From 81eeb79078c8e517ec38212fcdb3cf0a5653bcc3 Mon Sep 17 00:00:00 2001 From: delarea Date: Tue, 19 Aug 2025 17:07:32 +0300 Subject: [PATCH 1/8] export vars --- lib/evidence-collection.js | 7 +++---- lib/utils.js | 10 +++++++++- src/utils.ts | 10 ++++++++++ 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/lib/evidence-collection.js b/lib/evidence-collection.js index 0b909de7d..0ea62b953 100644 --- a/lib/evidence-collection.js +++ b/lib/evidence-collection.js @@ -116,11 +116,11 @@ function getEvidenceConfiguration() { } catch (error) { core.warning(`Failed to get evidence configuration (network error or server unavailable): ${error}`); - return {external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0}; + return { external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0 }; } if (response.message.statusCode !== 200) { core.warning(`Failed to get evidence configuration. Status: ${response.message.statusCode}, Response: ${body}`); - return {external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0}; + return { external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0 }; } try { const config = JSON.parse(body); @@ -128,7 +128,7 @@ function getEvidenceConfiguration() { } catch (error) { core.warning(`Failed to parse evidence config response: ${error}`); - return {external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0}; + return { external_evidence_collection_supported: false, evidence_file_size_limit_mb: 0 }; } }); } @@ -164,7 +164,6 @@ function getSigstoreBundlePaths() { return filePaths; }); } - /** * Creates evidence for sigstore bundle files. * @param maxFileSizeMB Maximum allowed file size in MB diff --git a/lib/utils.js b/lib/utils.js index c50d103c8..c24b24560 100644 --- a/lib/utils.js +++ b/lib/utils.js 
@@ -245,7 +245,7 @@ class Utils { return Utils.SETUP_JFROG_CLI_SERVER_ID; } static setCliEnv() { - var _a, _b, _c, _d, _e; + var _a, _b, _c, _d, _e, _f, _g, _h, _j; Utils.exportVariableIfNotSet('JFROG_CLI_ENV_EXCLUDE', '*password*;*secret*;*key*;*token*;*auth*;JF_ARTIFACTORY_*;JF_ENV_*;JF_URL;JF_USER;JF_PASSWORD;JF_ACCESS_TOKEN'); Utils.exportVariableIfNotSet('JFROG_CLI_OFFER_CONFIG', 'false'); Utils.exportVariableIfNotSet('CI', 'true'); @@ -274,6 +274,14 @@ class Utils { } // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage. Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_e = process.env.JF_GIT_TOKEN) !== null && _e !== void 0 ? _e : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', (_g = (_f = process.env.GITHUB_SHA) !== null && _f !== void 0 ? _f : '') !== null && _g !== void 0 ? _g : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', (_j = (_h = process.env.GITHUB_REF_NAME) !== null && _h !== void 0 ? _h : '') !== null && _j !== void 0 ? _j : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl()); + } + static buildVcsUrl() { + const serverUrl = process.env.GITHUB_SERVER_URL; + const repo = process.env.GITHUB_REPOSITORY; + return serverUrl && repo ? `${serverUrl}/${repo}` : ''; } static exportVariableIfNotSet(key, value) { if (!process.env[key]) { diff --git a/src/utils.ts b/src/utils.ts index 54ff88dfe..9594838e4 100644 --- a/src/utils.ts +++ b/src/utils.ts 
@@ -311,6 +311,16 @@ export class Utils {
 // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage.
 Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', process.env.JF_GIT_TOKEN ?? '');
+
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', process.env.GITHUB_REF_NAME ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
+ }
+
+ private static buildVcsUrl(): string {
+ const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
+ const repo: string | undefined = process.env.GITHUB_REPOSITORY;
+ return serverUrl && repo ? `${serverUrl}/${repo}` : '';
 }
 public static exportVariableIfNotSet(key: string, value: string) {
From b3bcd1eded60fd6ef58e297fe121e541507ec989 Mon Sep 17 00:00:00 2001
From: delarea
Date: Tue, 19 Aug 2025 17:22:57 +0300
Subject: [PATCH 2/8] use manual for test
---
 lib/oidc-utils.js | 30 ++++++++++++------------------
 src/oidc-utils.ts | 30 +++++++++++++----------------
 2 files changed, 25 insertions(+), 35 deletions(-)
diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js
index e874644e8..da02d72b2 100644
--- a/lib/oidc-utils.js
+++ b/lib/oidc-utils.js
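Review bot: The two new exports `process.env.GITHUB_SHA ?? '' ?? ''` and `process.env.GITHUB_REF_NAME ?? '' ?? ''` carry a dead second `?? ''`; after the first fallback the left operand is already a string, so the trailing `?? ''` can never apply and reads like a typo that will confuse the next maintainer. Collapse them to `process.env.GITHUB_SHA ?? ''` and `process.env.GITHUB_REF_NAME ?? ''`. The same expressions are moved unchanged by PATCH 8/8 (src/utils.ts hunk at -287), so the fix belongs there as well, and the compiled lib/utils.js emit with its nested `_f`/`_g` and `_h`/`_j` ternaries will simplify once the source is corrected. setCliEnv starts outside this hunk.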
@@ -73,10 +73,10 @@ class OidcUtils { } // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. - if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { - core.debug('Using CLI exchange-oidc-token..'); - return yield this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); - } + // if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) { + // core.debug('Using CLI exchange-oidc-token..'); + // return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); + // } // Fallback to manual OIDC exchange for backward compatibility core.debug('Using Manual OIDC Auth Method..'); // Exchanges the token and set as access token in the credential's object @@ -123,6 +123,7 @@ class OidcUtils { } const exchangeUrl = url.replace(/\/$/, '') + '/access/api/v1/oidc/token'; const payload = this.buildOidcTokenExchangePayload(creds.oidcTokenId, providerName, applicationKey); + console.log(`Exchanging OIDC token with payload: ${JSON.stringify(payload)}`); const httpClient = new http_client_1.HttpClient(); const headers = { 'Content-Type': 'application/json' }; const response = yield httpClient.post(exchangeUrl, JSON.stringify(payload), headers); 
@@ -223,26 +224,19 @@ class OidcUtils { core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE'); } static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) { - var _a, _b, _c, _d, _e, _f, _g, _h; + var _a, _b, _c, _d, _e, _f; return { grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange', subject_token_type: 'urn:ietf:params:oauth:token-type:id_token', subject_token: jwt, provider_name: providerName, project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '', - gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', - gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', - gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', - gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', - gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', - application_key: applicationKey, - context: { - vcs_commit: { - vcs_url: this.buildVcsUrl(), - branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '', - revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '', - }, - }, + jobId: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', + runId: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', + repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', + revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', + branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', + applicationKey: applicationKey, }; } static buildVcsUrl() { diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 8e4b7c68c..629b61679 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -50,10 +50,10 @@ export class OidcUtils {
 // Version should be more than min version
 // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI.
- if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) {
- core.debug('Using CLI exchange-oidc-token..');
- return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials);
- }
+ // if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) {
+ // core.debug('Using CLI exchange-oidc-token..');
+ // return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials);
+ // }
 // Fallback to manual OIDC exchange for backward compatibility
 core.debug('Using Manual OIDC Auth Method..');
@@ -101,6 +101,9 @@ export class OidcUtils {
 }
 const exchangeUrl: string = url.replace(/\/$/, '') + '/access/api/v1/oidc/token';
 const payload: Record = this.buildOidcTokenExchangePayload(creds.oidcTokenId, providerName, applicationKey);
+
+ console.log(`Exchanging OIDC token with payload: ${JSON.stringify(payload)}`);
+
 const httpClient: HttpClient = new HttpClient();
 const headers: OutgoingHttpHeaders = { 'Content-Type': 'application/json' };
@@ -218,19 +221,12 @@ export class OidcUtils {
 subject_token: jwt,
 provider_name: providerName,
 project_key: process.env.JF_PROJECT ?? '',
- gh_job_id: process.env.GITHUB_JOB ?? '',
- gh_run_id: process.env.GITHUB_RUN_ID ?? '',
- gh_repo: process.env.GITHUB_REPOSITORY ?? '',
- gh_revision: process.env.GITHUB_SHA ?? '',
- gh_branch: process.env.GITHUB_REF_NAME ?? '',
- application_key: applicationKey,
- context: {
- vcs_commit: {
- vcs_url: this.buildVcsUrl(),
- branch: process.env.GITHUB_REF_NAME ?? '',
- revision: process.env.GITHUB_SHA ?? '',
- },
- },
+ jobId: process.env.GITHUB_JOB ?? '',
+ runId: process.env.GITHUB_RUN_ID ?? '',
+ repo: process.env.GITHUB_REPOSITORY ?? '',
+ revision: process.env.GITHUB_SHA ?? '',
+ branch: process.env.GITHUB_REF_NAME ?? '',
+ applicationKey: applicationKey,
 };
 }
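Review bot: The `console.log` added in the -101 hunk serialises the entire exchange payload, and that payload carries `subject_token: jwt` (the OIDC ID token) together with `application_key`, so the credential is written verbatim into the job log for anyone with read access to the run; where `creds.oidcTokenId` comes from is outside the hunk, so relying on the runner's secret masking to hide it is not a safe assumption. PATCH 5/8 removes the line again, but every run of this intermediate commit has already emitted the token, and a debug line of this shape tends to resurface, so if a trace is wanted log only non-secret fields, e.g. `core.debug(\`Exchanging OIDC token for provider ${providerName}, project ${payload.project_key}\`);`. The same statement appears in the compiled lib/oidc-utils.js hunk at -123. Commenting out the CLI exchange path in the -50 hunk is likewise test-only state that should not be pushed as part of the series; both enclosing methods start outside their hunks.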
From 6929d175aaacbe36bae773c59729750577cf740c Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 20 Aug 2025 12:10:15 +0300 Subject: [PATCH 3/8] update --- lib/oidc-utils.js | 2 +- src/oidc-utils.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index da02d72b2..dad1130a4 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js @@ -236,7 +236,7 @@ class OidcUtils { repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', - applicationKey: applicationKey, + application_key: applicationKey, }; } static buildVcsUrl() { diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 629b61679..1059e9727 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts @@ -226,7 +226,7 @@ export class OidcUtils { repo: process.env.GITHUB_REPOSITORY ?? '', revision: process.env.GITHUB_SHA ?? '', branch: process.env.GITHUB_REF_NAME ?? '', - applicationKey: applicationKey, + application_key: applicationKey, }; } From 2f1e2a9240c0385ac2636df8dcf8ba245778762a Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 20 Aug 2025 12:12:26 +0300 Subject: [PATCH 4/8] update --- lib/oidc-utils.js | 4 ++-- src/oidc-utils.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index dad1130a4..696afc3a0 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -231,8 +231,8 @@ class OidcUtils { subject_token: jwt, provider_name: providerName, project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '', - jobId: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', - runId: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', + job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', + run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 1059e9727..a63ff0707 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts @@ -221,8 +221,8 @@ export class OidcUtils { subject_token: jwt, provider_name: providerName, project_key: process.env.JF_PROJECT ?? '', - jobId: process.env.GITHUB_JOB ?? '', - runId: process.env.GITHUB_RUN_ID ?? '', + job_id: process.env.GITHUB_JOB ?? '', + run_id: process.env.GITHUB_RUN_ID ?? '', repo: process.env.GITHUB_REPOSITORY ?? '', revision: process.env.GITHUB_SHA ?? '', branch: process.env.GITHUB_REF_NAME ?? '', From 992d30f3710c66b304732dade028f4757f502fc0 Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 20 Aug 2025 13:56:50 +0300 Subject: [PATCH 5/8] Fix diff --- lib/oidc-utils.js | 14 ++++---------- src/oidc-utils.ts | 17 ++++------------- 2 files changed, 8 insertions(+), 23 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index 696afc3a0..cdc872def 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -73,10 +73,10 @@ class OidcUtils { } // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. - // if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) { - // core.debug('Using CLI exchange-oidc-token..'); - // return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); - // } + if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { + core.debug('Using CLI exchange-oidc-token..'); + return yield this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); + } // Fallback to manual OIDC exchange for backward compatibility core.debug('Using Manual OIDC Auth Method..'); // Exchanges the token and set as access token in the credential's object @@ -123,7 +123,6 @@ class OidcUtils { } const exchangeUrl = url.replace(/\/$/, '') + '/access/api/v1/oidc/token'; const payload = this.buildOidcTokenExchangePayload(creds.oidcTokenId, providerName, applicationKey); - console.log(`Exchanging OIDC token with payload: ${JSON.stringify(payload)}`); const httpClient = new http_client_1.HttpClient(); const headers = { 'Content-Type': 'application/json' }; const response = yield httpClient.post(exchangeUrl, JSON.stringify(payload), headers); @@ -239,11 +238,6 @@ class OidcUtils { application_key: applicationKey, }; } - static buildVcsUrl() { - const serverUrl = process.env.GITHUB_SERVER_URL; - const repo = process.env.GITHUB_REPOSITORY; - return serverUrl && repo ? `${serverUrl}/${repo}` : ''; - } /** * Retrieves the application key from .jfrog/config file. * diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index a63ff0707..fc89b94d0 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -50,10 +50,10 @@ export class OidcUtils { // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. - // if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) { - // core.debug('Using CLI exchange-oidc-token..'); - // return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); - // } + if (this.isCLIVersionOidcSupported() && !core.getInput(Utils.CLI_REMOTE_ARG)) { + core.debug('Using CLI exchange-oidc-token..'); + return await this.exchangeOIDCTokenAndExportStepOutputs(jfrogCredentials); + } // Fallback to manual OIDC exchange for backward compatibility core.debug('Using Manual OIDC Auth Method..'); @@ -101,9 +101,6 @@ export class OidcUtils { } const exchangeUrl: string = url.replace(/\/$/, '') + '/access/api/v1/oidc/token'; const payload: Record = this.buildOidcTokenExchangePayload(creds.oidcTokenId, providerName, applicationKey); - - console.log(`Exchanging OIDC token with payload: ${JSON.stringify(payload)}`); - const httpClient: HttpClient = new HttpClient(); const headers: OutgoingHttpHeaders = { 'Content-Type': 'application/json' }; @@ -230,12 +227,6 @@ export class OidcUtils { }; } - private static buildVcsUrl(): string { - const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL; - const repo: string | undefined = process.env.GITHUB_REPOSITORY; - return serverUrl && repo ? `${serverUrl}/${repo}` : ''; - } - /** * Retrieves the application key from .jfrog/config file. * From ffe16492abda2794f702e31e0f0cae7d49583dd2 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 24 Aug 2025 11:04:36 +0300 Subject: [PATCH 6/8] revert --- lib/oidc-utils.js | 24 ++++++++++++++++++------ src/oidc-utils.ts | 23 ++++++++++++++++++----- 2 files changed, 36 insertions(+), 11 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index cdc872def..e874644e8 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -223,21 +223,33 @@ class OidcUtils { core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE'); } static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) { - var _a, _b, _c, _d, _e, _f; + var _a, _b, _c, _d, _e, _f, _g, _h; return { grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange', subject_token_type: 'urn:ietf:params:oauth:token-type:id_token', subject_token: jwt, provider_name: providerName, project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '', - job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', - run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', - repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', - revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', - branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', + gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', + gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', + gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', + gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', + gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', application_key: applicationKey, + context: { + vcs_commit: { + vcs_url: this.buildVcsUrl(), + branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '', + revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '', + }, + }, }; } + static buildVcsUrl() { + const serverUrl = process.env.GITHUB_SERVER_URL; + const repo = process.env.GITHUB_REPOSITORY; + return serverUrl && repo ? `${serverUrl}/${repo}` : ''; + } /** * Retrieves the application key from .jfrog/config file. * diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index fc89b94d0..8e4b7c68c 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -218,15 +218,28 @@ export class OidcUtils { subject_token: jwt, provider_name: providerName, project_key: process.env.JF_PROJECT ?? '', - job_id: process.env.GITHUB_JOB ?? '', - run_id: process.env.GITHUB_RUN_ID ?? '', - repo: process.env.GITHUB_REPOSITORY ?? '', - revision: process.env.GITHUB_SHA ?? '', - branch: process.env.GITHUB_REF_NAME ?? '', + gh_job_id: process.env.GITHUB_JOB ?? '', + gh_run_id: process.env.GITHUB_RUN_ID ?? '', + gh_repo: process.env.GITHUB_REPOSITORY ?? '', + gh_revision: process.env.GITHUB_SHA ?? '', + gh_branch: process.env.GITHUB_REF_NAME ?? '', application_key: applicationKey, + context: { + vcs_commit: { + vcs_url: this.buildVcsUrl(), + branch: process.env.GITHUB_REF_NAME ?? '', + revision: process.env.GITHUB_SHA ?? '', + }, + }, }; } + private static buildVcsUrl(): string { + const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL; + const repo: string | undefined = process.env.GITHUB_REPOSITORY; + return serverUrl && repo ? `${serverUrl}/${repo}` : ''; + } + /** * Retrieves the application key from .jfrog/config file. * From 9ac00601e9ac9a1d0d12863a6d37c05139ea5211 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 24 Aug 2025 11:47:21 +0300 Subject: [PATCH 7/8] add comments and reuse function --- lib/oidc-utils.js | 20 ++++++++++++++------ src/oidc-utils.ts | 21 ++++++++++++++------- src/utils.ts | 2 +- 3 files changed, 29 insertions(+), 14 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index e874644e8..88e598d58 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -222,6 +222,16 @@ class OidcUtils { core.exportVariable('JFROG_CLI_USAGE_CONFIG_OIDC', 'TRUE'); core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE'); } + /** + * Constructs the payload for the OIDC token exchange request. + * NOTE: This structure is intended for legacy CLI versions and matches the access API format. + * The payload includes a context object and some duplicated parameters for backward compatibility. + * Future updates will move all additional parameters into the context object. + * @param jwt + * @param providerName + * @param applicationKey + * @private + */ static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) { var _a, _b, _c, _d, _e, _f, _g, _h; return { @@ -230,26 +240,24 @@ class OidcUtils { subject_token: jwt, provider_name: providerName, project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '', + // gh_* params are used for usage tracking gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', application_key: applicationKey, + // This object is planned to be expanded as needed + // even though currently it contains some duplicated parameters context: { vcs_commit: { - vcs_url: this.buildVcsUrl(), + vcs_url: utils_1.Utils.buildVcsUrl(), branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '', revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '', }, }, }; } - static buildVcsUrl() { - const serverUrl = process.env.GITHUB_SERVER_URL; - const repo = process.env.GITHUB_REPOSITORY; - return serverUrl && repo ? `${serverUrl}/${repo}` : ''; - } /** * Retrieves the application key from .jfrog/config file. * 
diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts
index 8e4b7c68c..2769070d5 100644
--- a/src/oidc-utils.ts
+++ b/src/oidc-utils.ts
@@ -211,6 +211,16 @@ export class OidcUtils {
 core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
 }
+ /**
+ * Constructs the payload for the OIDC token exchange request.
+ * NOTE: This structure is intended for legacy CLI versions and matches the access API format.
+ * The payload includes a context object and some duplicated parameters for backward compatibility.
+ * Future updates will move all additional parameters into the context object.
+ * @param jwt
+ * @param providerName
+ * @param applicationKey
+ * @private
+ */
 private static buildOidcTokenExchangePayload(jwt: string, providerName: string, applicationKey: string): Record {
 return {
 grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
@@ -218,15 +228,18 @@ export class OidcUtils {
 subject_token: jwt,
 provider_name: providerName,
 project_key: process.env.JF_PROJECT ?? '',
+ // gh_* params are used for usage tracking
 gh_job_id: process.env.GITHUB_JOB ?? '',
 gh_run_id: process.env.GITHUB_RUN_ID ?? '',
 gh_repo: process.env.GITHUB_REPOSITORY ?? '',
 gh_revision: process.env.GITHUB_SHA ?? '',
 gh_branch: process.env.GITHUB_REF_NAME ?? '',
 application_key: applicationKey,
+ // This object is planned to be expanded as needed
+ // even though currently it contains some duplicated parameters
 context: {
 vcs_commit: {
- vcs_url: this.buildVcsUrl(),
+ vcs_url: Utils.buildVcsUrl(),
 branch: process.env.GITHUB_REF_NAME ?? '',
 revision: process.env.GITHUB_SHA ?? '',
 },
@@ -234,12 +247,6 @@ export class OidcUtils {
 };
 }
- private static buildVcsUrl(): string {
- const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
- const repo: string | undefined = process.env.GITHUB_REPOSITORY;
- return serverUrl && repo ? `${serverUrl}/${repo}` : '';
- }
-
 /**
 * Retrieves the application key from .jfrog/config file.
 *
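Review bot: The new TSDoc on buildOidcTokenExchangePayload lists `@param jwt`, `@param providerName` and `@param applicationKey` with no descriptions and adds an `@private` tag that merely duplicates the `private` modifier on the signature, so the tags add noise without stating a contract. Fill them in from what the body does, e.g. `@param jwt - GitHub OIDC ID token sent as subject_token; the returned object embeds it verbatim and must never be logged or exported as a step output` (the -101 hunk of PATCH 2/8 in this series did exactly that), `@param providerName - Sent as provider_name`, `@param applicationKey - Sent as application_key`, and drop `@private`. The return annotation shows as a bare `Record` here, which would not compile; presumably the type arguments were lost in rendering, but it is worth confirming against the real file. The -218 hunk's comment "gh_* params are used for usage tracking" would also benefit from naming the consumer, if it is known, since duplicated fields are otherwise easy to drop by mistake.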
diff --git a/src/utils.ts b/src/utils.ts
index c55f14f0e..29f671e6a 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -320,7 +320,7 @@ export class Utils {
 Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
 }
- private static buildVcsUrl(): string {
+ public static buildVcsUrl(): string {
 const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
 const repo: string | undefined = process.env.GITHUB_REPOSITORY;
 return serverUrl && repo ? `${serverUrl}/${repo}` : '';
From ed34714033d1ec7ce610990f07d9e23570fdbe39 Mon Sep 17 00:00:00 2001
From: delarea
Date: Sun, 24 Aug 2025 11:51:07 +0300
Subject: [PATCH 8/8] move
---
 lib/utils.js | 9 +++++----
 src/utils.ts | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/utils.js b/lib/utils.js
index 9a1fddac3..7ee12f4cc 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -256,6 +256,10 @@ class Utils {
 Utils.exportVariableIfNotSet('JFROG_CLI_CI_JOB_ID', (_b = process.env.GITHUB_WORKFLOW) !== null && _b !== void 0 ? _b : '');
 Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '');
 Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', (_d = process.env.GITHUB_TOKEN) !== null && _d !== void 0 ? _d : '');
+ // Used for OIDC token exchange extra params
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', (_f = (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '') !== null && _f !== void 0 ? _f : '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', (_h = (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '') !== null && _h !== void 0 ? _h : '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
 let buildNameEnv = process.env.GITHUB_WORKFLOW;
 if (buildNameEnv) {
 Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv);
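Review bot: `buildVcsUrl` is promoted to `public` so OidcUtils can reuse it, but it gets no TSDoc, and its silent fallback to `''` when either `GITHUB_SERVER_URL` or `GITHUB_REPOSITORY` is unset is exactly the contract a second caller needs, because that empty string is what ends up as `vcs_url` in the token-exchange payload and as `JFROG_CLI_CI_VCS_URL`. Add a header such as `/** Builds the repository URL from GITHUB_SERVER_URL and GITHUB_REPOSITORY; returns '' when either is missing, so callers must treat an empty result as unknown rather than as a valid URL. */`. The lib/utils.js hunk of PATCH 8/8 that follows is compiled output and needs no separate review; setCliEnv starts outside this hunk.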
@@ -276,10 +280,7 @@ class Utils {
 job_summary_1.JobSummary.enableJobSummaries();
 }
 // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage.
- Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_e = process.env.JF_GIT_TOKEN) !== null && _e !== void 0 ? _e : '');
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', (_g = (_f = process.env.GITHUB_SHA) !== null && _f !== void 0 ? _f : '') !== null && _g !== void 0 ? _g : '');
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', (_j = (_h = process.env.GITHUB_REF_NAME) !== null && _h !== void 0 ? _h : '') !== null && _j !== void 0 ? _j : '');
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
+ Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_j = process.env.JF_GIT_TOKEN) !== null && _j !== void 0 ? _j : '');
 }
 static buildVcsUrl() {
 const serverUrl = process.env.GITHUB_SERVER_URL;
diff --git a/src/utils.ts b/src/utils.ts
index 29f671e6a..b1f013552 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -287,6 +287,11 @@ export class Utils {
 Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', process.env.GITHUB_RUN_ID ?? '');
 Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', process.env.GITHUB_TOKEN ?? '');
+ // Used for OIDC token exchange extra params
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', process.env.GITHUB_REF_NAME ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
+
 let buildNameEnv: string | undefined = process.env.GITHUB_WORKFLOW;
 if (buildNameEnv) {
 Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv);
@@ -314,10 +319,6 @@ export class Utils {
 // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage.
 Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', process.env.JF_GIT_TOKEN ?? '');
-
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '' ?? '');
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', process.env.GITHUB_REF_NAME ?? '' ?? '');
- Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
 }
 public static buildVcsUrl(): string {