Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: improve permission error for provenance #6226

Merged
merged 1 commit into from
Mar 8, 2023

Conversation

bdehamer
Copy link
Contributor

@bdehamer bdehamer commented Mar 7, 2023

Improves the error message returned when a user attempts to generate a provenance statement on publish but has not set the correct perissions in the GitHub Actions workflow.

Improves the error messaging if the user attempts to publish a package w/ provenance but has NOT set the necessary token permissions to create an OIDC token.

Currently, if the user omits the id-token: write permission, the error message reads:

Automatic provenance generation not supported outside of GitHub Actions

This is potentially confusing given that it may actually be running in GitHub Actions, just with incorrect permissions.

This change separates the CI == 'GitHub Actions' check from the ACTIONS_ID_TOKEN_REQUEST_URL check so we can provide more specific error messages in the two cases.

The new error message reads:

Provenance generation in GitHub Actions requires "write" access to the "id-token" permission

Improves the error message returned when a user attempts to generate a
provenance statement on publish but has not set the correct perissions
in the GitHub Actions workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer requested a review from a team as a code owner March 7, 2023 20:28
@bdehamer bdehamer requested review from nlf and removed request for a team March 7, 2023 20:28
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that setting this to false still causes ciInfo.name to evaluate to "GITHUB_ACTIONS". To properly simulate NOT running in GitHub Actions, this needs to be undefined.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes, I guess it would be very surprising if this env var was set to anything on some other platform?

@bdehamer bdehamer requested a review from feelepxyz March 7, 2023 20:38
Copy link
Contributor

@feelepxyz feelepxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@lukekarrys lukekarrys merged commit 26cbe99 into latest Mar 8, 2023
@lukekarrys lukekarrys deleted the bdehamer/provenance-oidc-error branch March 8, 2023 17:49
@github-actions github-actions bot mentioned this pull request Mar 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants