Full release of actions/core 1.6.0 with oidc behavior #919
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
/* eslint-disable @typescript-eslint/no-extraneous-class */ | ||
import * as actions_http_client from '@actions/http-client' | ||
import {IRequestOptions} from '@actions/http-client/interfaces' | ||
import {HttpClient} from '@actions/http-client' | ||
import {BearerCredentialHandler} from '@actions/http-client/auth' | ||
import {debug, setSecret} from './core' | ||
interface TokenResponse { | ||
value?: string | ||
} | ||
|
||
export class OidcClient { | ||
private static createHttpClient( | ||
allowRetry = true, | ||
maxRetry = 10 | ||
): actions_http_client.HttpClient { | ||
const requestOptions: IRequestOptions = { | ||
allowRetries: allowRetry, | ||
maxRetries: maxRetry | ||
} | ||
|
||
return new HttpClient( | ||
'actions/oidc-client', | ||
[new BearerCredentialHandler(OidcClient.getRequestToken())], | ||
requestOptions | ||
) | ||
} | ||
|
||
private static getRequestToken(): string { | ||
const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] | ||
Using jobs:
job:
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v6
id: script
timeout-minutes: 10
with:
debug: true
script: |
const token = process.env['ACTIONS_RUNTIME_TOKEN']
const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
core.setOutput('TOKEN', token.trim())
core.setOutput('IDTOKENURL', runtimeUrl.trim()) Also see github/docs#32573 |
||
if (!token) { | ||
throw new Error( | ||
'Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable' | ||
) | ||
} | ||
return token | ||
} | ||
|
||
private static getIDTokenUrl(): string { | ||
const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL'] | ||
if (!runtimeUrl) { | ||
throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable') | ||
} | ||
return runtimeUrl | ||
} | ||
|
||
private static async getCall(id_token_url: string): Promise<string> { | ||
const httpclient = OidcClient.createHttpClient() | ||
|
||
const res = await httpclient | ||
.getJson<TokenResponse>(id_token_url) | ||
.catch(error => { | ||
throw new Error( | ||
`Failed to get ID Token. \n | ||
Error Code : ${error.statusCode}\n | ||
Error Message: ${error.result.message}` | ||
) | ||
}) | ||
|
||
const id_token = res.result?.value | ||
if (!id_token) { | ||
throw new Error('Response json body do not have ID Token field') | ||
} | ||
return id_token | ||
} | ||
|
||
static async getIDToken(audience?: string): Promise<string> { | ||
try { | ||
// New ID Token is requested from action service | ||
let id_token_url: string = OidcClient.getIDTokenUrl() | ||
if (audience) { | ||
const encodedAudience = encodeURIComponent(audience) | ||
id_token_url = `${id_token_url}&audience=${encodedAudience}` | ||
} | ||
|
||
debug(`ID token url is ${id_token_url}`) | ||
|
||
const id_token = await OidcClient.getCall(id_token_url) | ||
setSecret(id_token) | ||
return id_token | ||
} catch (error) { | ||
throw new Error(`Error message: ${error.message}`) | ||
} | ||
} | ||
} |
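Review bot: In `getCall`, the `.catch` handler reads `error.result.message` unguarded, so a rejection that carries no `result` (presumably a transport failure or timeout rather than an HTTP error response) raises a TypeError inside the handler, and the caller sees that instead of the real cause of the failed token request. Guarding both fields keeps the original failure visible: `Error Code : ${error.statusCode ?? 'n/a'}\n` and `Error Message: ${error.result?.message ?? error.message}`. The template literal also mixes literal `\n` with real line breaks and indentation, so the message is rendered with doubled newlines and leading spaces; building it from a single-line string would be cleaner. Separately, the `debug(...)` call in `getIDToken` writes the full token request URL, including the audience, to the debug log; it is worth confirming that this is intended, since only the returned `id_token` is passed to `setSecret`.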
I hope we could have some real tests.