feat: use actions/core for getting gh OIDC token (#2)

Co-authored-by: Seth Vargo <seth@sethvargo.com>
2021-09-18 10:35:52 -05:00 · 2021-09-18 10:35:52 -05:00 · afef6a5b6d
commit afef6a5b6d
parent e13dfdd573
5 changed files with 1136 additions and 123 deletions
--- a/dist/index.js
+++ b/dist/index.js
--- a/package-lock.json
+++ b/package-lock.json
@ -9,7 +9,7 @@
      "version": "0.1.0",
      "license": "Apache-2.0",
      "dependencies": {
-        "@actions/core": "^1.5.0"
+        "@actions/core": "^1.6.0-beta.0"
      },
      "devDependencies": {
        "@types/chai": "^4.2.21",
@ -30,9 +30,20 @@
      }
    },
    "node_modules/@actions/core": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.5.0.tgz",
-      "integrity": "sha512-eDOLH1Nq9zh+PJlYLqEMkS/jLQxhksPNmUGNBHfa4G+tQmnIhzpctxmchETtVGyBOvXgOVVpYuE40+eS4cUnwQ=="
+      "version": "1.6.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0-beta.0.tgz",
+      "integrity": "sha512-NaJq0c65C8POKyHIDCa+/2RuYDSsTW11bfB2/UDPba529qJJGxOFBxjqIUY2YVqlI9umRta9ufgEIJndyQ4ZAA==",
+      "dependencies": {
+        "@actions/http-client": "^1.0.11"
+      }
+    },
+    "node_modules/@actions/http-client": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
+      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "dependencies": {
+        "tunnel": "0.0.6"
+      }
    },
    "node_modules/@babel/code-frame": {
      "version": "7.12.11",
@ -2423,6 +2434,14 @@
        "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
      }
    },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
    "node_modules/type-check": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@ -2670,9 +2689,20 @@
  },
  "dependencies": {
    "@actions/core": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.5.0.tgz",
-      "integrity": "sha512-eDOLH1Nq9zh+PJlYLqEMkS/jLQxhksPNmUGNBHfa4G+tQmnIhzpctxmchETtVGyBOvXgOVVpYuE40+eS4cUnwQ=="
+      "version": "1.6.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0-beta.0.tgz",
+      "integrity": "sha512-NaJq0c65C8POKyHIDCa+/2RuYDSsTW11bfB2/UDPba529qJJGxOFBxjqIUY2YVqlI9umRta9ufgEIJndyQ4ZAA==",
+      "requires": {
+        "@actions/http-client": "^1.0.11"
+      }
+    },
+    "@actions/http-client": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
+      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "requires": {
+        "tunnel": "0.0.6"
+      }
    },
    "@babel/code-frame": {
      "version": "7.12.11",
@ -4378,6 +4408,11 @@
        "tslib": "^1.8.1"
      }
    },
+    "tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+    },
    "type-check": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
--- a/package.json
+++ b/package.json
@ -23,7 +23,7 @@
  "author": "GoogleCloudPlatform",
  "license": "Apache-2.0",
  "dependencies": {
-    "@actions/core": "^1.5.0"
+    "@actions/core": "^1.6.0-beta.0"
  },
  "devDependencies": {
    "@types/chai": "^4.2.21",
--- a/src/client.ts
+++ b/src/client.ts
@ -1,21 +1,6 @@
 import https, { RequestOptions } from 'https';
 import { URL } from 'url';

-/**
- * GitHubTokenParameters are the parameters to generate an OIDC token from
- * within a GitHub Action.
- *
- * @param url URL endpoint from which to request the token.
- * @param audience JWT aud value for the token.
- * @param token Temporary token provided by the environment to request the real
- * token.
- */
-interface GitHubTokenParameters {
-  url: string;
-  audience: string;
-  token: string;
-}
-
 /**
 * GoogleFederatedTokenParameters are the parameters to generate a Federated
 * Identity Token as described in:
@ -131,41 +116,6 @@ export class Client {
    });
  }

-  /**
-   * githubToken invokes the given URL, appending the audience parameter, using
-   * the provided token as authentication. This can only be run from inside a
-   * GitHub Action.
-   */
-  static async githubToken({ url, audience, token }: GitHubTokenParameters): Promise<string> {
-    const requestURL = new URL(url);
-
-    // Append the audience value to the request.
-    const params = requestURL.searchParams;
-    params.set('audience', audience);
-    requestURL.search = params.toString();
-
-    // Make the request.
-    const opts = {
-      hostname: requestURL.hostname,
-      port: requestURL.port,
-      path: requestURL.pathname + requestURL.search,
-      method: 'GET',
-      headers: {
-        'Authorization': `Bearer ${token}`,
-        'Accept': 'application/json',
-        'Content-Type': 'application/json',
-      },
-    };
-
-    try {
-      const resp = await Client.request(opts);
-      const parsed = JSON.parse(resp);
-      return parsed['value'];
-    } catch (err) {
-      throw new Error(`failed to generate GitHub OIDC token via ${url} (aud: ${audience}): ${err}`);
-    }
-  }
-
  /**
   * googleFederatedToken generates a Google Cloud federated token using the
   * provided OIDC token and Workload Identity Provider.
--- a/src/main.ts
+++ b/src/main.ts
@ -39,21 +39,7 @@ async function run(): Promise<void> {
    const lifetime = core.getInput('lifetime');
    const idTokenAudience = core.getInput('id_token_audience');

-    // Extract the GitHub Actions OIDC token.
-    const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
-    if (!requestToken) {
-      throw `missing ACTIONS_ID_TOKEN_REQUEST_TOKEN`;
-    }
-    const requestURL = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
-    if (!requestURL) {
-      throw `missing ACTIONS_ID_TOKEN_REQUEST_URL`;
-    }
-    const githubOIDCToken = await Client.githubToken({
-      url: requestURL,
-      token: requestToken,
-      audience: audience,
-    });
-    core.setSecret(githubOIDCToken);
+    const githubOIDCToken = await core.getIDToken(audience);

    // Exchange the GitHub OIDC token for a Google Federated Token.
    const googleFederatedToken = await Client.googleFederatedToken({