['--version'], {
+    const result = await getExecOutput('vp', ['--version'], {
       silent: true,
     })
     return result.stdout.trim()
   } catch {
     // Fallback: check npm list
     try {
-      const result = await exec.getExecOutput(
+      const result = await getExecOutput(
         'npm',
         ['list', '-g', PACKAGE_NAME, '--depth=0', '--json'],
         { silent: true }
@@ -95,15 +97,15 @@ async function getInstalledVersion(): Promise<string> {
 
 async function ensureGlobalBinInPath(): Promise<void> {
   try {
-    const result = await exec.getExecOutput('npm', ['bin', '-g'], {
+    const result = await getExecOutput('npm', ['bin', '-g'], {
       silent: true,
     })
     const globalBin = result.stdout.trim()
     if (globalBin && !process.env.PATH?.includes(globalBin)) {
-      core.addPath(globalBin)
-      core.debug(`Added ${globalBin} to PATH`)
+      addPath(globalBin)
+      debug(`Added ${globalBin} to PATH`)
     }
   } catch (error) {
-    core.warning(`Could not determine global npm bin path: ${error}`)
+    warning(`Could not determine global npm bin path: ${error}`)
   }
 }

src/install-viteplus.ts

@@ -1,5 +1,5 @@
-import * as core from '@actions/core'
-import * as exec from '@actions/exec'
+import { startGroup, endGroup, setFailed, info } from '@actions/core'
+import { exec } from '@actions/exec'
 import type { Inputs } from './types.js'
 
 export async function runViteInstall(inputs: Inputs): Promise<void> {
@@ -12,25 +12,25 @@ export async function runViteInstall(inputs: Inputs): Promise<void> {
     const cwd = options.cwd || process.env.GITHUB_WORKSPACE || process.cwd()
     const cmdStr = `vite ${args.join(' ')}`
 
-    core.startGroup(`Running ${cmdStr} in ${cwd}...`)
+    startGroup(`Running ${cmdStr} in ${cwd}...`)
 
     try {
-      const exitCode = await exec.exec('vite', args, {
+      const exitCode = await exec('vite', args, {
         cwd,
         ignoreReturnCode: true,
       })
 
       if (exitCode !== 0) {
-        core.setFailed(
+        setFailed(
           `Command "${cmdStr}" (cwd: ${cwd}) exited with code ${exitCode}`
         )
       } else {
-        core.info(`Successfully ran ${cmdStr}`)
+        info(`Successfully ran ${cmdStr}`)
       }
     } catch (error) {
-      core.setFailed(`Failed to run ${cmdStr}: ${error}`)
+      setFailed(`Failed to run ${cmdStr}: ${error}`)
     } finally {
-      core.endGroup()
+      endGroup()
     }
   }
 }

src/run-install.ts

@@ -60,5 +60,4 @@ export enum Outputs {
 
 // Package constants
 export const PACKAGE_NAME = '@voidzero-dev/global'
-export const NPM_REGISTRY = 'https://registry.npmjs.org'
 export const GITHUB_REGISTRY = 'https://npm.pkg.github.com'