Export OIDC vcs params (#297)

Author: EyalDelarea

lib/oidc-utils.js

@@ -222,6 +222,16 @@ class OidcUtils {
         core.exportVariable('JFROG_CLI_USAGE_CONFIG_OIDC', 'TRUE');
         core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
     }
+    /**
+     * Constructs the payload for the OIDC token exchange request.
+     * NOTE: This structure is intended for legacy CLI versions and matches the access API format.
+     * The payload includes a context object and some duplicated parameters for backward compatibility.
+     * Future updates will move all additional parameters into the context object.
+     * @param jwt
+     * @param providerName
+     * @param applicationKey
+     * @private
+     */
     static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) {
         var _a, _b, _c, _d, _e, _f, _g, _h;
         return {
@@ -230,26 +240,24 @@ class OidcUtils {
             subject_token: jwt,
             provider_name: providerName,
             project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '',
+            // gh_* params are used for usage tracking
             gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '',
             gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '',
             gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '',
             gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '',
             gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '',
             application_key: applicationKey,
+            // This object is planned to be expanded as needed
+            // even though currently it contains some duplicated parameters
             context: {
                 vcs_commit: {
-                    vcs_url: this.buildVcsUrl(),
+                    vcs_url: utils_1.Utils.buildVcsUrl(),
                     branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '',
                     revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '',
                 },
             },
         };
     }
-    static buildVcsUrl() {
-        const serverUrl = process.env.GITHUB_SERVER_URL;
-        const repo = process.env.GITHUB_REPOSITORY;
-        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
-    }
     /**
      * Retrieves the application key from .jfrog/config file.
      *

lib/utils.js

@@ -245,7 +245,7 @@ class Utils {
         return Utils.SETUP_JFROG_CLI_SERVER_ID;
     }
     static setCliEnv() {
-        var _a, _b, _c, _d, _e;
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j;
         if (core.isDebug()) {
             Utils.exportVariableIfNotSet('JFROG_CLI_LOG_LEVEL', 'DEBUG');
         }
@@ -256,6 +256,10 @@ class Utils {
         Utils.exportVariableIfNotSet('JFROG_CLI_CI_JOB_ID', (_b = process.env.GITHUB_WORKFLOW) !== null && _b !== void 0 ? _b : '');
         Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '');
         Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', (_d = process.env.GITHUB_TOKEN) !== null && _d !== void 0 ? _d : '');
+        // Used for OIDC token exchange extra params
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', (_f = (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '') !== null && _f !== void 0 ? _f : '');
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', (_h = (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '') !== null && _h !== void 0 ? _h : '');
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
         let buildNameEnv = process.env.GITHUB_WORKFLOW;
         if (buildNameEnv) {
             Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv);
@@ -276,7 +280,12 @@ class Utils {
             job_summary_1.JobSummary.enableJobSummaries();
         }
         // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage.
-        Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_e = process.env.JF_GIT_TOKEN) !== null && _e !== void 0 ? _e : '');
+        Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_j = process.env.JF_GIT_TOKEN) !== null && _j !== void 0 ? _j : '');
+    }
+    static buildVcsUrl() {
+        const serverUrl = process.env.GITHUB_SERVER_URL;
+        const repo = process.env.GITHUB_REPOSITORY;
+        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
     }
     static exportVariableIfNotSet(key, value) {
         if (!process.env[key]) {

src/oidc-utils.ts

@@ -211,35 +211,42 @@ export class OidcUtils {
         core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
     }
 
+    /**
+     * Constructs the payload for the OIDC token exchange request.
+     * NOTE: This structure is intended for legacy CLI versions and matches the access API format.
+     * The payload includes a context object and some duplicated parameters for backward compatibility.
+     * Future updates will move all additional parameters into the context object.
+     * @param jwt
+     * @param providerName
+     * @param applicationKey
+     * @private
+     */
     private static buildOidcTokenExchangePayload(jwt: string, providerName: string, applicationKey: string): Record<string, any> {
         return {
             grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
             subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
             subject_token: jwt,
             provider_name: providerName,
             project_key: process.env.JF_PROJECT ?? '',
+            // gh_* params are used for usage tracking
             gh_job_id: process.env.GITHUB_JOB ?? '',
             gh_run_id: process.env.GITHUB_RUN_ID ?? '',
             gh_repo: process.env.GITHUB_REPOSITORY ?? '',
             gh_revision: process.env.GITHUB_SHA ?? '',
             gh_branch: process.env.GITHUB_REF_NAME ?? '',
             application_key: applicationKey,
+            // This object is planned to be expanded as needed
+            // even though currently it contains some duplicated parameters
             context: {
                 vcs_commit: {
-                    vcs_url: this.buildVcsUrl(),
+                    vcs_url: Utils.buildVcsUrl(),
                     branch: process.env.GITHUB_REF_NAME ?? '',
                     revision: process.env.GITHUB_SHA ?? '',
                 },
             },
         };
     }
 
-    private static buildVcsUrl(): string {
-        const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
-        const repo: string | undefined = process.env.GITHUB_REPOSITORY;
-        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
-    }
-
     /**
      * Retrieves the application key from .jfrog/config file.
      *

src/utils.ts

@@ -287,6 +287,11 @@ export class Utils {
         Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', process.env.GITHUB_RUN_ID ?? '');
         Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', process.env.GITHUB_TOKEN ?? '');
 
+        // Used for OIDC token exchange extra params
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '' ?? '');
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', process.env.GITHUB_REF_NAME ?? '' ?? '');
+        Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
+
         let buildNameEnv: string | undefined = process.env.GITHUB_WORKFLOW;
         if (buildNameEnv) {
             Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv);
@@ -316,6 +321,12 @@ export class Utils {
         Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', process.env.JF_GIT_TOKEN ?? '');
     }
 
+    public static buildVcsUrl(): string {
+        const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
+        const repo: string | undefined = process.env.GITHUB_REPOSITORY;
+        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
+    }
+
     public static exportVariableIfNotSet(key: string, value: string) {
         if (!process.env[key]) {
             core.exportVariable(key, value);