
fix: improve permission error for provenance #6226

Merged
merged 1 commit into from Mar 8, 2023

Conversation

bdehamer
Contributor

@bdehamer bdehamer commented Mar 7, 2023

Improves the error message returned when a user attempts to generate a provenance statement on publish but has not set the correct permissions in the GitHub Actions workflow.

Improves the error messaging if the user attempts to publish a package w/ provenance but has NOT set the necessary token permissions to create an OIDC token.

Currently, if the user omits the id-token: write permission, the error message reads:

Automatic provenance generation not supported outside of GitHub Actions

This is potentially confusing given that it may actually be running in GitHub Actions, just with incorrect permissions.

This change separates the CI == 'GitHub Actions' check from the ACTIONS_ID_TOKEN_REQUEST_URL check so we can provide more specific error messages in the two cases.

The new error message reads:

Provenance generation in GitHub Actions requires "write" access to the "id-token" permission

Improves the error message returned when a user attempts to generate a
provenance statement on publish but has not set the correct permissions
in the GitHub Actions workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
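The two-stage check the PR describes, written out as an added illustration (not npm's own code): the first stage decides whether the process is running in GitHub Actions at all, the second whether the job was granted the OIDC token permission, and each failure gets the message quoted above. The function name `checkProvenanceEnv` and the sample environments are assumptions made for this example; npm itself detects the CI provider through a library rather than by reading the variable directly.

```javascript
// Added illustration, not npm's own code: separate "not running in GitHub
// Actions" from "running in GitHub Actions without id-token: write".
// Function and sample names are assumptions for this example.

const NOT_IN_ACTIONS =
  'Automatic provenance generation not supported outside of GitHub Actions'
const MISSING_ID_TOKEN =
  'Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'

// Returns { ok: true } when provenance can be generated, otherwise
// { ok: false, message } with the message the user should see.
function checkProvenanceEnv (env = process.env) {
  // Stage 1: are we in GitHub Actions at all? Check presence, not truthiness:
  // as the review thread notes, a value of "false" still counts as Actions,
  // so only an unset variable means "not in GitHub Actions".
  const inActions = env.GITHUB_ACTIONS !== undefined
  if (!inActions) {
    return { ok: false, message: NOT_IN_ACTIONS }
  }

  // Stage 2: the runner injects ACTIONS_ID_TOKEN_REQUEST_URL only when the
  // job grants id-token: write, so its absence means the permission is missing.
  if (!env.ACTIONS_ID_TOKEN_REQUEST_URL) {
    return { ok: false, message: MISSING_ID_TOKEN }
  }

  return { ok: true }
}

// Constructed sample environments (placeholder values, not real runner data).
const SAMPLE_ENVS = {
  local: {},
  actionsNoPermission: { GITHUB_ACTIONS: 'true' },
  actionsWithPermission: {
    GITHUB_ACTIONS: 'true',
    ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/oidc/token'
  }
}

for (const [name, env] of Object.entries(SAMPLE_ENVS)) {
  const result = checkProvenanceEnv(env)
  console.log(name + ': ' + (result.ok ? 'ok' : result.message))
}
```

The presence check in stage 1 is the detail the review thread turned on: a fixture that sets `GITHUB_ACTIONS` to `false` still looks like GitHub Actions to the first stage, so a test that wants to simulate a non-Actions environment has to leave the variable undefined.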
@bdehamer bdehamer requested a review from a team as a code owner March 7, 2023 20:28
@bdehamer bdehamer requested review from nlf and removed request for a team March 7, 2023 20:28
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
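Review bot: the fixture line `GITHUB_ACTIONS: undefined,` would benefit from an inline comment explaining why `false` is not sufficient; without it, a later edit could plausibly switch it back to `false` on the assumption that a false value means "not running in GitHub Actions", and the test would silently stop exercising the non-Actions branch.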
Contributor Author


Turns out that setting this to false still causes ciInfo.name to evaluate to "GITHUB_ACTIONS". To properly simulate NOT running in GitHub Actions, this needs to be undefined.

Member


ah yes, I guess it would be very surprising if this env var was set to anything on some other platform?

@bdehamer bdehamer requested a review from feelepxyz March 7, 2023 20:38
Member

@feelepxyz feelepxyz left a comment


LGTM 👍

@lukekarrys lukekarrys merged commit 26cbe99 into latest Mar 8, 2023
22 checks passed
@lukekarrys lukekarrys deleted the bdehamer/provenance-oidc-error branch March 8, 2023 17:49
@github-actions github-actions bot mentioned this pull request Mar 8, 2023