Releases · testingbot/testingbot-tunnel-action

A major release with breaking changes, new features, and a thorough security + dependency overhaul.

⚠️ Breaking Changes

Runtime bumped to Node 24. The action now runs on node24. If your workflow used runs-on values that don't provide Node 24 (very old self-hosted runners), you'll need to upgrade.
Credentials are now passed via environment variables. key and secret inputs are injected into the Docker container as TESTINGBOT_KEY / TESTINGBOT_SECRET env vars instead of positional command-line arguments. This keeps secrets out of ps aux and docker inspect. No action needed — the inputs in your workflow stay the same.
Fixed wrong flag names: --no-cache → --nocache and --no-proxy → --noproxy. Previously these were silently rejected by the tunnel binary; now they take effect. If you set noCache: true or noProxy: true and relied on them not working, behavior changes.
Log upload API updated to @actions/artifact@2. No change to the uploadLogFile input, but the artifact internals are completely different — you may see artifact URLs and download names change.

🆕 New Features

Action outputs — consume tunnel state in downstream steps:

uses: testingbot/testingbot-tunnel-action@v2
id: tunnel
with: {...}
if: always()
uses: actions/upload-artifact@v4
with:
name: tunnel-log
path: ${{ steps.tunnel.outputs.log-file }}
container-id — Docker container ID
tunnel-identifier — echoed tunnel identifier
log-file — absolute path to the tunnel log on the runner

Six new inputs matching the full TestingBot tunnel CLI:

readyTimeout input — configure how long to wait for the tunnel ready-file (default 60s, previously hardcoded).

🔒 Security

Credentials forwarded via Docker env vars, not visible in process listings
setSecret() applied to key and secret for defense-in-depth log masking
All production dependencies updated to their latest secure versions (@actions/core 1.2.7 → 1.11.1, @actions/exec 1.0.4 → 1.1.1, @actions/artifact 0.5.1 → 2.x)
Overrides added for vulnerable transitive deps (diff, serialize-javascript, undici)
CI workflow pinned to permissions: contents: read
E2E job skipped on PRs from forks (no secret exposure)

🐛 Bug Fixes

readyPoller race condition — fixed case where the tunnel could write tb.ready before the watcher was attached, causing false 60s timeouts
retryTimeout NaN handling — empty/non-numeric input no longer causes an infinite retry loop
Error typing — all catch blocks now safely handle unknown/non-Error throws
buildOptions no longer async — was returning a Promise needlessly

🧰 Internal / Quality

TypeScript 4.2 → 6.0, ESLint 7 → 8, Prettier 2 → 3, WebdriverIO 7 → 9
21 unit tests added (Mocha + Sinon), covering buildOptions, readyPoller, stopTunnel, uploadLog, startTunnel, retry logic in index.ts, and post-action cleanup in post.ts
CI split into separate unit and e2e jobs; unit matrix on Node 20/22/24
Pre-compile TypeScript tests to avoid Node-version-specific loader issues
CodeQL workflow updated to current action versions
dist/ now CI-verified to stay in sync with source on every push

📦 Migration Guide

For the vast majority of users, no changes needed — the input names are unchanged. The main things to verify:

If you set noCache: true or noProxy: true, confirm the tunnel is actually bypassing cache / skipping the local proxy (it will now, whereas before it silently didn't).
If you rely on uploadLogFile: true, the artifact in your run's artifact tab may have different contents/format.
If you pin to @v1.1.0, switch to @v2 when ready.

Provide feedback