Initial commit: setup-takumi-guard-npm action

Composite GitHub Action that configures npm to use the
Takumi Guard registry via OIDC token exchange.

Author: ren-

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: Test
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate action.yml
+        run: |
+          python3 -c "import yaml; yaml.safe_load(open('action.yml'))"
+          echo "action.yml is valid YAML"
+
+      - name: Check required fields
+        run: |
+          grep -q 'using:.*composite' action.yml
+          grep -q "bot-id:" action.yml
+          echo "Required fields present"

.gitignore

@@ -0,0 +1,6 @@
+node_modules/
+.npmrc
+*.log
+.DS_Store
+*.pem
+*.pub

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Shisho Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,69 @@
+<h1 align="center">setup-takumi-guard-npm</h1>
+
+<p align="center">
+  GitHub Action to configure npm with <a href="https://shisho.dev">Takumi Guard</a> registry auth via OIDC.
+</p>
+
+<p align="center">
+  <a href="https://github.com/flatt-security/setup-takumi-guard-npm/actions"><img src="https://github.com/flatt-security/setup-takumi-guard-npm/actions/workflows/test.yml/badge.svg" alt="CI" /></a>
+</p>
+
+## Usage
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: flatt-security/setup-takumi-guard-npm@v1
+        with:
+          bot-id: "BT01EXAMPLE..."  # from Shisho Cloud console
+
+      - run: npm install
+      - run: npm test
+```
+
+The Bot ID is a public reference key, not a secret. You can find it on the Shisho Cloud console settings page. Storing it as a GitHub secret also works if you prefer.
+
+## What this does
+
+1. Requests an OIDC token from GitHub's token endpoint
+2. Exchanges it for a short-lived access token via `POST {sts-url}/bots/exchange`
+3. Writes registry URL and auth token to a project-level `.npmrc`
+
+After that, `npm install` goes through Takumi Guard. No PATs or long-lived tokens involved.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `bot-id` | Yes | — | Bot ID from Shisho Cloud |
+| `sts-url` | No | `https://sts.shisho.dev` | STS endpoint |
+| `registry-url` | No | `https://npm.takumi-guard.shisho.dev` | Registry endpoint |
+| `expires-in` | No | `1800` | Token lifetime in seconds (max 86400) |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `token-expires-at` | ISO 8601 expiration timestamp |
+
+## Security
+
+Tokens are short-lived (30 min by default, 24h max) and masked in workflow logs. The action writes to project-level `.npmrc` only, so your global npm config is untouched. Existing scoped registries (e.g. `@myorg:registry=...`) are preserved.
+
+## Troubleshooting
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `OIDC not available` | Missing permission | Add `id-token: write` to your job's `permissions` |
+| `invalid ID token` | Trust condition mismatch | Check the bot's trust settings in Shisho Cloud |
+| `invalid request` | Bad bot-id format | Double-check the bot-id value |
+
+## License
+
+[MIT](LICENSE)

action.yml

@@ -0,0 +1,110 @@
+name: 'Setup Takumi Guard npm Registry'
+description: 'Configure npm to use Takumi Guard registry with OIDC-based auth'
+author: 'Shisho Security'
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
+inputs:
+  bot-id:
+    description: 'Bot ID from Shisho Cloud console'
+    required: true
+  sts-url:
+    description: 'STS service URL'
+    required: false
+    default: 'https://sts.cloud.shisho.dev'
+  registry-url:
+    description: 'npm registry URL'
+    required: false
+    default: 'https://npm.takumi-guard.shisho.dev'
+  expires-in:
+    description: 'Token expiration in seconds (max 86400)'
+    required: false
+    default: '1800'
+
+outputs:
+  token-expires-at:
+    description: 'ISO 8601 timestamp when the token expires'
+    value: ${{ steps.set-outputs.outputs.token-expires-at }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get OIDC token
+      id: oidc
+      shell: bash
+      run: |
+        if [ -z "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
+          echo "::error::OIDC not available. Add 'permissions: { id-token: write }' to your job."
+          exit 1
+        fi
+
+        OIDC_TOKEN=$(curl -sS -f \
+          -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=takumi-guard.shisho.dev" \
+          | jq -r '.value')
+
+        if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then
+          echo "::error::Failed to get OIDC token. Ensure id-token: write permission is set."
+          exit 1
+        fi
+
+        echo "::add-mask::${OIDC_TOKEN}"
+        echo "oidc_token=${OIDC_TOKEN}" >> "$GITHUB_OUTPUT"
+
+    - name: Exchange for STS access token
+      id: exchange
+      shell: bash
+      env:
+        OIDC_TOKEN: ${{ steps.oidc.outputs.oidc_token }}
+        BOT_ID: ${{ inputs.bot-id }}
+        STS_URL: ${{ inputs.sts-url }}
+        EXPIRES_IN: ${{ inputs.expires-in }}
+      run: |
+        RESPONSE=$(curl -sS -f -X POST "${STS_URL}/bots/exchange" \
+          -H "Content-Type: application/json" \
+          -d "{\"bot_id\": \"${BOT_ID}\", \"id_token\": \"${OIDC_TOKEN}\", \"expires_in\": ${EXPIRES_IN}}")
+
+        if [ $? -ne 0 ]; then
+          echo "::error::STS token exchange request failed. Check sts-url and network connectivity."
+          exit 1
+        fi
+
+        ACCESS_TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
+        EXPIRES_IN_ACTUAL=$(echo "$RESPONSE" | jq -r '.expires_in')
+
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          ERROR_MSG=$(echo "$RESPONSE" | jq -r '.message // "Unknown error"')
+          echo "::error::Token exchange failed: ${ERROR_MSG}"
+          exit 1
+        fi
+
+        echo "::add-mask::${ACCESS_TOKEN}"
+        echo "access_token=${ACCESS_TOKEN}" >> "$GITHUB_OUTPUT"
+
+        # Calculate expiration timestamp (Linux date -d, macOS date -v fallback)
+        EXPIRES_AT=$(date -u -d "+${EXPIRES_IN_ACTUAL} seconds" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || \
+                     date -u -v+"${EXPIRES_IN_ACTUAL}"S +%Y-%m-%dT%H:%M:%SZ)
+        echo "expires_at=${EXPIRES_AT}" >> "$GITHUB_OUTPUT"
+
+    - name: Configure npm
+      shell: bash
+      env:
+        ACCESS_TOKEN: ${{ steps.exchange.outputs.access_token }}
+        REGISTRY_URL: ${{ inputs.registry-url }}
+      run: |
+        REGISTRY_HOST=$(echo "$REGISTRY_URL" | sed 's|^https://||' | sed 's|/$||')
+
+        npm config set registry "${REGISTRY_URL}/" --location=project
+        npm config set "//${REGISTRY_HOST}/:_authToken" "${ACCESS_TOKEN}" --location=project
+
+        echo "::notice::Configured npm to use Takumi Guard registry at ${REGISTRY_URL}"
+
+    - name: Set outputs
+      id: set-outputs
+      shell: bash
+      env:
+        EXPIRES_AT: ${{ steps.exchange.outputs.expires_at }}
+      run: |
+        echo "token-expires-at=${EXPIRES_AT}" >> "$GITHUB_OUTPUT"