actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-09 16:16:55 +00:00
Code Activity Actions

Merge branch 'master' of https://github.com/hashicorp/vault-action into feat/wildcard-all-secrets

Browse source 
 Conflicts:
	package-lock.json
This commit is contained in:
FERNANDES Nicolas nicolas.fernandes.etu@univ-lille.fr 2021-11-23 22:38:57 +01:00
commit 1e3275a961
10 changed files with 1560 additions and 277 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
.github/workflows/jira.yaml vendored
View file

@ -13,21 +13,6 @@ jobs:
runs-on: ubuntu-latest
name: Jira sync
steps:
- name: Check if community user
if: github.event.action == 'opened'
id: vault-team-role
run: |
TEAM=vault
ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
if [[ -n ${ROLE} ]]; then
echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation"
else
echo "Actor ${{ github.actor }} is not a ${TEAM} team member"
fi
echo "::set-output name=role::${ROLE}"
env:
GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }}
- name: Login
uses: atlassian/gajira-login@v2.0.0
env:
@ -46,7 +31,7 @@ jobs:
fi
- name: Create ticket
if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role
if: github.event.action == 'opened'
uses: tomhjp/gh-action-jira-create@v0.2.0
with:
project: VAULT
@ -63,7 +48,7 @@ jobs:
uses: tomhjp/gh-action-jira-search@v0.2.1
with:
# cf[10089] is Issue Link custom field
jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
- name: Sync comment
if: github.event.action == 'created' && steps.search.outputs.issue
@ -77,11 +62,11 @@ jobs:
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: Done
transition: Close
- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "To Do"
transition: "Pending Triage"

5
CHANGELOG.md
View file

@ -1,5 +1,10 @@
## Unreleased
## 2.4.0 (October 21st, 2021)
Features:
* GitHub provided JWT auth is now supported [GH-257](https://github.com/hashicorp/vault-action/pull/257)
## 2.3.1 (August 23rd, 2021)
Improvements:

22
README.md
View file

@ -86,7 +86,28 @@ with:
githubToken: ${{ secrets.MY_GITHUB_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
```
- **jwt**: (Github OIDC) you must provide a `role` parameter, additionally you can pass `jwtGithubAudience` parameter.
```yaml
...
with:
url: https://vault.mycompany.com:8200
method: jwt
role: github-action
```
**Notice:** For Github provided OIDC token to work, the workflow should have `id-token: write` & `contents: read` specified in the `permissions` section of the workflow
```yaml
...
permissions:
id-token: write
contents: read
...
```
- **jwt**: you must provide a `role` & `jwtPrivateKey` parameters, additionally you can pass `jwtKeyPassword` & `jwtTtl` parameters
```yaml
...
with:
@ -278,6 +299,7 @@ Here are all the inputs available through `with`:
| `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | |
| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | |
| `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for |`sigstore`| |
| `jwtTtl` | Time in seconds, after which token expires | | 3600 |
| `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |

3
action.yml
View file

@ -69,6 +69,9 @@ inputs:
jwtKeyPassword:
description: 'Password for key stored in jwtPrivateKey (if needed)'
required: false
jwtGithubAudience:
description: 'Identifies the recipient ("aud" claim) that the JWT is intended for'
required: false
jwtTtl:
description: 'Time in seconds, after which token expires'
required: false

