diff --git a/.gitignore b/.gitignore
index b443287..35c13ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .env
 coverage
 node_modules/
+.vscode
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..97da669
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+ "cSpell.words": [
+ "lepadatu"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index a52ff32..d6826e6 100644
--- a/README.md
+++ b/README.md
@@ -8,8 +8,13 @@ In the vanilla action, the runner has direct access to sensitive information (i.
 This action mitigates this risk by importing the sensitive information in a very secure location (AWS KMS) which does not allow the retrieval of the sensitive information.
- >[!IMPORTANT]
- >Neither this action, nor AWS is responsible for securing access to your AWS account. See the [shared responsibility model](https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/shared-responsibility-model.html). It is highly advised to use temporary AWS credentials scoped to the least privilege when accessing AWS API in order to sign the JWT token.
+ >[!IMPORTANT]
+ >
+ >Neither this action, nor AWS is responsible for securing access to your AWS account. See the [shared responsibility model](https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/shared-responsibility-model.html).
+ >
+ >It is highly advised to use temporary AWS credentials scoped to the least privilege when accessing AWS API in order to sign the JWT token.
+ >
+ >Using AWS KMS will generate extra costs in your AWS bill.
 ## Usage
diff --git a/package-lock.json b/package-lock.json
index df2843e..404a4cf 100644
--- a/package-lock.json
+++ b/package-lock.json
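Review bot: `.vscode` is added to .gitignore in the same commit that starts tracking `.vscode/settings.json`, so the two hunks contradict each other: the file stays tracked because the ignore rule only affects untracked paths, but any further file under `.vscode/` will be silently skipped by `git add`, and other contributors' editor settings will never be noticed. The committed file only carries a single cSpell dictionary word, which is a personal editor preference rather than project configuration. Either drop the new `.vscode/settings.json` and keep the ignore rule, or keep the file and narrow the rule to `.vscode/*` followed by `!.vscode/settings.json`.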
@@ -1257,68 +1257,6 @@ "node": ">= 8" } }, - "node_modules/@octokit/auth-app": { - "version": "7.1.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-7.1.0.tgz", - "integrity": "sha512-cazGaJPSgeZ8NkVYeM/C5l/6IQ5vZnsI8p1aMucadCkt/bndI+q+VqwrlnWbASRmenjOkf1t1RpCKrif53U8gw==", - "dependencies": { - "@octokit/auth-oauth-app": "^8.1.0", - "@octokit/auth-oauth-user": "^5.1.0", - "@octokit/request": "^9.1.1", - "@octokit/request-error": "^6.1.1", - "@octokit/types": "^13.4.1", - "lru-cache": "^10.0.0", - "universal-github-app-jwt": "^2.2.0", - "universal-user-agent": "^7.0.0" - }, - "engines": { - "node": ">= 18" - } - }, - "node_modules/@octokit/auth-oauth-app": { - "version": "8.1.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz", - "integrity": "sha512-5UtmxXAvU2wfcHIPPDWzVSAWXVJzG3NWsxb7zCFplCWEmMCArSZV0UQu5jw5goLQXbFyOr5onzEH37UJB3zQQg==", - "dependencies": { - "@octokit/auth-oauth-device": "^7.0.0", - "@octokit/auth-oauth-user": "^5.0.1", - "@octokit/request": "^9.0.0", - "@octokit/types": "^13.0.0", - "universal-user-agent": "^7.0.0" - }, - "engines": { - "node": ">= 18" - } - }, - "node_modules/@octokit/auth-oauth-device": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz", - "integrity": "sha512-HWl8lYueHonuyjrKKIup/1tiy0xcmQCdq5ikvMO1YwkNNkxb6DXfrPjrMYItNLyCP/o2H87WuijuE+SlBTT8eg==", - "dependencies": { - "@octokit/oauth-methods": "^5.0.0", - "@octokit/request": "^9.0.0", - "@octokit/types": "^13.0.0", - "universal-user-agent": "^7.0.0" - }, - "engines": { - "node": ">= 18" - } - }, - "node_modules/@octokit/auth-oauth-user": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz", - "integrity": "sha512-rRkMz0ErOppdvEfnemHJXgZ9vTPhBuC6yASeFaB7I2yLMd7QpjfrL1mnvRPlyKo+M6eeLxrKanXJ9Qte29SRsw==", - "dependencies": { - "@octokit/auth-oauth-device": "^7.0.1", - 
"@octokit/oauth-methods": "^5.0.0", - "@octokit/request": "^9.0.1", - "@octokit/types": "^13.0.0", - "universal-user-agent": "^7.0.0" - }, - "engines": { - "node": ">= 18" - } - }, "node_modules/@octokit/endpoint": { "version": "10.1.1", "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz", @@ -1331,28 +1269,6 @@ "node": ">= 18" } }, - "node_modules/@octokit/oauth-authorization-url": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz", - "integrity": "sha512-ooXV8GBSabSWyhLUowlMIVd9l1s2nsOGQdlP2SQ4LnkEsGXzeCvbSbCPdZThXhEFzleGPwbapT0Sb+YhXRyjCA==", - "engines": { - "node": ">= 18" - } - }, - "node_modules/@octokit/oauth-methods": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-5.1.2.tgz", - "integrity": "sha512-C5lglRD+sBlbrhCUTxgJAFjWgJlmTx5bQ7Ch0+2uqRjYv7Cfb5xpX4WuSC9UgQna3sqRGBL9EImX9PvTpMaQ7g==", - "dependencies": { - "@octokit/oauth-authorization-url": "^7.0.0", - "@octokit/request": "^9.1.0", - "@octokit/request-error": "^6.1.0", - "@octokit/types": "^13.0.0" - }, - "engines": { - "node": ">= 18" - } - }, "node_modules/@octokit/openapi-types": { "version": "22.2.0", "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz", @@ -3711,6 +3627,7 @@ "version": "10.2.2", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz", "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==", + "dev": true, "engines": { "node": "14 || >=16.14" } 
@@ -4977,11 +4894,6 @@
 "url": "https://github.com/sponsors/sindresorhus"
 }
 },
- "node_modules/universal-github-app-jwt": {
- "version": "2.2.0",
- "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-2.2.0.tgz",
- "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
- },
 "node_modules/universal-user-agent": {
 "version": "7.0.2",
 "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
diff --git a/package.json b/package.json
index 31e60ec..a42090f 100644
--- a/package.json
+++ b/package.json
@@ -50,5 +50,11 @@
 }
 ]
 ]
- }
+ },
+ "main": "main.js",
+ "directories": {
+ "lib": "lib",
+ "test": "tests"
+ },
+ "author": ""
 }
diff --git a/tests/main-missing-kms-key-id.test.js b/tests/main-missing-kms-key-id.test.js
index 102ea85..d96dc38 100644
--- a/tests/main-missing-kms-key-id.test.js
+++ b/tests/main-missing-kms-key-id.test.js
@@ -1,5 +1,5 @@
-process.env.GITHUB_REPOSITORY_OWNER = "lepadatu-org";
-process.env.GITHUB_REPOSITORY = "lepadatu-org/create-github-app-token-aws";
+process.env.GITHUB_REPOSITORY_OWNER = "lepadatu-actions";
+process.env.GITHUB_REPOSITORY = "lepadatu-actions/create-github-app-token-aws";
 process.env["INPUT_APP-ID"] = "123456";
 // Verify `main` exits with an error when neither the `kms-key-id` nor `kms_key_id` input is set.
diff --git a/tests/main-token-get-installation-access-token-fail-response.test.js b/tests/main-token-get-installation-access-token-fail-response.test.js
index 26a0445..4b3f9cf 100644
--- a/tests/main-token-get-installation-access-token-fail-response.test.js
+++ b/tests/main-token-get-installation-access-token-fail-response.test.js
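Review bot: The keys appended at the end of package.json read as `npm init` scaffolding rather than deliberate metadata: `"author": ""` is empty and `"directories"` is informational only for npm, so either fill in `author` or drop both and keep just `"main": "main.js"`, and only if a root `main.js` actually exists (the diff does not show it; the tests reference `tests/main.js`). Separately, the package-lock.json hunks in this commit remove `@octokit/auth-app`, the `@octokit/auth-oauth-*` and `@octokit/oauth-*` packages and `universal-github-app-jwt`, and mark `lru-cache` as dev-only, yet no change to the `dependencies` section of package.json is visible here. If those packages were already dropped from the manifest in an earlier commit, the lockfile was out of sync until now and the commit message should say so; if they were not, the manifest and lockfile now disagree and `npm ci` will fail.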
@@ -11,7 +11,7 @@ await test((mockPool) => {
 method: "POST",
 headers: {
 accept: "application/vnd.github.v3+json",
- "user-agent": "lepadatu-org/create-github-app-token-aws",
+ "user-agent": "lepadatu-actions/create-github-app-token-aws",
 // Intentionally omitting the `authorization` header.
 },
 })
diff --git a/tests/main.js b/tests/main.js
index 174bb5f..082aebf 100644
--- a/tests/main.js
+++ b/tests/main.js
@@ -3,8 +3,8 @@ import { MockAgent, setGlobalDispatcher } from "undici";
 export const DEFAULT_ENV = {
- GITHUB_REPOSITORY_OWNER: "lepadatu-org",
- GITHUB_REPOSITORY: "lepadatu-org/create-github-app-token-aws",
+ GITHUB_REPOSITORY_OWNER: "lepadatu-actions",
+ GITHUB_REPOSITORY: "lepadatu-actions/create-github-app-token-aws",
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 "INPUT_GITHUB-API-URL": "https://api.github.com",
diff --git a/tests/snapshots/index.js.md b/tests/snapshots/index.js.md
index 6ca43bf..b8c5150 100644
--- a/tests/snapshots/index.js.md
+++ b/tests/snapshots/index.js.md
@@ -24,7 +24,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `owner and repositories set, creating token for repositories "lepadatu-org/create-github-app-token-aws" owned by "lepadatu-org"␊
+ `owner and repositories set, creating token for repositories "lepadatu-actions/create-github-app-token-aws" owned by "lepadatu-actions"␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -93,7 +93,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `owner and repositories set, creating token for repositories "lepadatu-org/create-github-app-token-aws" owned by "lepadatu-org"␊
+ `owner and repositories set, creating token for repositories "lepadatu-actions/create-github-app-token-aws" owned by "lepadatu-actions"␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -132,7 +132,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `owner and repositories set, creating token for repositories "lepadatu-org/create-github-app-token-aws,actions/toolkit" owned by "lepadatu-org"␊
+ `owner and repositories set, creating token for repositories "lepadatu-actions/create-github-app-token-aws,actions/toolkit" owned by "lepadatu-actions"␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -151,7 +151,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `owner and repositories set, creating token for repositories "lepadatu-org/create-github-app-token-aws" owned by "lepadatu-org"␊
+ `owner and repositories set, creating token for repositories "lepadatu-actions/create-github-app-token-aws" owned by "lepadatu-actions"␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -170,7 +170,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `repositories not set, creating token for all repositories for given owner "lepadatu-org"␊
+ `repositories not set, creating token for all repositories for given owner "lepadatu-actions"␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -228,7 +228,7 @@ Generated by [AVA](https://avajs.dev).
 > stdout
- `owner not set, creating owner for given repositories "lepadatu-org/create-github-app-token-aws" in current owner ("lepadatu-org")␊
+ `owner not set, creating owner for given repositories "lepadatu-actions/create-github-app-token-aws" in current owner ("lepadatu-actions")␊
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
 ␊
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
diff --git a/tests/snapshots/index.js.snap b/tests/snapshots/index.js.snap
index 6411d87..db02ead 100644
Binary files a/tests/snapshots/index.js.snap and b/tests/snapshots/index.js.snap differ