From 26cbe9912a1b5f6c16bbc5121435037ef691b6c3 Mon Sep 17 00:00:00 2001
From: Brian DeHamer <bdehamer@github.com>
Date: Wed, 8 Mar 2023 09:49:01 -0800
Subject: [PATCH] fix: improve permission error for provenance (#6226)

Improves the error message returned when a user attempts to generate a
provenance statement on publish but has not set the correct perissions
in the GitHub Actions workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
---
 workspaces/libnpmpublish/lib/publish.js  | 14 ++++++++---
 workspaces/libnpmpublish/test/publish.js | 30 +++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/workspaces/libnpmpublish/lib/publish.js b/workspaces/libnpmpublish/lib/publish.js
index 353688a10eac1..3f70a30bd8b50 100644
--- a/workspaces/libnpmpublish/lib/publish.js
+++ b/workspaces/libnpmpublish/lib/publish.js
@@ -141,15 +141,23 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
       digest: { sha512: integrity.sha512[0].hexDigest() },
     }
 
-    // Ensure that we're running in GHA and an OIDC token is available,
-    // currently the only supported build environment
-    if (ciInfo.name !== 'GitHub Actions' || !process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+    // Ensure that we're running in GHA, currently the only supported build environment
+    if (ciInfo.name !== 'GitHub Actions') {
       throw Object.assign(
         new Error('Automatic provenance generation not supported outside of GitHub Actions'),
         { code: 'EUSAGE' }
       )
     }
 
+    // Ensure that the GHA OIDC token is available
+    if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+      throw Object.assign(
+        /* eslint-disable-next-line max-len */
+        new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'),
+        { code: 'EUSAGE' }
+      )
+    }
+
     const visibility =
       await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
     if (!visibility.public && opts.provenance === true && opts.access !== 'public') {
diff --git a/workspaces/libnpmpublish/test/publish.js b/workspaces/libnpmpublish/test/publish.js
index 6daaeefc2c61b..d64952c189403 100644
--- a/workspaces/libnpmpublish/test/publish.js
+++ b/workspaces/libnpmpublish/test/publish.js
@@ -784,7 +784,7 @@ t.test('automatic provenance in unsupported environment', async t => {
   mockGlobals(t, {
     'process.env': {
       CI: false,
-      GITHUB_ACTIONS: false,
+      GITHUB_ACTIONS: undefined,
     },
   })
   const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
@@ -806,3 +806,31 @@ t.test('automatic provenance in unsupported environment', async t => {
     }
   )
 })
+
+t.test('automatic provenance with incorrect permissions', async t => {
+  mockGlobals(t, {
+    'process.env': {
+      CI: false,
+      GITHUB_ACTIONS: true,
+      ACTIONS_ID_TOKEN_REQUEST_URL: undefined,
+    },
+  })
+  const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') })
+  const manifest = {
+    name: '@npmcli/libnpmpublish-test',
+    version: '1.0.0',
+    description: 'test libnpmpublish package',
+  }
+
+  await t.rejects(
+    publish(manifest, Buffer.from(''), {
+      ...opts,
+      access: null,
+      provenance: true,
+    }),
+    {
+      message: /requires "write" access/,
+      code: 'EUSAGE',
+    }
+  )
+})