Only use github.token on github.com (#443)

* Only use github.token on github.com

This expression evaluates to `''` if called from GHES hosted elsewhere
You can still provide your token on both github.com and GHES

* Enshure blank result of expression and not false

* Revert "Revert "Pass the `token` input through on GHES (#427)" (#437)"

This reverts commit cf86e08a31.

* fix typo

* Add back the doc on the tool cache for self-hosted

Co-authored-by: Brian Cristante <33549821+brcrista@users.noreply.github.com>

action.yml

@@ -16,8 +16,8 @@ inputs:
     description: "Set this option if you want the action to check for the latest available version that satisfies the version spec."
     default: false
   token:
-    description: "Used to pull python distributions from actions/python-versions. Since there's a default, this is typically not supplied by the user."
+    description: "The token used to authenticate when fetching Python distributions from https://github.com/actions/python-versions. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting."
-    default: ${{ github.token }}
+    default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
   cache-dependency-path:
     description: "Used to specify the path to dependency files. Supports wildcards or a list of file names for caching multiple dependencies."
   update-environment:

dist/setup/index.js

@@ -65190,7 +65190,7 @@ const tc = __importStar(__nccwpck_require__(7784));
 const exec = __importStar(__nccwpck_require__(1514));
 const utils_1 = __nccwpck_require__(1314);
 const TOKEN = core.getInput('token');
-const AUTH = !TOKEN || utils_1.isGhes() ? undefined : `token ${TOKEN}`;
+const AUTH = !TOKEN ? undefined : `token ${TOKEN}`;
 const MANIFEST_REPO_OWNER = 'actions';
 const MANIFEST_REPO_NAME = 'python-versions';
 const MANIFEST_REPO_BRANCH = 'main';

docs/advanced-usage.md

@@ -473,4 +473,13 @@ One quick way to grant access is to change the user and group of `/Users/runner/
 
 `setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for...`.
 
-To avoid hitting rate-limit problems, we recommend [setting up your own runner tool cache](https://docs.github.com/en/enterprise-server@2.22/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access#about-the-included-setup-actions-and-the-runner-tool-cache).
+To get a higher rate limit, you can [generate a personal access token on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action:
+
+```yml
+uses: actions/setup-python@v4
+with:
+  token: ${{ secrets.GH_DOTCOM_TOKEN }}
+  python-version: 3.11
+```
+
+If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.

src/install-python.ts

@@ -3,10 +3,10 @@ import * as core from '@actions/core';
 import * as tc from '@actions/tool-cache';
 import * as exec from '@actions/exec';
 import {ExecOptions} from '@actions/exec/lib/interfaces';
-import {IS_WINDOWS, IS_LINUX, isGhes} from './utils';
+import {IS_WINDOWS, IS_LINUX} from './utils';
 
 const TOKEN = core.getInput('token');
-const AUTH = !TOKEN || isGhes() ? undefined : `token ${TOKEN}`;
+const AUTH = !TOKEN ? undefined : `token ${TOKEN}`;
 const MANIFEST_REPO_OWNER = 'actions';
 const MANIFEST_REPO_NAME = 'python-versions';
 const MANIFEST_REPO_BRANCH = 'main';