feat: added OIDC (#262)

* feat: OIDC provider (with PR comments) * chore: Bump jest from 27.2.1 to 27.2.2 (#267) Bumps [jest](https://github.com/facebook/jest) from 27.2.1 to 27.2.2. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/jest/compare/v27.2.1...v27.2.2) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Bump ansi-regex from 5.0.0 to 5.0.1 (#269) Bumps [ansi-regex](https://github.com/chalk/ansi-regex) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/chalk/ansi-regex/releases) - [Commits](https://github.com/chalk/ansi-regex/compare/v5.0.0...v5.0.1) --- updated-dependencies: - dependency-name: ansi-regex dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Bump aws-sdk from 2.991.0 to 2.996.0 (#268) Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.991.0 to 2.996.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js/compare/v2.991.0...v2.996.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * chore: Update dist * feat: OIDC provider (with PR comments) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Co-authored-by: GitHub Actions <runner@fv-az209-487.sst5i0nymnhu5a1lxus1lxbvub.xx.internal.cloudapp.net>
2026-03-12 18:07:10 -04:00 · 2021-09-28 14:30:32 -04:00
parent ef6880f4e4
commit b8c74de753
6 changed files with 4352 additions and 172 deletions
--- a/index.test.js
+++ b/index.test.js
@@ -2,8 +2,10 @@ const core = require('@actions/core');
 const assert = require('assert');
 const aws = require('aws-sdk');
 const run = require('./index.js');
+const axios = require('axios');

 jest.mock('@actions/core');
+jest.mock("axios");

 const FAKE_ACCESS_KEY_ID = 'MY-AWS-ACCESS-KEY-ID';
 const FAKE_SECRET_ACCESS_KEY = 'MY-AWS-SECRET-ACCESS-KEY';
@@ -71,6 +73,11 @@ jest.mock('fs', () => {
    };
 });

+
+jest.mock('axios', () => ({
+  get: jest.fn(() => Promise.resolve({ data: { value: "testtoken" }})),
+}));
+
 describe('Configure AWS Credentials', () => {
    const OLD_ENV = process.env;

@@ -561,6 +568,47 @@ describe('Configure AWS Credentials', () => {
        })
    });

+    test('only role arn and region provided to use GH OIDC Token', async () => {
+        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
+        process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
+        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
+        core.getInput = jest
+            .fn()
+            .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION}));
+
+        await run();
+        expect(mockStsAssumeRoleWithWebIdentity).toHaveBeenCalledWith({
+            RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE',
+            RoleSessionName: 'GitHubActions',
+            DurationSeconds: 3600,
+            WebIdentityToken: 'testtoken'
+        });
+        expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_STS_ACCESS_KEY_ID);
+        expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_STS_SECRET_ACCESS_KEY);
+        expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_STS_SESSION_TOKEN);
+    });
+
+    test('GH OIDC With custom role duration', async () => {
+        const CUSTOM_ROLE_DURATION = 1234;
+        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
+        process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
+        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
+        core.getInput = jest
+            .fn()
+            .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'role-duration-seconds': CUSTOM_ROLE_DURATION}));
+
+        await run();
+        expect(mockStsAssumeRoleWithWebIdentity).toHaveBeenCalledWith({
+            RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE',
+            RoleSessionName: 'GitHubActions',
+            DurationSeconds: CUSTOM_ROLE_DURATION,
+            WebIdentityToken: 'testtoken'
+        });
+        expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_STS_ACCESS_KEY_ID);
+        expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_STS_SECRET_ACCESS_KEY);
+        expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_STS_SESSION_TOKEN);
+    });
+
    test('role external ID provided', async () => {
        core.getInput = jest
            .fn()