1378
dist/index.js vendored
View file

File diff suppressed because it is too large Load diff

112
integrationTests/basic/jwt_auth.test.js
View file

@ -1,7 +1,9 @@
jest.mock('@actions/core');
jest.mock('@actions/core/lib/command');
const core = require('@actions/core');
const rsasign = require('jsrsasign');
const {
privateRsaKey,
privateRsaKeyBase64,
publicRsaKey
} = require('./rsa_keys');
@ -13,6 +15,42 @@ const { exportSecrets } = require('../../src/action');
const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
/**
* Returns Github OIDC response mock
* @param {string} aud Audience claim
* @returns {string}
*/
function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action") {
const alg = 'RS256';
const header = { alg: alg, typ: 'JWT' };
const now = rsasign.KJUR.jws.IntDate.getNow();
const payload = {
jti: "unique-id",
sub: "repo:hashicorp/vault-action:ref:refs/heads/master",
aud,
ref: "refs/heads/master",
sha: "commit-sha",
repository: "hashicorp/vault-action",
repository_owner: "hashicorp",
run_id: "1",
run_number: "1",
run_attempt: "1",
actor: "github-username",
workflow: "Workflow Name",
head_ref: "",
base_ref: "",
event_name: "push",
ref_type: "branch",
job_workflow_ref: "hashicorp/vault-action/.github/workflows/workflow.yml@refs/heads/master",
iss: 'vault-action',
iat: now,
nbf: now,
exp: now + 3600,
};
const decryptedKey = rsasign.KEYUTIL.getKey(privateRsaKey);
return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
}
describe('jwt auth', () => {
beforeAll(async () => {
// Verify Connection
@ -94,6 +132,7 @@ describe('jwt auth', () => {
});
});
describe('authenticate with private key', () => {
beforeEach(() => {
jest.resetAllMocks();
@ -122,5 +161,78 @@ describe('jwt auth', () => {
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
});
});
describe('authenticate with Github OIDC', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action',
aud: 'sigstore',
},
user_claim: 'iss',
policies: ['reader']
}
});
})
beforeEach(() => {
jest.resetAllMocks();
when(core.getInput)
.calledWith('url')
.mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput)
.calledWith('method')
.mockReturnValueOnce('jwt');
when(core.getInput)
.calledWith('jwtPrivateKey')
.mockReturnValueOnce('');
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default');
when(core.getInput)
.calledWith('secrets')
.mockReturnValueOnce('secret/data/test secret');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(mockGithubOIDCResponse());
});
it('successfully authenticates', async () => {
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
});
it('successfully authenticates with `jwtGithubAudience` set to `sigstore`', async () => {
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default-sigstore');
when(core.getInput)
.calledWith('jwtGithubAudience')
.mockReturnValueOnce('sigstore');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(mockGithubOIDCResponse('sigstore'));
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
})
});
});

1
integrationTests/basic/rsa_keys.js
View file

@ -72,6 +72,7 @@ f52E9W2iFNt3sxB0KFtOkbkCAwEAAQ==
`;
module.exports = {
privateRsaKey,
privateRsaKeyBase64,
publicRsaKey
};

