From a9ee69bd2c0b101ff0bf80b474d68404209499e2 Mon Sep 17 00:00:00 2001 From: delarea Date: Tue, 29 Apr 2025 11:24:20 +0300 Subject: [PATCH 01/45] add logs --- lib/oidc-utils.js | 6 +++++- src/oidc-utils.ts | 7 +++++-- src/utils.ts | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index b5e5db15c..9d9e95ba2 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js @@ -90,7 +90,11 @@ class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || 'jfrog-github'], { silent: true }); + core.info("---------------------------------"); + core.info("audience: " + creds.oidcAudience); + core.info("provider name: " + creds.oidcProviderName); + core.info("---------------------------------"); + output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || utils_1.Utils.DEFAULT_OIDC_AUDIENCE], { silent: true }); const { accessToken, username } = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); return accessToken; diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 67c5491ea..d174e131d 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -68,9 +68,12 @@ export class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - + core.info("---------------------------------") + core.info("audience: " + creds.oidcAudience); + core.info("provider name: " + creds.oidcProviderName); + core.info("---------------------------------") output = await Utils.runCliAndGetOutput( - ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || 'jfrog-github'], + ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || Utils.DEFAULT_OIDC_AUDIENCE], { silent: true }, ); diff --git a/src/utils.ts b/src/utils.ts index 32de63c85..9107d50b9 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -52,7 +52,7 @@ export class Utils { public static readonly AUTO_BUILD_PUBLISH_DISABLE: string = 'disable-auto-build-publish'; // Custom server ID input private static readonly CUSTOM_SERVER_ID: string = 'custom-server-id'; - private static DEFAULT_OIDC_AUDIENCE: string = 'jfrog-github'; + public static DEFAULT_OIDC_AUDIENCE: string = 'jfrog-github'; /** * Gathers JFrog's credentials from environment variables and delivers them in a JfrogCredentials structure From 799aeb937891155e05f2ed6023b922e7dd6daa8f Mon Sep 17 00:00:00 2001 From: delarea Date: Tue, 29 Apr 2025 11:59:51 +0300 Subject: [PATCH 02/45] add logs --- .github/workflows/oidc-integration-test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 172673834..728beb0a4 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
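Review bot: The four `core.info` calls added ahead of `runCliAndGetOutput` in src/oidc-utils.ts put troubleshooting output into every consumer's job log, and they print `creds.oidcAudience` before the `|| Utils.DEFAULT_OIDC_AUDIENCE` fallback, so the logged value can differ from the one sent to the CLI. If the trace should stay, `core.debug('OIDC audience: ' + (creds.oidcAudience || Utils.DEFAULT_OIDC_AUDIENCE));` keeps it behind step-debug logging and reports the effective value. The same lines appear in the lib/oidc-utils.js hunk of this commit, which looks like the compiled copy. The enclosing method starts and ends outside the hunk.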
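Review bot: `DEFAULT_OIDC_AUDIENCE` in src/utils.ts becomes `public` without `readonly`, unlike the neighbouring constants, so any importing module can now reassign the audience that the token exchange falls back to. Declare it as `public static readonly DEFAULT_OIDC_AUDIENCE: string = 'jfrog-github';`.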
@@ -9,7 +9,7 @@ name: OIDC Integration Test on: push: branches: - - master + - "**" # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] @@ -29,6 +29,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] + audience_value: [ '' ,'','test-assigned' ] runs-on: ${{ matrix.os }}-latest name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }} env: @@ -58,6 +59,7 @@ jobs: "name": "${{ steps.gen-oidc.outputs.oidc_provider_name }}", "issuer_url": "https://token.actions.githubusercontent.com", "provider_type": "GitHub", + "audience": ${{ matrix.audience_value }},", "enable_permissive_configuration": "true", "description": "Test configuration for CLI version ${{ matrix.cli-version }}" }' @@ -76,7 +78,7 @@ jobs: }, "token_spec": { "scope": "applied-permissions/groups:readers", - "expires_in": 30 + "expires_in": 10 } }' @@ -89,6 +91,7 @@ jobs: with: version: ${{ matrix.cli-version }} oidc-provider-name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} + oidc-audience: ${{ matrix.audience_value }} # validate successful OIDC configuration - name: Test JFrog CLI connectivity From a3ecdb47d0fe24845a4360ec3d238fc7b2e3e5b0 Mon Sep 17 00:00:00 2001 From: delarea Date: Tue, 29 Apr 2025 16:11:26 +0300 Subject: [PATCH 03/45] Default audience --- lib/oidc-utils.js | 8 ++------ lib/utils.js | 3 +-- src/oidc-utils.ts | 8 ++------ src/types.ts | 2 +- src/utils.ts | 3 +-- test/oidc-utils.spec.ts | 1 + 6 files changed, 8 insertions(+), 17 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index 9d9e95ba2..c4da6bec9 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
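Review bot: Widening the `push` trigger to `"**"` in the first hunk makes every branch push run a workflow that reads the platform secrets and creates an OIDC integration with `enable_permissive_configuration` on the JFrog instance. If this is only meant for exercising the feature branch, a comment on that line such as `# TEMP: restore to master before merge` would make the intent explicit. Otherwise the branch list should stay restricted to `master`.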
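Review bot: The added payload line `"audience": ${{ matrix.audience_value }},",` has unbalanced quotes, so the JSON body sent when creating the integration is malformed for every matrix value. Separately, the expression is expanded into the script text before the shell runs it. The matrix values are constants today, but passing the value through the step's `env:` (for example `AUDIENCE: ${{ matrix.audience_value }}`) and referencing `$AUDIENCE` in the script keeps a later change of source from becoming script injection. The step begins and ends outside the hunk.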
@@ -64,7 +64,7 @@ class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = yield this.getIdToken(jfrogCredentials.oidcAudience || ''); + jfrogCredentials.oidcTokenId = yield this.getIdToken(jfrogCredentials.oidcAudience); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { @@ -90,11 +90,7 @@ class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - core.info("---------------------------------"); - core.info("audience: " + creds.oidcAudience); - core.info("provider name: " + creds.oidcProviderName); - core.info("---------------------------------"); - output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || utils_1.Utils.DEFAULT_OIDC_AUDIENCE], { silent: true }); + output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience], { silent: true }); const { accessToken, username } = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); return accessToken; diff --git a/lib/utils.js b/lib/utils.js index 0356c1588..98befec32 100644 --- a/lib/utils.js +++ b/lib/utils.js 
@@ -55,7 +55,7 @@ class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || Utils.DEFAULT_OIDC_AUDIENCE, + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG), oidcTokenId: '', }; if (jfrogCredentials.password && !jfrogCredentials.username) { @@ -474,4 +474,3 @@ Utils.JOB_SUMMARY_DISABLE = 'disable-job-summary'; Utils.AUTO_BUILD_PUBLISH_DISABLE = 'disable-auto-build-publish'; // Custom server ID input Utils.CUSTOM_SERVER_ID = 'custom-server-id'; -Utils.DEFAULT_OIDC_AUDIENCE = 'jfrog-github'; diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index d174e131d..da07a0b93 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts @@ -41,7 +41,7 @@ export class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = await this.getIdToken(jfrogCredentials.oidcAudience || ''); + jfrogCredentials.oidcTokenId = await this.getIdToken(jfrogCredentials.oidcAudience); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. 
@@ -68,12 +68,8 @@ export class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - core.info("---------------------------------") - core.info("audience: " + creds.oidcAudience); - core.info("provider name: " + creds.oidcProviderName); - core.info("---------------------------------") output = await Utils.runCliAndGetOutput( - ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience || Utils.DEFAULT_OIDC_AUDIENCE], + ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience], { silent: true }, ); diff --git a/src/types.ts b/src/types.ts index e998432fb..ff5c5524c 100644 --- a/src/types.ts +++ b/src/types.ts @@ -12,7 +12,7 @@ export interface JfrogCredentials { accessToken?: string; oidcProviderName?: string; oidcTokenId?: string; - oidcAudience?: string; + oidcAudience : string; } /** diff --git a/src/utils.ts b/src/utils.ts index 9107d50b9..314652a51 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -52,7 +52,6 @@ export class Utils { public static readonly AUTO_BUILD_PUBLISH_DISABLE: string = 'disable-auto-build-publish'; // Custom server ID input private static readonly CUSTOM_SERVER_ID: string = 'custom-server-id'; - public static DEFAULT_OIDC_AUDIENCE: string = 'jfrog-github'; /** * Gathers JFrog's credentials from environment variables and delivers them in a JfrogCredentials structure @@ -66,7 +65,7 @@ export class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || Utils.DEFAULT_OIDC_AUDIENCE, + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG), oidcTokenId: '', } as JfrogCredentials; 
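Review bot: Making `oidcAudience` a required `string` in src/types.ts does not guarantee a usable value, because `core.getInput` returns an empty string when the input is unset and the `|| Utils.DEFAULT_OIDC_AUDIENCE` fallback is removed in the src/utils.ts hunk of this commit. The src/oidc-utils.ts hunk then always appends `'--oidc-audience', creds.oidcAudience`, so an unset input reaches the CLI as an empty audience argument. Either keep the field optional and build the object with `oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || undefined`, or add a field comment such as `// Empty string means no audience was configured`. The spacing in `oidcAudience : string;` also differs from the sibling fields.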
diff --git a/test/oidc-utils.spec.ts b/test/oidc-utils.spec.ts index 027d0b876..d04da5491 100644 --- a/test/oidc-utils.spec.ts +++ b/test/oidc-utils.spec.ts @@ -88,6 +88,7 @@ describe('OidcUtils', (): void => { it('should throw if creds are missing required fields', async (): Promise => { const incompleteCreds: JfrogCredentials = { jfrogUrl: 'https://example.jfrog.io', + oidcAudience: '' // missing provider and token ID }; From a765ad8cbf1d073560908098e8df4cd8eda0c6ba Mon Sep 17 00:00:00 2001 From: delarea Date: Tue, 29 Apr 2025 16:22:00 +0300 Subject: [PATCH 04/45] dont pass audience to exchange command --- lib/oidc-utils.js | 8 ++++++-- lib/utils.js | 1 - src/oidc-utils.ts | 8 ++++++-- src/utils.ts | 1 - 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index c4da6bec9..6b93bbd36 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js @@ -64,7 +64,11 @@ class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = yield this.getIdToken(jfrogCredentials.oidcAudience); + core.info(" THIS IS THE creds:"); + core.info(jfrogCredentials.oidcAudience); + core.info(" THIS IS THE INPUT:"); + core.info(core.getInput(utils_1.Utils.OIDC_AUDIENCE_ARG)); + jfrogCredentials.oidcTokenId = yield this.getIdToken(core.getInput(utils_1.Utils.OIDC_AUDIENCE_ARG)); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { 
@@ -90,7 +94,7 @@ class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience], { silent: true }); + output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl], { silent: true }); const { accessToken, username } = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); return accessToken; diff --git a/lib/utils.js b/lib/utils.js index 98befec32..7682770d9 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -184,7 +184,6 @@ class Utils { * @name password - JFrog Platform basic authentication * @name accessToken - Jfrog Platform access token * @name oidcProviderName - OpenID Connect provider name defined in the JFrog Platform - * @name oidcAudience - JFrog Platform OpenID Connect audience */ let url = jfrogCredentials.jfrogUrl; let user = jfrogCredentials.username; diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index da07a0b93..4549a7036 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts @@ -41,7 +41,11 @@ export class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = await this.getIdToken(jfrogCredentials.oidcAudience); + core.info(" THIS IS THE creds:") + core.info(jfrogCredentials.oidcAudience) + core.info(" THIS IS THE INPUT:") + core.info(core.getInput(Utils.OIDC_AUDIENCE_ARG)) + jfrogCredentials.oidcTokenId = await this.getIdToken(core.getInput(Utils.OIDC_AUDIENCE_ARG)); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. 
@@ -69,7 +73,7 @@ export class OidcUtils { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } output = await Utils.runCliAndGetOutput( - ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl, '--oidc-audience', creds.oidcAudience], + ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl], { silent: true }, ); diff --git a/src/utils.ts b/src/utils.ts index 314652a51..6a522ade8 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -203,7 +203,6 @@ export class Utils { * @name password - JFrog Platform basic authentication * @name accessToken - Jfrog Platform access token * @name oidcProviderName - OpenID Connect provider name defined in the JFrog Platform - * @name oidcAudience - JFrog Platform OpenID Connect audience */ let url: string | undefined = jfrogCredentials.jfrogUrl; let user: string | undefined = jfrogCredentials.username; From cc0efe98aa97667d82e3c025a8916511cd898f00 Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 30 Apr 2025 09:12:24 +0300 Subject: [PATCH 05/45] Change audience default value --- lib/oidc-utils.js | 12 ++++++------ src/oidc-utils.ts | 16 +++++++--------- test/main.spec.ts | 18 ++++++++++++++++++ 3 files changed, 31 insertions(+), 15 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index 6b93bbd36..4ab484624 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -64,11 +64,7 @@ class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - core.info(" THIS IS THE creds:"); - core.info(jfrogCredentials.oidcAudience); - core.info(" THIS IS THE INPUT:"); - core.info(core.getInput(utils_1.Utils.OIDC_AUDIENCE_ARG)); - jfrogCredentials.oidcTokenId = yield this.getIdToken(core.getInput(utils_1.Utils.OIDC_AUDIENCE_ARG)); + jfrogCredentials.oidcTokenId = yield this.getIdToken(jfrogCredentials.oidcAudience); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { @@ -94,7 +90,11 @@ class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - output = yield utils_1.Utils.runCliAndGetOutput(['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl], { silent: true }); + const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl]; + if (creds.oidcAudience) { + args.push('--oidc-audience', creds.oidcAudience); + } + output = yield utils_1.Utils.runCliAndGetOutput(args, { silent: true }); const { accessToken, username } = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); return accessToken; diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 4549a7036..94249bccd 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -41,11 +41,7 @@ export class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - core.info(" THIS IS THE creds:") - core.info(jfrogCredentials.oidcAudience) - core.info(" THIS IS THE INPUT:") - core.info(core.getInput(Utils.OIDC_AUDIENCE_ARG)) - jfrogCredentials.oidcTokenId = await this.getIdToken(core.getInput(Utils.OIDC_AUDIENCE_ARG)); + jfrogCredentials.oidcTokenId = await this.getIdToken(jfrogCredentials. oidcAudience); // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. @@ -72,10 +68,12 @@ export class OidcUtils { if (creds.oidcProviderName === undefined || creds.oidcTokenId === undefined || creds.jfrogUrl === undefined) { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } - output = await Utils.runCliAndGetOutput( - ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl], - { silent: true }, - ); + + const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl]; + if (creds.oidcAudience) { + args.push('--oidc-audience', creds.oidcAudience); + } + output = await Utils.runCliAndGetOutput(args, { silent: true }); const { accessToken, username }: CliExchangeTokenResponse = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); diff --git a/test/main.spec.ts b/test/main.spec.ts index d24575841..393433d2e 100644 --- a/test/main.spec.ts +++ b/test/main.spec.ts 
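Review bot: The new `args` array in the second src/oidc-utils.ts hunk still carries `creds.oidcTokenId` as a positional argument. `{ silent: true }` presumably keeps the command out of the step log, but not out of the child process's argument list, which other processes can read on a shared or self-hosted runner. A comment at the declaration, for example `// The ID token is passed in argv; keep silent: true and never log args`, would record the constraint; if the CLI can take the token from the environment or stdin (not visible in this diff), that would be the safer channel. Typing the array as `const args: string[]` would match the explicit annotations used elsewhere in the file. In the first hunk, `jfrogCredentials. oidcAudience` has a stray space after the dot.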
@@ -111,6 +111,24 @@ describe('Collect JFrog Credentials from env vars exceptions', () => { process.env['JF_PASSWORD'] = password; expect(() => Utils.collectJfrogCredentialsFromEnvVars()).toThrow(new Error(exception)); }); + + test('collectJfrogCredentialsFromEnvVars should return default values when no environment variables are set', () => { + // Ensure no relevant environment variables are set + delete process.env['JF_URL']; + delete process.env['JF_ACCESS_TOKEN']; + delete process.env['JF_USER']; + delete process.env['JF_PASSWORD']; + + // Call the function + const jfrogCredentials: JfrogCredentials = Utils.collectJfrogCredentialsFromEnvVars(); + + // Verify default values + expect(jfrogCredentials.jfrogUrl).toBeUndefined(); + expect(jfrogCredentials.accessToken).toBeUndefined(); + expect(jfrogCredentials.username).toBeUndefined(); + expect(jfrogCredentials.password).toBeUndefined(); + expect(jfrogCredentials.oidcAudience).toBeUndefined() + }); }); async function testConfigCommand(expectedServerId: string) { From 119f08fd141e34f4897367056f619c6058ccc0e0 Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 30 Apr 2025 10:32:56 +0300 Subject: [PATCH 06/45] Test --- .github/workflows/oidc-integration-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 728beb0a4..517fbf0a2 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -29,7 +29,6 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] - audience_value: [ '' ,'','test-assigned' ] runs-on: ${{ matrix.os }}-latest name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }} env: From 5f4b8e1663f64cd36bb60b563b51dae5c335305e Mon Sep 17 00:00:00 2001 From: delarea Date: Wed, 30 Apr 2025 10:34:11 +0300 Subject: [PATCH 07/45] Test --- .github/workflows/oidc-integration-test.yml | 1 + 1 file changed, 1 insertion(+) 
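Review bot: The new test asserts `expect(jfrogCredentials.oidcAudience).toBeUndefined()`, yet `collectJfrogCredentialsFromEnvVars` fills that field from `core.getInput`, which returns an empty string for an unset input unless `@actions/core` is mocked in this file (not visible here). `JfrogCredentials.oidcAudience` is also typed as a required `string` by this point. If the real module is in use, the assertion should be `expect(jfrogCredentials.oidcAudience).toBe('');`. The test also deletes the four `JF_*` variables without restoring them, so later tests depend on execution order; saving and restoring `process.env` in `beforeEach`/`afterEach` would isolate it. The enclosing `describe` begins outside the hunk.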
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 517fbf0a2..54492f5e8 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -29,6 +29,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] + audience_value: [ '' ,'','github-jfrog' ] runs-on: ${{ matrix.os }}-latest name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }} env: From 44c0113450ce701e765ce8e573bf675df3332915 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:19:01 +0300 Subject: [PATCH 08/45] Test --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 54492f5e8..20f3c8fb4 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -29,7 +29,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] - audience_value: [ '' ,'','github-jfrog' ] + audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ${{ matrix.os }}-latest name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }} env: @@ -59,7 +59,7 @@ jobs: "name": "${{ steps.gen-oidc.outputs.oidc_provider_name }}", "issuer_url": "https://token.actions.githubusercontent.com", "provider_type": "GitHub", - "audience": ${{ matrix.audience_value }},", + "audience": "${{ matrix.audience_value }},", "enable_permissive_configuration": "true", "description": "Test configuration for CLI version ${{ matrix.cli-version }}" }' From c5a21ca370f1db9edbcdc35deb00138319386c7d Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:39:39 +0300 Subject: [PATCH 09/45] Test --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 20f3c8fb4..14c8045ff 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -59,7 +59,7 @@ jobs: "name": "${{ steps.gen-oidc.outputs.oidc_provider_name }}", "issuer_url": "https://token.actions.githubusercontent.com", "provider_type": "GitHub", - "audience": "${{ matrix.audience_value }},", + "audience": "${{ matrix.audience_value }}", "enable_permissive_configuration": "true", "description": "Test configuration for CLI version ${{ matrix.cli-version }}" }' From bbafc02811907befe626a795c5d979061651aa9a Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:43:30 +0300 Subject: [PATCH 10/45] Test --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 14c8045ff..9c0f6cf41 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -47,7 +47,7 @@ jobs: shell: bash run: | cli_version="${{ matrix.cli-version }}" && cli_version="${cli_version//./-}" - echo "oidc_provider_name=oidc-integration-${cli_version}-${{ matrix.os }}-$(date +%s)" >> "$GITHUB_OUTPUT" + echo "oidc_provider_name=oidc-integration-${cli_version}-${{ matrix.os }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" - name: Create OpenID Connect integration shell: bash From c49d377be8c9fc37691e0f72369d6c293ed3585e Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:48:04 +0300 Subject: [PATCH 11/45] Test --- .github/workflows/oidc-integration-test.yml | 60 ++++++++++++--------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 9c0f6cf41..2ce70cc0e 100644 --- a/.github/workflows/oidc-integration-test.yml 
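Review bot: Replacing `$(date +%s)` with `${{ github.run_id }}` in the provider-name step makes the name identical for every `audience_value` leg that shares an `os` and `cli-version`, because the audience is not part of the name. Those jobs would then create, use and delete the same integration concurrently, and a re-run reuses the name again since `run_id` is stable across attempts. Adding the leg and attempt to the suffix, e.g. `-${{ strategy.job-index }}-${{ github.run_id }}-${{ github.run_attempt }}`, keeps one integration per job. The step begins outside the hunk.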
+++ b/.github/workflows/oidc-integration-test.yml @@ -23,31 +23,19 @@ permissions: contents: read jobs: - oidc-test: + generate-oidc-integration: strategy: - fail-fast: false matrix: - os: [ ubuntu, macos, windows ] - cli-version: [ '2.74.1', '2.75.0','latest' ] audience_value: [ '' ,'test-audience','github-jfrog' ] - runs-on: ${{ matrix.os }}-latest - name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }} - env: - JFROG_CLI_LOG_LEVEL: DEBUG - + runs-on: ubuntu-latest + outputs: + oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} steps: - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - - # Setup OIDC platform integration - name: Generate unique OIDC provider name id: gen-oidc shell: bash run: | - cli_version="${{ matrix.cli-version }}" && cli_version="${cli_version//./-}" - echo "oidc_provider_name=oidc-integration-${cli_version}-${{ matrix.os }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" + echo "oidc_provider_name=oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" - name: Create OpenID Connect integration shell: bash @@ -61,7 +49,7 @@ jobs: "provider_type": "GitHub", "audience": "${{ matrix.audience_value }}", "enable_permissive_configuration": "true", - "description": "Test configuration for CLI version ${{ matrix.cli-version }}" + "description": "Test configuration for audience ${{ matrix.audience_value }}" }' - name: Create OIDC Identity Mapping 
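Review bot: `generate-oidc-integration` is a matrix job that declares a single `oidc_provider_name` output, so the three legs overwrite one another and downstream jobs receive only the name from whichever leg finished last. The `oidc-test` legs for the other two audiences would then authenticate against an integration configured for a different audience, and the remaining two integrations are never referenced again. The name also interpolates the raw audience, which yields `oidc-integration--<run id>` for the empty value. One approach is to compute the name inside each consuming job from `matrix.audience_value` and `github.run_id`, with a fixed slug for the empty audience, instead of passing it through job outputs.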
@@ -82,7 +70,27 @@ jobs: } }' - # Setup + - name: Save OIDC provider name + shell: bash + run: echo "oidc_provider_name=${{ steps.gen-oidc.outputs.oidc_provider_name }}" >> "$GITHUB_ENV" + + oidc-test: + needs: generate-oidc-integration + strategy: + fail-fast: false + matrix: + os: [ ubuntu, macos, windows ] + cli-version: [ '2.74.1', '2.75.0','latest' ] + audience_value: [ '' ,'test-audience','github-jfrog' ] + runs-on: ${{ matrix.os }}-latest + env: + JFROG_CLI_LOG_LEVEL: DEBUG + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup JFrog CLI id: setup-jfrog-cli uses: ./ @@ -90,14 +98,12 @@ jobs: JF_URL: ${{ secrets.JFROG_PLATFORM_URL }} with: version: ${{ matrix.cli-version }} - oidc-provider-name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} + oidc-provider-name: ${{ needs.generate-oidc-integration.outputs.oidc_provider_name }} oidc-audience: ${{ matrix.audience_value }} - # validate successful OIDC configuration - name: Test JFrog CLI connectivity run: jf rt ping - # Validate step outputs - name: Validate user output shell: bash run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-user }}" @@ -106,10 +112,12 @@ jobs: shell: bash run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-token }}" - # Cleanup + cleanup-oidc-integration: + needs: oidc-test + runs-on: ubuntu-latest + steps: - name: Delete OIDC integration shell: bash - if: always() run: | - curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ steps.gen-oidc.outputs.oidc_provider_name }}" \ - -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" + curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ needs.generate-oidc-integration.outputs.oidc_provider_name }}" \ + -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ No newline at end of file From 764091804dd8f83435954f9faeaef19e8879a9b3 Mon Sep 17 00:00:00 2001 
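Review bot: The `Save OIDC provider name` step added at the end of `generate-oidc-integration` writes to `$GITHUB_ENV`, which is scoped to the job that sets it, and it is the last step of that job, so the value is never read. Now that creation, test and cleanup are separate jobs, the workflow-level `id-token: write` also reaches the two jobs that only call the platform API with `JFROG_PLATFORM_RT_TOKEN`. Declaring `permissions:` with `id-token: write` on `oidc-test` alone and leaving the others at `contents: read` would narrow that. `oidc-test` also checks out `github.event.pull_request.head.sha` and runs `uses: ./` under `pull_request_target`, so the label gate is the only review point for that code; a comment above the checkout such as `# Runs PR code with id-token: write; label only after reviewing the head commit` would make that explicit.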
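Review bot: The new `cleanup-oidc-integration` job drops the `if: always()` that the old cleanup step had and lists only `oidc-test` under `needs`, while its `curl` reads `needs.generate-oidc-integration.outputs.oidc_provider_name`. The `needs` context holds direct dependencies only, so the name expands to an empty string, and any failing test leg skips the job altogether; either way the integration created with `enable_permissive_configuration` and its identity mapping stay on the platform. Use `needs: [generate-oidc-integration, oidc-test]` together with `if: always()`. The request also deletes a single integration, whereas the first job creates one per audience value.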
From: delarea Date: Sun, 4 May 2025 11:51:15 +0300 Subject: [PATCH 12/45] Extract audience values --- .github/workflows/oidc-integration-test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 2ce70cc0e..a58850425 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -18,6 +18,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true +env: + AUDIENCE_VALUES: "['', 'test-audience', 'github-jfrog']" + permissions: id-token: write contents: read @@ -26,7 +29,7 @@ jobs: generate-oidc-integration: strategy: matrix: - audience_value: [ '' ,'test-audience','github-jfrog' ] + audience_value: ${{ env.AUDIENCE_VALUES }} runs-on: ubuntu-latest outputs: oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} @@ -81,7 +84,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] - audience_value: [ '' ,'test-audience','github-jfrog' ] + audience_value: ${{ env.AUDIENCE_VALUES }} runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG From abe4d6df61e549b71967936fca71a6f311bca188 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:54:02 +0300 Subject: [PATCH 13/45] Extract audience values --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index a58850425..2dc574e6d 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -29,7 +29,7 @@ jobs: generate-oidc-integration: strategy: matrix: - audience_value: ${{ env.AUDIENCE_VALUES }} + audience_value: ${{ fromJson(env.AUDIENCE_VALUES) }} runs-on: ubuntu-latest outputs: oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} @@ -84,7 +84,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] - audience_value: ${{ env.AUDIENCE_VALUES }} + audience_value: ${{ fromJson(env.AUDIENCE_VALUES) }} runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG From f48402a58c234bb47a396c8fe14767280dc479fb Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 11:58:15 +0300 Subject: [PATCH 14/45] test --- .github/workflows/oidc-integration-test.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 2dc574e6d..e89a309ca 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -18,9 +18,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true -env: - AUDIENCE_VALUES: "['', 'test-audience', 'github-jfrog']" - permissions: id-token: write contents: read @@ -29,7 +26,7 @@ jobs: generate-oidc-integration: strategy: matrix: - audience_value: ${{ fromJson(env.AUDIENCE_VALUES) }} + audience_value: ${{ fromJson('["", "test-audience", "github-jfrog"]') }} runs-on: ubuntu-latest outputs: oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} @@ -83,8 +80,8 @@ jobs: fail-fast: false matrix: os: [ ubuntu, macos, windows ] - cli-version: [ '2.74.1', '2.75.0','latest' ] - audience_value: ${{ fromJson(env.AUDIENCE_VALUES) }} + cli-version: [ '2.74.1', '2.75.0', 'latest' ] + audience_value: ${{ fromJson('["", "test-audience", "github-jfrog"]') }} runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG 
From 7cf343aaf6fa88f918f5fa50b2f31c8de9eef34a Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 12:01:01 +0300 Subject: [PATCH 15/45] test --- .github/workflows/oidc-integration-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index e89a309ca..2ce70cc0e 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -26,7 +26,7 @@ jobs: generate-oidc-integration: strategy: matrix: - audience_value: ${{ fromJson('["", "test-audience", "github-jfrog"]') }} + audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ubuntu-latest outputs: oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} @@ -80,8 +80,8 @@ jobs: fail-fast: false matrix: os: [ ubuntu, macos, windows ] - cli-version: [ '2.74.1', '2.75.0', 'latest' ] - audience_value: ${{ fromJson('["", "test-audience", "github-jfrog"]') }} + cli-version: [ '2.74.1', '2.75.0','latest' ] + audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG From 308692bb9165d4d25574426577ec5420e7ee3583 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 12:04:50 +0300 Subject: [PATCH 16/45] test --- .github/workflows/oidc-integration-test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 2ce70cc0e..7f2e04392 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -26,6 +26,7 @@ jobs: generate-oidc-integration: strategy: matrix: + # This has to match the second audience value in the workflow audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ubuntu-latest outputs: 
@@ -81,6 +82,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] + # This has to match the second audience value in the workflow audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ${{ matrix.os }}-latest env: From e6c5b6fc4c37bdee13494f24efd6ab10324c65db Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:20:14 +0300 Subject: [PATCH 17/45] Update test workflow --- .github/workflows/oidc-integration-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 7f2e04392..d9b5f35ff 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -9,7 +9,7 @@ name: OIDC Integration Test on: push: branches: - - "**" + - "master" # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] @@ -26,7 +26,7 @@ jobs: generate-oidc-integration: strategy: matrix: - # This has to match the second audience value in the workflow + # This has to match the second audience value in the workflow, under oidc-test matrix. audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ubuntu-latest outputs: @@ -82,7 +82,7 @@ jobs: matrix: os: [ ubuntu, macos, windows ] cli-version: [ '2.74.1', '2.75.0','latest' ] - # This has to match the second audience value in the workflow + # This has to match the second audience value in the workflow under generate-oidc-integration matrix. audience_value: [ '' ,'test-audience','github-jfrog' ] runs-on: ${{ matrix.os }}-latest env: From 394b82e4272217a64be6e6d8b60f4df4923ac24d Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:24:49 +0300 Subject: [PATCH 18/45] Update workflow --- .github/workflows/oidc-integration-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index d9b5f35ff..afecfed5a 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -9,7 +9,7 @@ name: OIDC Integration Test on: push: branches: - - "master" + - master # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] @@ -23,7 +23,7 @@ permissions: contents: read jobs: - generate-oidc-integration: + generate-platform-oidc-integration: strategy: matrix: # This has to match the second audience value in the workflow, under oidc-test matrix. @@ -76,7 +76,7 @@ jobs: run: echo "oidc_provider_name=${{ steps.gen-oidc.outputs.oidc_provider_name }}" >> "$GITHUB_ENV" oidc-test: - needs: generate-oidc-integration + needs: generate-platform-oidc-integration strategy: fail-fast: false matrix: From 10390a3a9882646aa3753a3c868b837b15c0be43 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:29:08 +0300 Subject: [PATCH 19/45] Update description --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index afecfed5a..def015869 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -50,7 +50,7 @@ jobs: "provider_type": "GitHub", "audience": "${{ matrix.audience_value }}", "enable_permissive_configuration": "true", - "description": "Test configuration for audience ${{ matrix.audience_value }}" + "description": "Temp integration for testing OIDC with audience: ${{ matrix.audience_value }}" }' - name: Create OIDC Identity Mapping From 0969cbdb7f603db71d41b864239f05243de4c35b Mon Sep 17 00:00:00 2001 
From: delarea Date: Sun, 4 May 2025 15:32:39 +0300 Subject: [PATCH 20/45] Run local tests --- .github/workflows/oidc-integration-test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index def015869..5056f3c9b 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -9,7 +9,9 @@ name: OIDC Integration Test on: push: branches: - - master + # - master + # TODO remove this before merge + - "**" # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] From 74a50105c074b783016d9922145d985cdbaca199 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:49:36 +0300 Subject: [PATCH 21/45] Run local tests --- .github/workflows/oidc-integration-test.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 5056f3c9b..26f78ca2e 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -102,7 +102,7 @@ jobs: JF_URL: ${{ secrets.JFROG_PLATFORM_URL }} with: version: ${{ matrix.cli-version }} - oidc-provider-name: ${{ needs.generate-oidc-integration.outputs.oidc_provider_name }} + oidc-provider-name: ${{ needs.generate-platform-oidc-integration.outputs.oidc_provider_name }} oidc-audience: ${{ matrix.audience_value }} - name: Test JFrog CLI connectivity 
@@ -119,9 +119,10 @@ jobs: cleanup-oidc-integration: needs: oidc-test runs-on: ubuntu-latest + if: always() steps: - name: Delete OIDC integration shell: bash run: | - curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ needs.generate-oidc-integration.outputs.oidc_provider_name }}" \ + curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ needs.generate-platform-oidc-integration.outputs.oidc_provider_name }}" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ No newline at end of file From ae3fcd9dd878418c6f78ef5d9d63e9238b809eda Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:56:50 +0300 Subject: [PATCH 22/45] Test --- .github/workflows/oidc-integration-test.yml | 29 +++++++++------------ 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 26f78ca2e..6bcdd567c 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -1,21 +1,12 @@ name: OIDC Integration Test -# This workflow tests the setup-jfrog-cli GitHub Action's OpenID Connect integration across OSes and CLI versions. -# It ensures backward compatibility with older CLI versions and validates step outputs and connectivity. -# CLI versions used: -# - 2.74.1: Does not support `jf eot` command, validates manual fallback logic. -# - 2.75.0: Introduced native OIDC token exchange. -# - Latest: Ensures ongoing compatibility with the most recent CLI build. on: push: branches: - # - master - # TODO remove this before merge - "**" - # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] -# Ensures that only the latest commit is running for each PR at a time. + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true 
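Review bot: In `cleanup-oidc-integration` the DELETE URL reads `needs.generate-platform-oidc-integration.outputs.oidc_provider_name`, but the job declares only `needs: oidc-test`, and the `needs` context exposes outputs of direct dependencies only. The expression therefore evaluates to an empty string and the request goes to `/access/api/v1/oidc/` with the platform token attached. Declare both jobs, `needs: [generate-platform-oidc-integration, oidc-test]`, so the name resolves while `if: always()` still runs the cleanup after failed tests. The producing job is a matrix, so a single job-level output can carry only one leg's name, whereas the delete needs one name per audience. Passing the token through `env:` instead of interpolating `${{ secrets.JFROG_PLATFORM_RT_TOKEN }}` into the script text would also keep it out of the generated shell file.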
@@ -24,12 +15,16 @@ permissions: id-token: write contents: read +audience_values: &audience_values + - '' + - 'test-audience' + - 'github-jfrog' + jobs: generate-platform-oidc-integration: strategy: matrix: - # This has to match the second audience value in the workflow, under oidc-test matrix. - audience_value: [ '' ,'test-audience','github-jfrog' ] + audience_value: *audience_values runs-on: ubuntu-latest outputs: oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} @@ -83,9 +78,8 @@ jobs: fail-fast: false matrix: os: [ ubuntu, macos, windows ] - cli-version: [ '2.74.1', '2.75.0','latest' ] - # This has to match the second audience value in the workflow under generate-oidc-integration matrix. - audience_value: [ '' ,'test-audience','github-jfrog' ] + cli-version: [ '2.74.1', '2.75.0', 'latest' ] + audience_value: *audience_values runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG @@ -118,11 +112,14 @@ jobs: cleanup-oidc-integration: needs: oidc-test + strategy: + matrix: + audience_value: *audience_values runs-on: ubuntu-latest if: always() steps: - name: Delete OIDC integration shell: bash run: | - curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ needs.generate-platform-oidc-integration.outputs.oidc_provider_name }}" \ + curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ No newline at end of file From 1b779a5cd158ce5f3e913336a571b1e38584e8b9 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 15:59:02 +0300 Subject: [PATCH 23/45] Test --- .github/workflows/oidc-integration-test.yml | 42 ++++++++------------- 1 file changed, 15 insertions(+), 27 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 6bcdd567c..a15242b05 100644 --- a/.github/workflows/oidc-integration-test.yml 
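Review bot: The new top-level `audience_values: &audience_values` block is not a key the workflow schema defines, so GitHub is likely to reject the whole file before any job starts; alias support in workflow files should also be confirmed before relying on `*audience_values`. If the list has to be shared, keep it inside each job's `matrix` with a comment tying the copies together, as the earlier revision did. The cleanup job now rebuilds the provider name from `matrix.audience_value` and `github.run_id`, which has to stay identical to the name used in the create step or the temporary integration is left behind.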
+++ b/.github/workflows/oidc-integration-test.yml @@ -5,7 +5,7 @@ on: branches: - "**" pull_request_target: - types: [ labeled ] + types: [labeled] concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} @@ -15,25 +15,17 @@ permissions: id-token: write contents: read -audience_values: &audience_values - - '' - - 'test-audience' - - 'github-jfrog' - jobs: generate-platform-oidc-integration: strategy: matrix: - audience_value: *audience_values + audience_value: ['', 'test-audience', 'github-jfrog'] runs-on: ubuntu-latest - outputs: - oidc_provider_name: ${{ steps.gen-oidc.outputs.oidc_provider_name }} steps: - name: Generate unique OIDC provider name id: gen-oidc shell: bash - run: | - echo "oidc_provider_name=oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" + run: echo "oidc_provider_name=oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" - name: Create OpenID Connect integration shell: bash 
@@ -42,23 +34,23 @@ jobs: -H "Content-Type: application/json" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ -d '{ - "name": "${{ steps.gen-oidc.outputs.oidc_provider_name }}", + "name": "oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}", "issuer_url": "https://token.actions.githubusercontent.com", "provider_type": "GitHub", "audience": "${{ matrix.audience_value }}", - "enable_permissive_configuration": "true", + "enable_permissive_configuration": true, "description": "Temp integration for testing OIDC with audience: ${{ matrix.audience_value }}" }' - name: Create OIDC Identity Mapping shell: bash run: | - curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ steps.gen-oidc.outputs.oidc_provider_name }}/identity_mappings" \ - -H 'Content-Type: application/json' \ + curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}/identity_mappings" \ + -H "Content-Type: application/json" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ -d '{ "name": "oidc-test-mapping", - "priority": "1", + "priority": 1, "claims": { "repository": "${{ github.repository_owner }}/setup-jfrog-cli" }, @@ -68,18 +60,14 @@ jobs: } }' - - name: Save OIDC provider name - shell: bash - run: echo "oidc_provider_name=${{ steps.gen-oidc.outputs.oidc_provider_name }}" >> "$GITHUB_ENV" - oidc-test: needs: generate-platform-oidc-integration strategy: fail-fast: false matrix: - os: [ ubuntu, macos, windows ] - cli-version: [ '2.74.1', '2.75.0', 'latest' ] - audience_value: *audience_values + os: [ubuntu, macos, windows] + cli-version: ['2.74.1', '2.75.0', 'latest'] + audience_value: ['', 'test-audience', 'github-jfrog'] runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG 
@@ -96,7 +84,7 @@ jobs: JF_URL: ${{ secrets.JFROG_PLATFORM_URL }} with: version: ${{ matrix.cli-version }} - oidc-provider-name: ${{ needs.generate-platform-oidc-integration.outputs.oidc_provider_name }} + oidc-provider-name: oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }} oidc-audience: ${{ matrix.audience_value }} - name: Test JFrog CLI connectivity @@ -112,14 +100,14 @@ jobs: cleanup-oidc-integration: needs: oidc-test + if: always() strategy: matrix: - audience_value: *audience_values + audience_value: ['', 'test-audience', 'github-jfrog'] runs-on: ubuntu-latest - if: always() steps: - name: Delete OIDC integration shell: bash run: | curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" \ - -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ No newline at end of file + -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" From 9173db986c5c9747e9d4e3be05d62e09d6d08cde Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:01:11 +0300 Subject: [PATCH 24/45] Ready to merge --- .github/workflows/oidc-integration-test.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index a15242b05..770b1d66f 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -1,12 +1,19 @@ name: OIDC Integration Test +# This workflow tests the setup-jfrog-cli GitHub Action's OpenID Connect integration across OSes and CLI versions. +# It ensures backward compatibility with older CLI versions and validates step outputs and connectivity. +# CLI versions used: +# - 2.74.1: Does not support `jf eot` command, validates manual fallback logic. +# - 2.75.0: Introduced native OIDC token exchange. +# - Latest: Ensures ongoing compatibility with the most recent CLI build. on: push: branches: - - "**" + - master + # Triggers the workflow on labeled PRs only. pull_request_target: - types: [labeled] - + types: [ labeled ] +# Ensures that only the latest commit is running for each PR at a time. concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true From ca3e7a811112066fd5cd7ad805e1d9b1a74851f1 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:20:31 +0300 Subject: [PATCH 25/45] CR --- .github/workflows/oidc-integration-test.yml | 3 ++- lib/oidc-utils.js | 2 +- lib/utils.js | 2 +- src/oidc-utils.ts | 2 +- src/utils.ts | 2 +- test/main.spec.ts | 2 +- 6 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 770b1d66f..5816afb4d 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -9,7 +9,8 @@ name: OIDC Integration Test on: push: branches: - - master + #- master + - "**" # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index 4ab484624..fd9cce77c 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -91,7 +91,7 @@ class OidcUtils { throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.'); } const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl]; - if (creds.oidcAudience) { + if (creds.oidcAudience !== "") { args.push('--oidc-audience', creds.oidcAudience); } output = yield utils_1.Utils.runCliAndGetOutput(args, { silent: true }); diff --git a/lib/utils.js b/lib/utils.js index 7682770d9..c9673c73c 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -55,7 +55,7 @@ class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG), + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', oidcTokenId: '', }; if (jfrogCredentials.password && !jfrogCredentials.username) { diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 94249bccd..ce6a3ee9d 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts @@ -70,7 +70,7 @@ export class OidcUtils { } const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl]; - if (creds.oidcAudience) { + if (creds.oidcAudience !== "") { args.push('--oidc-audience', creds.oidcAudience); } output = await Utils.runCliAndGetOutput(args, { silent: true }); diff --git a/src/utils.ts b/src/utils.ts index 6a522ade8..a2bf08c6f 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -65,7 +65,7 @@ export class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG), + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', oidcTokenId: '', } as JfrogCredentials; diff --git a/test/main.spec.ts b/test/main.spec.ts index 393433d2e..7fbbb1b8e 100644 --- a/test/main.spec.ts +++ b/test/main.spec.ts 
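Review bot: In `src/oidc-utils.ts`, replacing the truthiness test with `creds.oidcAudience !== ""` lets an `undefined` audience through to `args.push('--oidc-audience', creds.oidcAudience)`, which the old `if (creds.oidcAudience)` excluded. The `|| ''` added in `src/utils.ts` covers credentials built there, but whether the field can be `undefined` for other callers is not visible in this hunk. Keep the guard self-contained, `if (creds.oidcAudience !== undefined && creds.oidcAudience !== '') {`, and regenerate `lib/oidc-utils.js`, which carries the same comparison. The enclosing method starts and ends outside the hunk.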
@@ -127,7 +127,7 @@ describe('Collect JFrog Credentials from env vars exceptions', () => { expect(jfrogCredentials.accessToken).toBeUndefined(); expect(jfrogCredentials.username).toBeUndefined(); expect(jfrogCredentials.password).toBeUndefined(); - expect(jfrogCredentials.oidcAudience).toBeUndefined() + expect(jfrogCredentials.oidcAudience).toEqual("") }); }); From 84750a1eb867de3ea60eb544487c3d6cf5d69e18 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:23:10 +0300 Subject: [PATCH 26/45] CR --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 5816afb4d..7b402f889 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -27,7 +27,7 @@ jobs: generate-platform-oidc-integration: strategy: matrix: - audience_value: ['', 'test-audience', 'github-jfrog'] + audience_value: ['', 'test-audience'] runs-on: ubuntu-latest steps: - name: Generate unique OIDC provider name @@ -75,7 +75,7 @@ jobs: matrix: os: [ubuntu, macos, windows] cli-version: ['2.74.1', '2.75.0', 'latest'] - audience_value: ['', 'test-audience', 'github-jfrog'] + audience_value: ['', 'test-audience'] runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG From e9c6e84174bc73aeddb28fa737b2552dd708b01e Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:24:27 +0300 Subject: [PATCH 27/45] Fix matrix --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 7b402f889..2e65fca55 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -111,7 +111,7 @@ jobs: if: always() strategy: matrix: - audience_value: ['', 'test-audience', 'github-jfrog'] + audience_value: ['', 'test-audience'] runs-on: ubuntu-latest steps: - name: Delete OIDC integration From 8a0f1004317ad33860e42f4095a4fce4e2e447aa Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:25:02 +0300 Subject: [PATCH 28/45] Fix matrix --- .github/workflows/oidc-integration-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 2e65fca55..3e39d2a78 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -27,6 +27,7 @@ jobs: generate-platform-oidc-integration: strategy: matrix: + # Test with a default and provided audience value audience_value: ['', 'test-audience'] runs-on: ubuntu-latest steps: From e58752c289100cb2f31c2488bf48761b7b83062a Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:31:33 +0300 Subject: [PATCH 29/45] Remove unneeded step --- .github/workflows/oidc-integration-test.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 3e39d2a78..04e95af6e 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -31,11 +31,6 @@ jobs: audience_value: ['', 'test-audience'] runs-on: ubuntu-latest steps: - - name: Generate unique OIDC provider name - id: gen-oidc - shell: bash - run: echo "oidc_provider_name=oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" >> "$GITHUB_OUTPUT" - - name: Create OpenID Connect integration shell: bash run: | From 4e87feafe7a0ea6b9402f6e0015a055eeebeb505 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:40:21 +0300 Subject: [PATCH 30/45] Test change default --- lib/utils.js | 2 +- src/utils.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/utils.js b/lib/utils.js index c9673c73c..6c59e165e 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -55,7 +55,7 @@ class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || 'bad-default', oidcTokenId: '', }; if (jfrogCredentials.password && !jfrogCredentials.username) { diff --git a/src/utils.ts b/src/utils.ts index a2bf08c6f..c01f4f3ea 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -65,7 +65,7 @@ export class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || 'bad-default', oidcTokenId: '', } as JfrogCredentials; From 8a6cf1cb17b3b89c51d9946e01fee373317f239f Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:47:08 +0300 Subject: [PATCH 31/45] Test change default --- lib/oidc-utils.js | 25 +++++++------------------ src/oidc-utils.ts | 22 ++++++---------------- 2 files changed, 13 insertions(+), 34 deletions(-) diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index fd9cce77c..6ba02e18f 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js 
@@ -64,7 +64,13 @@ class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = yield this.getIdToken(jfrogCredentials.oidcAudience); + try { + core.debug('Attempting to fetch JSON Web Token (JWT) ID token with audience value: ' + jfrogCredentials.oidcAudience); + jfrogCredentials.oidcTokenId = yield core.getIDToken(jfrogCredentials.oidcAudience); + } + catch (error) { + throw new Error(`Failed to fetch OpenID Connect JSON Web Token: ${error.message}`); + } // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. if (this.isCLIVersionOidcSupported() && !core.getInput(utils_1.Utils.CLI_REMOTE_ARG)) { @@ -288,23 +294,6 @@ class OidcUtils { return yield fs_1.promises.readFile(configRelativePath, 'utf-8'); }); } - /** - * Fetches a JSON Web Token (JWT) ID token from GitHub's OIDC provider. - * @param audience - The intended audience for the token. - * @returns A promise that resolves to the JWT ID token as a string. - * @throws An error if fetching the token fails. - */ - static getIdToken(audience) { - return __awaiter(this, void 0, void 0, function* () { - core.debug('Attempting to fetch JSON Web Token (JWT) ID token...'); - try { - return yield core.getIDToken(audience); - } - catch (error) { - throw new Error(`Failed to fetch OpenID Connect JSON Web Token: ${error.message}`); - } - }); - } static isCLIVersionOidcSupported() { const version = core.getInput(utils_1.Utils.CLI_VERSION_ARG) || ''; if (version === '') { diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index ce6a3ee9d..f103aaccf 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -41,7 +41,12 @@ export class OidcUtils { throw new Error(`JF_URL must be provided when oidc-provider-name is specified`); } // Get OIDC token ID from GitHub - jfrogCredentials.oidcTokenId = await this.getIdToken(jfrogCredentials. oidcAudience); + try { + core.debug('Attempting to fetch JSON Web Token (JWT) ID token with audience value: ' + jfrogCredentials.oidcAudience); + jfrogCredentials.oidcTokenId = await core.getIDToken(jfrogCredentials.oidcAudience); + } catch (error: any) { + throw new Error(`Failed to fetch OpenID Connect JSON Web Token: ${error.message}`); + } // Version should be more than min version // If CLI_REMOTE_ARG specified, we have to fetch token before we can download the CLI. @@ -277,21 +282,6 @@ export class OidcUtils { return await fs.readFile(configRelativePath, 'utf-8'); } - /** - * Fetches a JSON Web Token (JWT) ID token from GitHub's OIDC provider. - * @param audience - The intended audience for the token. - * @returns A promise that resolves to the JWT ID token as a string. - * @throws An error if fetching the token fails. - */ - private static async getIdToken(audience: string): Promise { - core.debug('Attempting to fetch JSON Web Token (JWT) ID token...'); - try { - return await core.getIDToken(audience); - } catch (error: any) { - throw new Error(`Failed to fetch OpenID Connect JSON Web Token: ${error.message}`); - } - } - public static isCLIVersionOidcSupported(): boolean { const version: string = core.getInput(Utils.CLI_VERSION_ARG) || ''; if (version === '') { From 6b1493ba6f4c3c6f1e03a550ce5a84abbff9b543 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:54:40 +0300 Subject: [PATCH 32/45] Test --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 04e95af6e..ebaa9dce4 100644 --- a/.github/workflows/oidc-integration-test.yml 
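Review bot: The added `catch (error: any)` disables checking on the caught value, and `error.message` becomes `undefined` in the thrown text when something other than an `Error` is raised. Prefer `catch (error: unknown)` and build the message with `error instanceof Error ? error.message : String(error)`. The removed `getIdToken` helper had the same pattern, so this is carried over rather than new; the enclosing method starts outside the hunk.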
+++ b/.github/workflows/oidc-integration-test.yml @@ -28,7 +28,7 @@ jobs: strategy: matrix: # Test with a default and provided audience value - audience_value: ['', 'test-audience'] + audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration @@ -43,7 +43,7 @@ jobs: "provider_type": "GitHub", "audience": "${{ matrix.audience_value }}", "enable_permissive_configuration": true, - "description": "Temp integration for testing OIDC with audience: ${{ matrix.audience_value }}" + "description": "Temp integration for testing OIDC with audience value: ${{ matrix.audience_value }}" }' - name: Create OIDC Identity Mapping From 41b1c2de8bb2e3a50171fb60ecbbac119d0dedee Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 16:55:49 +0300 Subject: [PATCH 33/45] Test --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index ebaa9dce4..5682eeb83 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -71,7 +71,7 @@ jobs: matrix: os: [ubuntu, macos, windows] cli-version: ['2.74.1', '2.75.0', 'latest'] - audience_value: ['', 'test-audience'] + audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG @@ -107,7 +107,7 @@ jobs: if: always() strategy: matrix: - audience_value: ['', 'test-audience'] + audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] runs-on: ubuntu-latest steps: - name: Delete OIDC integration From b7bf8922e1ed12d3be80774f77866bc561c9971a Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:06:56 +0300 Subject: [PATCH 34/45] Test --- .github/workflows/oidc-integration-test.yml | 54 ++++++++++++++------- 1 file changed, 37 insertions(+), 17 deletions(-) 
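Review bot: The new matrix entry `'https://github.com/eyaldelarea'` contains `:` and `/`, and the earlier create and delete steps build the integration name and the request path as `oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}`. If that is still the case here, the value splits the URL path and the name may be rejected. Give each matrix leg a separate URL-safe identifier for the name and keep the audience only in the `"audience"` field. The following commit applies the same list to `oidc-test` and `cleanup-oidc-integration`, so the identifier is needed in all three matrices.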
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 5682eeb83..015dba36e 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -1,20 +1,14 @@ name: OIDC Integration Test # This workflow tests the setup-jfrog-cli GitHub Action's OpenID Connect integration across OSes and CLI versions. # It ensures backward compatibility with older CLI versions and validates step outputs and connectivity. -# CLI versions used: -# - 2.74.1: Does not support `jf eot` command, validates manual fallback logic. -# - 2.75.0: Introduced native OIDC token exchange. -# - Latest: Ensures ongoing compatibility with the most recent CLI build. on: push: branches: - #- master - "**" - # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] -# Ensures that only the latest commit is running for each PR at a time. + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true @@ -27,8 +21,13 @@ jobs: generate-platform-oidc-integration: strategy: matrix: - # Test with a default and provided audience value - audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] + include: + - audience_id: default + audience_value: '' + - audience_id: test + audience_value: 'test-audience' + - audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration @@ -38,7 +37,7 @@ jobs: -H "Content-Type: application/json" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ -d '{ - "name": "oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}", + "name": "oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}", "issuer_url": "https://token.actions.githubusercontent.com", "provider_type": "GitHub", "audience": "${{ matrix.audience_value }}", 
@@ -49,7 +48,7 @@ jobs: - name: Create OIDC Identity Mapping shell: bash run: | - curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}/identity_mappings" \ + curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}/identity_mappings" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \ -d '{ @@ -69,9 +68,27 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu, macos, windows] - cli-version: ['2.74.1', '2.75.0', 'latest'] - audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] + include: + - os: ubuntu + cli-version: '2.74.1' + audience_id: default + audience_value: '' + - os: ubuntu + cli-version: '2.75.0' + audience_id: test + audience_value: 'test-audience' + - os: ubuntu + cli-version: latest + audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' + - os: macos + cli-version: latest + audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' + - os: windows + cli-version: latest + audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG @@ -88,7 +105,7 @@ jobs: JF_URL: ${{ secrets.JFROG_PLATFORM_URL }} with: version: ${{ matrix.cli-version }} - oidc-provider-name: oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }} + oidc-provider-name: oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }} oidc-audience: ${{ matrix.audience_value }} - name: Test JFrog CLI connectivity 
@@ -107,11 +124,14 @@ jobs: if: always() strategy: matrix: - audience_value: ['', 'test-audience','https://github.com/eyaldelarea'] + include: + - audience_id: default + - audience_id: test + - audience_id: github-default runs-on: ubuntu-latest steps: - name: Delete OIDC integration shell: bash run: | - curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_value }}-${{ github.run_id }}" \ + curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}" \ -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" From e3d89770aec3499b88a75a4b3a8191c6a6988633 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:11:02 +0300 Subject: [PATCH 35/45] Test --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 015dba36e..d2bddb0d5 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -80,7 +80,7 @@ jobs: - os: ubuntu cli-version: latest audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' + audience_value: '' - os: macos cli-version: latest audience_id: github-default From 7ee09c3d7b2fc06331c45d4950f83ccee9ed9bab Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:15:10 +0300 Subject: [PATCH 36/45] Test --- lib/utils.js | 2 +- src/utils.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/utils.js b/lib/utils.js index 6c59e165e..c9673c73c 100644 --- a/lib/utils.js +++ b/lib/utils.js 
@@ -55,7 +55,7 @@ class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || 'bad-default', + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', oidcTokenId: '', }; if (jfrogCredentials.password && !jfrogCredentials.username) { diff --git a/src/utils.ts b/src/utils.ts index c01f4f3ea..a2bf08c6f 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -65,7 +65,7 @@ export class Utils { username: process.env.JF_USER, password: process.env.JF_PASSWORD, oidcProviderName: core.getInput(Utils.OIDC_INTEGRATION_PROVIDER_NAME), - oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || 'bad-default', + oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG) || '', oidcTokenId: '', } as JfrogCredentials; From a8703c2b90dc3843760ddfdf4002be57afb5f677 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:35:53 +0300 Subject: [PATCH 37/45] local test --- .github/workflows/oidc-integration-test.yml | 40 +++++++++------------ lib/oidc-utils.js | 1 + src/oidc-utils.ts | 1 + 3 files changed, 18 insertions(+), 24 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index d2bddb0d5..32b9cc69f 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -81,14 +81,6 @@ jobs: cli-version: latest audience_id: github-default audience_value: '' - - os: macos - cli-version: latest - audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' - - os: windows - cli-version: latest - audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG 
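Review bot: The `|| ''` fallback on `oidcAudience` in src/utils.ts does nothing, since `core.getInput` already returns an empty string for an input that is not set; `oidcAudience: core.getInput(Utils.OIDC_AUDIENCE_ARG),` reads the same and leaves no leftover of the old placeholder. A one-line comment such as `// empty: --oidc-audience is not passed to the CLI` would record why an empty value is valid here. The enclosing method starts and ends outside the hunk, and lib/utils.js carries the compiled copy of the same line.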
@@ -119,19 +111,19 @@ jobs: shell: bash run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-token }}" - cleanup-oidc-integration: - needs: oidc-test - if: always() - strategy: - matrix: - include: - - audience_id: default - - audience_id: test - - audience_id: github-default - runs-on: ubuntu-latest - steps: - - name: Delete OIDC integration - shell: bash - run: | - curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}" \ - -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" +# cleanup-oidc-integration: +# needs: oidc-test +# if: always() +# strategy: +# matrix: +# include: +# - audience_id: default +# - audience_id: test +# - audience_id: github-default +# runs-on: ubuntu-latest +# steps: +# - name: Delete OIDC integration +# shell: bash +# run: | +# curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}" \ +# -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index 6ba02e18f..845fcebbc 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js @@ -100,6 +100,7 @@ class OidcUtils { if (creds.oidcAudience !== "") { args.push('--oidc-audience', creds.oidcAudience); } + core.debug('Running CLI command: ' + args.join(' ')); output = yield utils_1.Utils.runCliAndGetOutput(args, { silent: true }); const { accessToken, username } = this.extractValuesFromOIDCToken(output); this.setOidcStepOutputs(username, accessToken); diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index f103aaccf..634c802ad 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -78,6 +78,7 @@ export class OidcUtils { if (creds.oidcAudience !== "") { args.push('--oidc-audience', creds.oidcAudience); } + core.debug('Running CLI command: ' + args.join(' ')); output = await Utils.runCliAndGetOutput(args, { silent: true }); const { accessToken, username }: CliExchangeTokenResponse = this.extractValuesFromOIDCToken(output); From 8341c09c6ab633d84648cbe3c0dcc7b40cdb8458 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:40:22 +0300 Subject: [PATCH 38/45] case sensitive default github --- .github/workflows/oidc-integration-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 32b9cc69f..1b835fa93 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -27,7 +27,7 @@ jobs: - audience_id: test audience_value: 'test-audience' - audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' + audience_value: 'https://github.com/EyalDelarea' runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration From c123c181f052a17c670e3cae10d4b6de8ff82cf4 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:47:22 +0300 Subject: [PATCH 39/45] Test all cases locally --- .github/workflows/oidc-integration-test.yml | 63 +++++++++++++-------- 1 file changed, 40 insertions(+), 23 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 1b835fa93..c58dfe0d7 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
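Review bot: `core.debug('Running CLI command: ' + args.join(' '))` writes the whole argument list to the log, and in the earlier revision of this call the list held `creds.oidcTokenId` next to the provider name and the platform URL. If `args` is still built that way (its construction is above this hunk), the GitHub-issued ID token ends up in the step-debug log whenever debug logging is on, unless it was registered with `core.setSecret` somewhere not shown. Log only the non-sensitive parts, for example `core.debug('Running jf eot for provider ' + creds.oidcProviderName);`, or redact the token position before joining. lib/oidc-utils.js carries the compiled copy of the same line.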
@@ -26,6 +26,8 @@ jobs: audience_value: '' - audience_id: test audience_value: 'test-audience' + # When not provided, GitHub resolves the audience value to the URL of the GitHub repository owner. + # This test makes sure this issue won't happen again https://github.com/jfrog/setup-jfrog-cli/issues/270. - audience_id: github-default audience_value: 'https://github.com/EyalDelarea' runs-on: ubuntu-latest @@ -69,18 +71,33 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu - cli-version: '2.74.1' + - cli-version: '2.74.1' audience_id: default audience_value: '' - - os: ubuntu - cli-version: '2.75.0' + - cli-version: '2.75.0' + audience_id: default + audience_value: '' + - cli-version: latest + audience_id: default + audience_value: '' + - cli-version: '2.74.1' + audience_id: test + audience_value: 'test-audience' + - cli-version: '2.75.0' audience_id: test audience_value: 'test-audience' - - os: ubuntu - cli-version: latest + - cli-version: latest + audience_id: test + audience_value: 'test-audience' + - cli-version: '2.74.1' audience_id: github-default - audience_value: '' + audience_value: 'https://github.com/eyaldelarea' + - cli-version: '2.75.0' + audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' + - cli-version: latest + audience_id: github-default + audience_value: 'https://github.com/eyaldelarea' runs-on: ${{ matrix.os }}-latest env: JFROG_CLI_LOG_LEVEL: DEBUG 
@@ -111,19 +128,19 @@ jobs: shell: bash run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-token }}" -# cleanup-oidc-integration: -# needs: oidc-test -# if: always() -# strategy: -# matrix: -# include: -# - audience_id: default -# - audience_id: test -# - audience_id: github-default -# runs-on: ubuntu-latest -# steps: -# - name: Delete OIDC integration -# shell: bash -# run: | -# curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}" \ -# -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" + cleanup-oidc-integration: + needs: oidc-test + if: always() + strategy: + matrix: + include: + - audience_id: default + - audience_id: test + - audience_id: github-default + runs-on: ubuntu-latest + steps: + - name: Delete OIDC integration + shell: bash + run: | + curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/oidc-integration-${{ matrix.audience_id }}-${{ github.run_id }}" \ + -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" From b634528d159db7b7fd8e6507e48e5f0cd387cbaa Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:49:55 +0300 Subject: [PATCH 40/45] Fix image name --- .github/workflows/oidc-integration-test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index c58dfe0d7..635925523 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -91,14 +91,14 @@ jobs: audience_value: 'test-audience' - cli-version: '2.74.1' audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' + audience_value: '' - cli-version: '2.75.0' audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' + audience_value: '' - cli-version: latest audience_id: github-default - audience_value: 'https://github.com/eyaldelarea' - runs-on: ${{ matrix.os }}-latest + audience_value: '' + runs-on: ubuntu-latest env: JFROG_CLI_LOG_LEVEL: DEBUG steps: From 0f899dfc8990aa0cb231fe71d1f9686313a5a617 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 17:53:08 +0300 Subject: [PATCH 41/45] Prepare workflow for merge --- .github/workflows/oidc-integration-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 635925523..f96d082b8 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -5,7 +5,7 @@ name: OIDC Integration Test on: push: branches: - - "**" + - master pull_request_target: types: [ labeled ] @@ -29,7 +29,7 @@ jobs: # When not provided, GitHub resolves the audience value to the URL of the GitHub repository owner. # This test makes sure this issue won't happen again https://github.com/jfrog/setup-jfrog-cli/issues/270. - audience_id: github-default - audience_value: 'https://github.com/EyalDelarea' + audience_value: 'https://github.com/jfrog' runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration From 8d6dd55c0b3683c2b2282b1150797b3ee68b4c9f Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 18:04:24 +0300 Subject: [PATCH 42/45] test locally --- .github/workflows/oidc-integration-test.yml | 35 +++++++++++++++------ 1 file changed, 26 insertions(+), 9 deletions(-) 
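Review bot: `audience_value: 'https://github.com/jfrog'` on the `github-default` entry hard-codes the repository owner, so the scenario matches GitHub's default audience only when the workflow runs in the jfrog organisation; the earlier commits in this series had to edit the value, including its casing, for a personal fork. Deriving it from the run, `audience_value: 'https://github.com/${{ github.repository_owner }}'`, should keep the platform integration and the token's audience in step wherever the workflow runs. It is worth confirming that the owner's casing from that context matches what GitHub puts in the token.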
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index f96d082b8..445269252 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -1,14 +1,19 @@ name: OIDC Integration Test # This workflow tests the setup-jfrog-cli GitHub Action's OpenID Connect integration across OSes and CLI versions. # It ensures backward compatibility with older CLI versions and validates step outputs and connectivity. - +# CLI versions used: +# - 2.74.1: Does not support `jf eot` command, validates manual fallback logic. +# - 2.75.0: Introduced native OIDC token exchange. +# - Latest: Ensures ongoing compatibility with the most recent CLI build. on: push: branches: - - master +# - master + - "**" + # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ] - +# Ensures that only the latest commit is running for each PR at a time. concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} cancel-in-progress: true @@ -20,6 +25,14 @@ permissions: jobs: generate-platform-oidc-integration: strategy: + # Using "include" here instead of a typical matrix of arrays gives us granular control over combinations. + # This is necessary because we need to generate different audience values, some of which contain characters + # not suitable for dynamic naming or matrix keys. + # Each audience represents a different real-world use case: + # - "default": no audience provided, tests implicit GitHub behavior. + # - "test": explicitly defined audience for testing purposes. + # - "github-explicit-default": GitHub's default audience (explicitly passed) to test edge behavior, + # when a user is defining the default audience in the platform but not in the action (leaving empty). matrix: include: - audience_id: default 
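Review bot: The new comment `# Triggers the workflow on labeled PRs only.` leaves out what a maintainer needs to know before labelling: `pull_request_target` runs in the base repository's context, and the jobs in this workflow use `secrets.JFROG_PLATFORM_RT_TOKEN`. Nothing in the visible hunks shows which label is required or which ref the test job checks out, so I would extend the comment, e.g. `# pull_request_target runs with repository secrets: review the PR's code before applying the label.` If any label at all starts the run, a job-level `if:` on the label name would narrow it. The job definitions are outside this hunk.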
@@ -28,8 +41,8 @@ jobs: audience_value: 'test-audience' # When not provided, GitHub resolves the audience value to the URL of the GitHub repository owner. # This test makes sure this issue won't happen again https://github.com/jfrog/setup-jfrog-cli/issues/270. - - audience_id: github-default - audience_value: 'https://github.com/jfrog' + - audience_id: github-explicit-default + audience_value: 'https://github.com/EyalDelarea' runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration @@ -69,6 +82,8 @@ jobs: needs: generate-platform-oidc-integration strategy: fail-fast: false + # Using include allows exact combinations of CLI version and audience ID to ensure coverage of edge cases. + # This avoids invalid audience strings in identifiers and ensures fallback logic is tested selectively. matrix: include: - cli-version: '2.74.1' @@ -90,13 +105,15 @@ jobs: audience_id: test audience_value: 'test-audience' - cli-version: '2.74.1' - audience_id: github-default + audience_id: github-explicit-default + # GitHub default audience value is resolved implicitly when omitted. + # These tests verify that the CLI handles an empty value correctly while GitHub sets the expected audience on its backend. audience_value: '' - cli-version: '2.75.0' - audience_id: github-default + audience_id: github-explicit-default audience_value: '' - cli-version: latest - audience_id: github-default + audience_id: github-explicit-default audience_value: '' runs-on: ubuntu-latest env: @@ -136,7 +153,7 @@ jobs: include: - audience_id: default - audience_id: test - - audience_id: github-default + - audience_id: github-explicit-default runs-on: ubuntu-latest steps: - name: Delete OIDC integration From 6175f37209f8bf1cf33211546e1dc0b65819fcf8 Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 5 May 2025 10:45:09 +0300 Subject: [PATCH 43/45] Edit comments --- .github/workflows/oidc-integration-test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 445269252..c3d8c8a50 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -32,7 +32,7 @@ jobs: # - "default": no audience provided, tests implicit GitHub behavior. # - "test": explicitly defined audience for testing purposes. # - "github-explicit-default": GitHub's default audience (explicitly passed) to test edge behavior, - # when a user is defining the default audience in the platform but not in the action (leaving empty). + # when a user is defining the default audience in the platform but not in the action. matrix: include: - audience_id: default @@ -74,7 +74,7 @@ jobs: }, "token_spec": { "scope": "applied-permissions/groups:readers", - "expires_in": 10 + "expires_in": 30 } }' @@ -104,10 +104,10 @@ jobs: - cli-version: latest audience_id: test audience_value: 'test-audience' - - cli-version: '2.74.1' - audience_id: github-explicit-default # GitHub default audience value is resolved implicitly when omitted. # These tests verify that the CLI handles an empty value correctly while GitHub sets the expected audience on its backend. + - cli-version: '2.74.1' + audience_id: github-explicit-default audience_value: '' - cli-version: '2.75.0' audience_id: github-explicit-default From 99d04f217ce1faa0048ef7a3f444f982699fcc20 Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 5 May 2025 11:08:54 +0300 Subject: [PATCH 44/45] Test renames --- .github/workflows/oidc-integration-test.yml | 41 ++++++++++----------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index c3d8c8a50..8615652d7 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -8,7 +8,7 @@ name: OIDC Integration Test on: push: branches: -# - master + - master - "**" # Triggers the workflow on labeled PRs only. pull_request_target: 
@@ -25,24 +25,23 @@ permissions: jobs: generate-platform-oidc-integration: strategy: - # Using "include" here instead of a typical matrix of arrays gives us granular control over combinations. - # This is necessary because we need to generate different audience values, some of which contain characters - # not suitable for dynamic naming or matrix keys. - # Each audience represents a different real-world use case: - # - "default": no audience provided, tests implicit GitHub behavior. - # - "test": explicitly defined audience for testing purposes. - # - "github-explicit-default": GitHub's default audience (explicitly passed) to test edge behavior, - # when a user is defining the default audience in the platform but not in the action. + # Using "include" instead of a matrix of arrays gives us fine-grained control over test combinations. + # This is needed because some audience values (e.g., URLs) contain characters not valid in matrix keys or job names. + # + # Each scenario represents a real-world case: + # - "default": No audience is set in the action or the platform integration. + # - "test": A custom audience is explicitly set in both the action and the platform integration. + # - "github-implicit-default": The platform integration is explicitly configured with GitHub's default audience, + # but the action does not pass any audience. + # This tests CLI behavior in case of mismatches — see https://github.com/jfrog/setup-jfrog-cli/issues/270 matrix: include: - audience_id: default audience_value: '' - audience_id: test - audience_value: 'test-audience' - # When not provided, GitHub resolves the audience value to the URL of the GitHub repository owner. - # This test makes sure this issue won't happen again https://github.com/jfrog/setup-jfrog-cli/issues/270. 
- - audience_id: github-explicit-default - audience_value: 'https://github.com/EyalDelarea' + audience_value: 'audience-value' + - audience_id: github-implicit-default + audience_value: 'https://github.com/jfrog' runs-on: ubuntu-latest steps: - name: Create OpenID Connect integration @@ -97,23 +96,23 @@ jobs: audience_value: '' - cli-version: '2.74.1' audience_id: test - audience_value: 'test-audience' + audience_value: 'audience-value' - cli-version: '2.75.0' audience_id: test - audience_value: 'test-audience' + audience_value: 'audience-value' - cli-version: latest audience_id: test - audience_value: 'test-audience' + audience_value: 'audience-value' # GitHub default audience value is resolved implicitly when omitted. # These tests verify that the CLI handles an empty value correctly while GitHub sets the expected audience on its backend. - cli-version: '2.74.1' - audience_id: github-explicit-default + audience_id: github-implicit-default audience_value: '' - cli-version: '2.75.0' - audience_id: github-explicit-default + audience_id: github-implicit-default audience_value: '' - cli-version: latest - audience_id: github-explicit-default + audience_id: github-implicit-default audience_value: '' runs-on: ubuntu-latest env: @@ -153,7 +152,7 @@ jobs: include: - audience_id: default - audience_id: test - - audience_id: github-explicit-default + - audience_id: github-implicit-default runs-on: ubuntu-latest steps: - name: Delete OIDC integration From 48afeaa41e81832c355cd6f92da4e134a80eaacc Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 5 May 2025 11:12:34 +0300 Subject: [PATCH 45/45] Prepare action for merge --- .github/workflows/oidc-integration-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index 8615652d7..099767e6c 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml 
@@ -9,7 +9,6 @@ on: push: branches: - master - - "**" # Triggers the workflow on labeled PRs only. pull_request_target: types: [ labeled ]