Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: improve permission error for provenance #6226

Merged
merged 1 commit into from Mar 8, 2023
Merged

fix: improve permission error for provenance #6226

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 11 additions & 3 deletions workspaces/libnpmpublish/lib/publish.js
View file
Open in desktop
Expand Up @@ -141,15 +141,23 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
digest: { sha512: integrity.sha512[0].hexDigest() },
}

// Ensure that we're running in GHA and an OIDC token is available,
// currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions' || !process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
// Ensure that we're running in GHA, currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions') {
throw Object.assign(
new Error('Automatic provenance generation not supported outside of GitHub Actions'),
{ code: 'EUSAGE' }
)
}

// Ensure that the GHA OIDC token is available
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
throw Object.assign(
/* eslint-disable-next-line max-len */
new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'),
{ code: 'EUSAGE' }
)
}

const visibility =
await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
if (!visibility.public && opts.provenance === true && opts.access !== 'public') {
Expand Down
30 changes: 29 additions & 1 deletion workspaces/libnpmpublish/test/publish.js
View file
Open in desktop
Expand Up @@ -784,7 +784,7 @@ t.test('automatic provenance in unsupported environment', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that setting this to false still causes ciInfo.name to evaluate to "GITHUB_ACTIONS". To properly simulate NOT running in GitHub Actions, this needs to be undefined.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes, I guess it would be very surprising if this env var was set to anything on some other platform?

},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
Expand All @@ -806,3 +806,31 @@ t.test('automatic provenance in unsupported environment', async t => {
}
)
})

t.test('automatic provenance with incorrect permissions', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: true,
ACTIONS_ID_TOKEN_REQUEST_URL: undefined,
},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
const manifest = {
name: '@npmcli/libnpmpublish-test',
version: '1.0.0',
description: 'test libnpmpublish package',
}

await t.rejects(
publish(manifest, Buffer.from(''), {
...opts,
access: null,
provenance: true,
}),
{
message: /requires "write" access/,
code: 'EUSAGE',
}
)
})