Skip to content

Commit

Permalink
fix: improve permission error for provenance (#6226)
Browse files Browse the repository at this point in the history
Improves the error message returned when a user attempts to generate a
provenance statement on publish but has not set the correct perissions
in the GitHub Actions workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
  • Loading branch information
bdehamer authored Mar 8, 2023
1 parent 8a78c6f commit 26cbe99
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 4 deletions.
14 changes: 11 additions & 3 deletions workspaces/libnpmpublish/lib/publish.js
Original file line number Diff line number Diff line change
Expand Up @@ -141,15 +141,23 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
digest: { sha512: integrity.sha512[0].hexDigest() },
}

// Ensure that we're running in GHA and an OIDC token is available,
// currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions' || !process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
// Ensure that we're running in GHA, currently the only supported build environment
if (ciInfo.name !== 'GitHub Actions') {
throw Object.assign(
new Error('Automatic provenance generation not supported outside of GitHub Actions'),
{ code: 'EUSAGE' }
)
}

// Ensure that the GHA OIDC token is available
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
throw Object.assign(
/* eslint-disable-next-line max-len */
new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'),
{ code: 'EUSAGE' }
)
}

const visibility =
await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
if (!visibility.public && opts.provenance === true && opts.access !== 'public') {
Expand Down
30 changes: 29 additions & 1 deletion workspaces/libnpmpublish/test/publish.js
Original file line number Diff line number Diff line change
Expand Up @@ -784,7 +784,7 @@ t.test('automatic provenance in unsupported environment', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
Expand All @@ -806,3 +806,31 @@ t.test('automatic provenance in unsupported environment', async t => {
}
)
})

t.test('automatic provenance with incorrect permissions', async t => {
mockGlobals(t, {
'process.env': {
CI: false,
GITHUB_ACTIONS: true,
ACTIONS_ID_TOKEN_REQUEST_URL: undefined,
},
})
const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
const manifest = {
name: '@npmcli/libnpmpublish-test',
version: '1.0.0',
description: 'test libnpmpublish package',
}

await t.rejects(
publish(manifest, Buffer.from(''), {
...opts,
access: null,
provenance: true,
}),
{
message: /requires "write" access/,
code: 'EUSAGE',
}
)
})

0 comments on commit 26cbe99

Please # to comment.