actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: use actions/core for getting gh OIDC token (#2)

Browse Source 
Co-authored-by: Seth Vargo <seth@sethvargo.com>
This commit is contained in:
Bharath KKB 2021-09-18 10:35:52 -05:00 committed by GitHub
parent e13dfdd573
commit afef6a5b6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 1136 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1142
dist/index.js vendored
View File

File diff suppressed because it is too large Load Diff

49
package-lock.json generated
View File

@ -9,7 +9,7 @@
"version": "0.1.0", "version": "0.1.0",
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.5.0" "@actions/core": "^1.6.0-beta.0"
}, },
"devDependencies": { "devDependencies": {
"@types/chai": "^4.2.21", "@types/chai": "^4.2.21",
@ -30,9 +30,20 @@
} }
}, },
"node_modules/@actions/core": { "node_modules/@actions/core": {
"version": "1.5.0", "version": "1.6.0-beta.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.5.0.tgz", "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0-beta.0.tgz",
"integrity": "sha512-eDOLH1Nq9zh+PJlYLqEMkS/jLQxhksPNmUGNBHfa4G+tQmnIhzpctxmchETtVGyBOvXgOVVpYuE40+eS4cUnwQ==" "integrity": "sha512-NaJq0c65C8POKyHIDCa+/2RuYDSsTW11bfB2/UDPba529qJJGxOFBxjqIUY2YVqlI9umRta9ufgEIJndyQ4ZAA==",
"dependencies": {
"@actions/http-client": "^1.0.11"
}
},
"node_modules/@actions/http-client": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
"integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
"dependencies": {
"tunnel": "0.0.6"
}
}, },
"node_modules/@babel/code-frame": { "node_modules/@babel/code-frame": {
"version": "7.12.11", "version": "7.12.11",
@ -2423,6 +2434,14 @@
"typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta" "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
} }
}, },
"node_modules/tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
"engines": {
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
}
},
"node_modules/type-check": { "node_modules/type-check": {
"version": "0.4.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz", "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@ -2670,9 +2689,20 @@
}, },
"dependencies": { "dependencies": {
"@actions/core": { "@actions/core": {
"version": "1.5.0", "version": "1.6.0-beta.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.5.0.tgz", "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0-beta.0.tgz",
"integrity": "sha512-eDOLH1Nq9zh+PJlYLqEMkS/jLQxhksPNmUGNBHfa4G+tQmnIhzpctxmchETtVGyBOvXgOVVpYuE40+eS4cUnwQ==" "integrity": "sha512-NaJq0c65C8POKyHIDCa+/2RuYDSsTW11bfB2/UDPba529qJJGxOFBxjqIUY2YVqlI9umRta9ufgEIJndyQ4ZAA==",
"requires": {
"@actions/http-client": "^1.0.11"
}
},
"@actions/http-client": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
"integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
"requires": {
"tunnel": "0.0.6"
}
}, },
"@babel/code-frame": { "@babel/code-frame": {
"version": "7.12.11", "version": "7.12.11",
@ -4378,6 +4408,11 @@
"tslib": "^1.8.1" "tslib": "^1.8.1"
} }
}, },
"tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
},
"type-check": { "type-check": {
"version": "0.4.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz", "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",

2
package.json
View File

@ -23,7 +23,7 @@
"author": "GoogleCloudPlatform", "author": "GoogleCloudPlatform",
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.5.0" "@actions/core": "^1.6.0-beta.0"
}, },
"devDependencies": { "devDependencies": {
"@types/chai": "^4.2.21", "@types/chai": "^4.2.21",

50
src/client.ts
View File

@ -1,21 +1,6 @@
import https, { RequestOptions } from 'https'; import https, { RequestOptions } from 'https';
import { URL } from 'url'; import { URL } from 'url';
/**
* GitHubTokenParameters are the parameters to generate an OIDC token from
* within a GitHub Action.
*
* @param url URL endpoint from which to request the token.
* @param audience JWT aud value for the token.
* @param token Temporary token provided by the environment to request the real
* token.
*/
interface GitHubTokenParameters {
url: string;
audience: string;
token: string;
}
/** /**
* GoogleFederatedTokenParameters are the parameters to generate a Federated * GoogleFederatedTokenParameters are the parameters to generate a Federated
* Identity Token as described in: * Identity Token as described in:
@ -131,41 +116,6 @@ export class Client {
}); });
} }
/**
* githubToken invokes the given URL, appending the audience parameter, using
* the provided token as authentication. This can only be run from inside a
* GitHub Action.
*/
static async githubToken({ url, audience, token }: GitHubTokenParameters): Promise<string> {
const requestURL = new URL(url);
// Append the audience value to the request.
const params = requestURL.searchParams;
params.set('audience', audience);
requestURL.search = params.toString();
// Make the request.
const opts = {
hostname: requestURL.hostname,
port: requestURL.port,
path: requestURL.pathname + requestURL.search,
method: 'GET',
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json',
'Content-Type': 'application/json',
},
};
try {
const resp = await Client.request(opts);
const parsed = JSON.parse(resp);
return parsed['value'];
} catch (err) {
throw new Error(`failed to generate GitHub OIDC token via ${url} (aud: ${audience}): ${err}`);
}
}
/** /**
* googleFederatedToken generates a Google Cloud federated token using the * googleFederatedToken generates a Google Cloud federated token using the
* provided OIDC token and Workload Identity Provider. * provided OIDC token and Workload Identity Provider.

16
src/main.ts
View File

@ -39,21 +39,7 @@ async function run(): Promise<void> {
const lifetime = core.getInput('lifetime'); const lifetime = core.getInput('lifetime');
const idTokenAudience = core.getInput('id_token_audience'); const idTokenAudience = core.getInput('id_token_audience');
// Extract the GitHub Actions OIDC token. const githubOIDCToken = await core.getIDToken(audience);
const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
if (!requestToken) {
throw `missing ACTIONS_ID_TOKEN_REQUEST_TOKEN`;
}
const requestURL = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
if (!requestURL) {
throw `missing ACTIONS_ID_TOKEN_REQUEST_URL`;
}
const githubOIDCToken = await Client.githubToken({
url: requestURL,
token: requestToken,
audience: audience,
});
core.setSecret(githubOIDCToken);
// Exchange the GitHub OIDC token for a Google Federated Token. // Exchange the GitHub OIDC token for a Google Federated Token.
const googleFederatedToken = await Client.googleFederatedToken({ const googleFederatedToken = await Client.googleFederatedToken({