238
package-lock.json generated
View file

@ -14,7 +14,7 @@
"jsrsasign": "^10.1.10"
},
"devDependencies": {
"@actions/core": "^1.2.3",
"@actions/core": "^1.6.0",
"@types/got": "^9.6.11",
"@types/jest": "^26.0.13",
"@zeit/ncc": "^0.22.3",
@ -27,10 +27,22 @@
}
},
"node_modules/@actions/core": {
"version": "1.2.7",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.7.tgz",
"integrity": "sha512-kzLFD5BgEvq6ubcxdgPbRKGD2Qrgya/5j+wh4LZzqT915I0V3rED+MvjH6NXghbvk1MXknpNNQ3uKjXSEN00Ig==",
"dev": true
"version": "1.6.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
"integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
"dev": true,
"dependencies": {
"@actions/http-client": "^1.0.11"
}
},
"node_modules/@actions/http-client": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
"integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
"dev": true,
"dependencies": {
"tunnel": "0.0.6"
}
},
"node_modules/@babel/code-frame": {
"version": "7.5.5",
@ -5909,9 +5921,9 @@
}
},
"node_modules/glob-parent": {
"version": "5.1.2",
"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
"integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
"version": "5.1.1",
"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz",
"integrity": "sha512-FnI+VGOpnlGHWZxthPGR+QhR78fuiK0sNLkHQv+bL9fQi57lNNdquIbna/WrfROrolq8GK5Ek6BiMwqL/voRYQ==",
"dev": true,
"dependencies": {
"is-glob": "^4.0.1"
@ -12135,9 +12147,9 @@
}
},
"node_modules/npm": {
"version": "6.14.15",
"resolved": "https://registry.npmjs.org/npm/-/npm-6.14.15.tgz",
"integrity": "sha512-dkcQc4n+DiJAMYG2haNAMyJbmuvevjXz+WC9dCUzodw8EovwTIc6CATSsTEplCY6c0jG4OshxFGFJsrnKJguWA==",
"version": "6.14.9",
"resolved": "https://registry.npmjs.org/npm/-/npm-6.14.9.tgz",
"integrity": "sha512-yHi1+i9LyAZF1gAmgyYtVk+HdABlLy94PMIDoK1TRKWvmFQAt5z3bodqVwKvzY0s6dLqQPVsRLiwhJfNtiHeCg==",
"bundleDependencies": [
"abbrev",
"ansicolors",
@ -12295,13 +12307,13 @@
"glob": "^7.1.6",
"graceful-fs": "^4.2.4",
"has-unicode": "~2.0.1",
"hosted-git-info": "^2.8.9",
"hosted-git-info": "^2.8.8",
"iferr": "^1.0.2",
"imurmurhash": "*",
"infer-owner": "^1.0.4",
"inflight": "~1.0.6",
"inherits": "^2.0.4",
"ini": "^1.3.8",
"ini": "^1.3.5",
"init-package-json": "^1.10.3",
"is-cidr": "^3.0.0",
"json-parse-better-errors": "^1.0.2",
@ -12348,7 +12360,7 @@
"npm-user-validate": "^1.0.1",
"npmlog": "~4.1.2",
"once": "~1.4.0",
"opener": "^1.5.2",
"opener": "^1.5.1",
"osenv": "^0.1.5",
"pacote": "^9.5.12",
"path-is-inside": "~1.0.2",
@ -12372,9 +12384,9 @@
"slide": "~1.1.6",
"sorted-object": "~2.0.1",
"sorted-union-stream": "~2.1.3",
"ssri": "^6.0.2",
"ssri": "^6.0.1",
"stringify-package": "^1.0.1",
"tar": "^4.4.19",
"tar": "^4.4.13",
"text-table": "~0.2.0",
"tiny-relative-date": "^1.3.0",
"uid-number": "0.0.6",
@ -13893,12 +13905,6 @@
"inBundle": true,
"license": "ISC"
},
"node_modules/npm/node_modules/hosted-git-info": {
"version": "2.8.9",
"dev": true,
"inBundle": true,
"license": "ISC"
},
"node_modules/npm/node_modules/http-cache-semantics": {
"version": "3.8.1",
"dev": true,
@ -14025,12 +14031,6 @@
"inBundle": true,
"license": "ISC"
},
"node_modules/npm/node_modules/ini": {
"version": "1.3.8",
"dev": true,
"inBundle": true,
