Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: improve permission error for provenance #6226

Merged
merged 1 commit into from
Mar 8, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions workspaces/libnpmpublish/lib/publish.js
Original file line number Diff line number Diff line change
Expand Up @@ -141,15 +141,23 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
digest: { sha512: integrity.sha512[0].hexDigest() },
}

// Ensure that we're running in GHA and an OIDC token is available,
// currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions' || !process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
// Ensure that we're running in GHA, currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions') {
throw Object.assign(
new Error('Automatic provenance generation not supported outside of GitHub Actions'),
{ code: 'EUSAGE' }
)
}

// Ensure that the GHA OIDC token is available
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
throw Object.assign(
/* eslint-disable-next-line max-len */
new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'),
{ code: 'EUSAGE' }
)
}

const visibility =
await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
if (!visibility.public && opts.provenance === true && opts.access !== 'public') {
Expand Down
30 changes: 29 additions & 1 deletion workspaces/libnpmpublish/test/publish.js
Original file line number Diff line number Diff line change
Expand Up @@ -784,7 +784,7 @@ t.test('automatic provenance in unsupported environment', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that setting this to false still causes ciInfo.name to evaluate to "GITHUB_ACTIONS". To properly simulate NOT running in GitHub Actions, this needs to be undefined.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes, I guess it would be very surprising if this env var was set to anything on some other platform?

},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
Expand All @@ -806,3 +806,31 @@ t.test('automatic provenance in unsupported environment', async t => {
}
)
})

t.test('automatic provenance with incorrect permissions', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: true,
ACTIONS_ID_TOKEN_REQUEST_URL: undefined,
},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
const manifest = {
name: '@npmcli/libnpmpublish-test',
version: '1.0.0',
description: 'test libnpmpublish package',
}

await t.rejects(
publish(manifest, Buffer.from(''), {
...opts,
access: null,
provenance: true,
}),
{
message: /requires "write" access/,
code: 'EUSAGE',
}
)
})