"license": "ISC"
},
"node_modules/npm/node_modules/init-package-json": {
"version": "1.10.3",
"dev": true,
@ -15129,7 +15129,7 @@
}
},
"node_modules/npm/node_modules/opener": {
"version": "1.5.2",
"version": "1.5.1",
"dev": true,
"inBundle": true,
"license": "(WTFPL OR MIT)",
@ -15305,12 +15305,6 @@
"node": ">=4"
}
},
"node_modules/npm/node_modules/path-parse": {
"version": "1.0.7",
"dev": true,
"inBundle": true,
"license": "MIT"
},
"node_modules/npm/node_modules/performance-now": {
"version": "2.1.0",
"dev": true,
@ -15955,7 +15949,7 @@
}
},
"node_modules/npm/node_modules/ssri": {
"version": "6.0.2",
"version": "6.0.1",
"dev": true,
"inBundle": true,
"license": "ISC",
@ -16129,18 +16123,18 @@
}
},
"node_modules/npm/node_modules/tar": {
"version": "4.4.19",
"version": "4.4.13",
"dev": true,
"inBundle": true,
"license": "ISC",
"dependencies": {
"chownr": "^1.1.4",
"fs-minipass": "^1.2.7",
"minipass": "^2.9.0",
"minizlib": "^1.3.3",
"mkdirp": "^0.5.5",
"safe-buffer": "^5.2.1",
"yallist": "^3.1.1"
"chownr": "^1.1.1",
"fs-minipass": "^1.2.5",
"minipass": "^2.8.6",
"minizlib": "^1.2.1",
"mkdirp": "^0.5.0",
"safe-buffer": "^5.1.2",
"yallist": "^3.0.3"
},
"engines": {
"node": ">=4.5"
@ -16156,32 +16150,6 @@
"yallist": "^3.0.0"
}
},
"node_modules/npm/node_modules/tar/node_modules/safe-buffer": {
"version": "5.2.1",
"dev": true,
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/feross"
},
{
"type": "patreon",
"url": "https://www.patreon.com/feross"
},
{
"type": "consulting",
"url": "https://feross.org/support"
}
],
"inBundle": true,
"license": "MIT"
},
"node_modules/npm/node_modules/tar/node_modules/yallist": {
"version": "3.1.1",
"dev": true,
"inBundle": true,
"license": "ISC"
},
"node_modules/npm/node_modules/term-size": {
"version": "1.2.0",
"dev": true,
@ -16635,7 +16603,7 @@
}
},
"node_modules/npm/node_modules/y18n": {
"version": "4.0.1",
"version": "4.0.0",
"dev": true,
"inBundle": true,
"license": "ISC"
@ -18955,9 +18923,9 @@
"dev": true
},
"node_modules/trim-newlines": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.1.tgz",
"integrity": "sha512-c1PTsA3tYrIsLGkJkzHF+w9F2EyxfXGo4UyJc4pFL++FMjnq0HJS69T3M7d//gKrFKwy429bouPescbjecU+Zw==",
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz",
"integrity": "sha512-C4+gOpvmxaSMKuEf9Qc134F1ZuOHVXKRbtEflf4NTtuuJDEIJ9p5PXsalL8SkeRw+qit1Mo+yuvMPAKwWg/1hA==",
"dev": true,
"engines": {
"node": ">=8"
@ -18972,6 +18940,15 @@
"node": ">=0.10.0"
}
},
"node_modules/tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
"dev": true,
"engines": {
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
}
},
"node_modules/tunnel-agent": {
"version": "0.6.0",
"resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
@ -19395,9 +19372,9 @@
}
},
"node_modules/ws": {
"version": "7.5.3",
"resolved": "https://registry.npmjs.org/ws/-/ws-7.5.3.tgz",
"integrity": "sha512-kQ/dHIzuLrS6Je9+uv81ueZomEwH0qVYstcAQ4/Z93K8zeko9gtAbttJWzoC5ukqXY1PpoouV3+VSOqEAFt5wg==",
"version": "7.4.1",
"resolved": "https://registry.npmjs.org/ws/-/ws-7.4.1.tgz",
"integrity": "sha512-pTsP8UAfhy3sk1lSk/O/s4tjD0CRwvMnzvwr4OKGX7ZvqZtUyx4KIJB5JWbkykPoc55tixMGgTNoh3k4FkNGFQ==",
"dev": true,
"engines": {
"node": ">=8.3.0"
@ -19562,10 +19539,22 @@
},
"dependencies": {
"@actions/core": {
"version": "1.2.7",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.7.tgz",
"integrity": "sha512-kzLFD5BgEvq6ubcxdgPbRKGD2Qrgya/5j+wh4LZzqT915I0V3rED+MvjH6NXghbvk1MXknpNNQ3uKjXSEN00Ig==",
"dev": true
"version": "1.6.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
"integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
"dev": true,
"requires": {
"@actions/http-client": "^1.0.11"
}
},
"@actions/http-client": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
"integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
"dev": true,
"requires": {
"tunnel": "0.0.6"
}
},
"@babel/code-frame": {
"version": "7.5.5",
@ -24255,9 +24244,9 @@
}
},
"glob-parent": {
"version": "5.1.2",
"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
"integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
"version": "5.1.1",
"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz",
"integrity": "sha512-FnI+VGOpnlGHWZxthPGR+QhR78fuiK0sNLkHQv+bL9fQi57lNNdquIbna/WrfROrolq8GK5Ek6BiMwqL/voRYQ==",
"dev": true,
"requires": {
"is-glob": "^4.0.1"
@ -29095,9 +29084,9 @@
"integrity": "sha512-9UZCFRHQdNrfTpGg8+1INIg93B6zE0aXMVFkw1WFwvO4SlZywU6aLg5Of0Ap/PgcbSw4LNxvMWXMeugwMCX0AA=="
},
"npm": {
"version": "6.14.15",
"resolved": "https://registry.npmjs.org/npm/-/npm-6.14.15.tgz",
"integrity": "sha512-dkcQc4n+DiJAMYG2haNAMyJbmuvevjXz+WC9dCUzodw8EovwTIc6CATSsTEplCY6c0jG4OshxFGFJsrnKJguWA==",
"version": "6.14.9",
"resolved": "https://registry.npmjs.org/npm/-/npm-6.14.9.tgz",
"integrity": "sha512-yHi1+i9LyAZF1gAmgyYtVk+HdABlLy94PMIDoK1TRKWvmFQAt5z3bodqVwKvzY0s6dLqQPVsRLiwhJfNtiHeCg==",
"dev": true,
"requires": {
"abbrev": "~1.1.1",
@ -29130,13 +29119,13 @@
"glob": "^7.1.6",
"graceful-fs": "^4.2.4",
"has-unicode": "~2.0.1",
"hosted-git-info": "^2.8.9",
"hosted-git-info": "^2.8.8",
"iferr": "^1.0.2",
"imurmurhash": "*",
"infer-owner": "^1.0.4",
"inflight": "~1.0.6",
"inherits": "^2.0.4",
"ini": "^1.3.8",
"ini": "^1.3.5",
"init-package-json": "^1.10.3",
"is-cidr": "^3.0.0",
"json-parse-better-errors": "^1.0.2",
@ -29183,7 +29172,7 @@
"npm-user-validate": "^1.0.1",
"npmlog": "~4.1.2",
"once": "~1.4.0",
"opener": "^1.5.2",
"opener": "^1.5.1",
"osenv": "^0.1.5",
"pacote": "^9.5.12",
"path-is-inside": "~1.0.2",
@ -29207,9 +29196,9 @@
"slide": "~1.1.6",
"sorted-object": "~2.0.1",
"sorted-union-stream": "~2.1.3",
"ssri": "^6.0.2",
"ssri": "^6.0.1",
"stringify-package": "^1.0.1",
"tar": "^4.4.19",
"tar": "^4.4.13",
"text-table": "~0.2.0",
"tiny-relative-date": "^1.3.0",
"uid-number": "0.0.6",
@ -30398,11 +30387,6 @@
"bundled": true,
"dev": true
},
"hosted-git-info": {
"version": "2.8.9",
"bundled": true,
"dev": true
},
"http-cache-semantics": {
"version": "3.8.1",
"bundled": true,
@ -30494,11 +30478,6 @@
"bundled": true,
"dev": true
},
"ini": {
"version": "1.3.8",
"bundled": true,
"dev": true
},
"init-package-json": {
"version": "1.10.3",
"bundled": true,
@ -31363,7 +31342,7 @@
}
},
"opener": {
"version": "1.5.2",
"version": "1.5.1",
"bundled": true,
"dev": true
},
@ -31504,11 +31483,6 @@
"bundled": true,
"dev": true
},
"path-parse": {
"version": "1.0.7",
"bundled": true,
"dev": true
},
"performance-now": {
"version": "2.1.0",
"bundled": true,
@ -32005,7 +31979,7 @@
}
},
"ssri": {
"version": "6.0.2",
"version": "6.0.1",
"bundled": true,
"dev": true,
"requires": {
@ -32140,17 +32114,17 @@
}
},
"tar": {
"version": "4.4.19",
"version": "4.4.13",
"bundled": true,
"dev": true,
"requires": {
"chownr": "^1.1.4",
"fs-minipass": "^1.2.7",
"minipass": "^2.9.0",
"minizlib": "^1.3.3",
"mkdirp": "^0.5.5",
"safe-buffer": "^5.2.1",
"yallist": "^3.1.1"
"chownr": "^1.1.1",
"fs-minipass": "^1.2.5",
"minipass": "^2.8.6",
"minizlib": "^1.2.1",
"mkdirp": "^0.5.0",
"safe-buffer": "^5.1.2",
"yallist": "^3.0.3"
},
"dependencies": {
"minipass": {
@ -32161,16 +32135,6 @@
"safe-buffer": "^5.1.2",
"yallist": "^3.0.0"
}
},
"safe-buffer": {
"version": "5.2.1",
"bundled": true,
"dev": true
},
"yallist": {
"version": "3.1.1",
"bundled": true,
"dev": true
}
}
},
@ -32520,7 +32484,7 @@
"dev": true
},
"y18n": {
"version": "4.0.1",
"version": "4.0.0",
"bundled": true,
"dev": true
},
@ -34336,9 +34300,9 @@
"dev": true
},
"trim-newlines": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.1.tgz",
"integrity": "sha512-c1PTsA3tYrIsLGkJkzHF+w9F2EyxfXGo4UyJc4pFL++FMjnq0HJS69T3M7d//gKrFKwy429bouPescbjecU+Zw==",
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz",
"integrity": "sha512-C4+gOpvmxaSMKuEf9Qc134F1ZuOHVXKRbtEflf4NTtuuJDEIJ9p5PXsalL8SkeRw+qit1Mo+yuvMPAKwWg/1hA==",
"dev": true
},
"trim-off-newlines": {
@ -34347,6 +34311,12 @@
"integrity": "sha1-n5up2e+odkw4dpi8v+sshI8RrbM=",
"dev": true
},
"tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
"dev": true
},
"tunnel-agent": {
"version": "0.6.0",
"resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
@ -34693,9 +34663,9 @@
}
},
"ws": {
"version": "7.5.3",
"resolved": "https://registry.npmjs.org/ws/-/ws-7.5.3.tgz",
"integrity": "sha512-kQ/dHIzuLrS6Je9+uv81ueZomEwH0qVYstcAQ4/Z93K8zeko9gtAbttJWzoC5ukqXY1PpoouV3+VSOqEAFt5wg==",
"version": "7.4.1",
"resolved": "https://registry.npmjs.org/ws/-/ws-7.4.1.tgz",
"integrity": "sha512-pTsP8UAfhy3sk1lSk/O/s4tjD0CRwvMnzvwr4OKGX7ZvqZtUyx4KIJB5JWbkykPoc55tixMGgTNoh3k4FkNGFQ==",
"dev": true,
"requires": {}
},

2
package.json
View file

@ -52,7 +52,7 @@
"@actions/core": ">=1 <2"
},
"devDependencies": {
"@actions/core": "^1.2.3",
"@actions/core": "^1.6.0",
"@types/got": "^9.6.11",
"@types/jest": "^26.0.13",
"@zeit/ncc": "^0.22.3",

13
src/auth.js
View file

@ -23,12 +23,21 @@ async function retrieveToken(method, client) {
return await getClientToken(client, method, path, { token: githubToken });
}
case 'jwt': {
/** @type {string} */
let jwt;
const role = core.getInput('role', { required: true });
const privateKeyRaw = core.getInput('jwtPrivateKey', { required: true });
const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
const keyPassword = core.getInput('jwtKeyPassword', { required: false });
const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
const githubAudience = core.getInput('jwtGithubAudience', { required: false });
if (!privateKey) {
jwt = await core.getIDToken(githubAudience)
} else {
jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
}
return await getClientToken(client, method, path, { jwt: jwt, role: role });
}
case 'kubernetes': {