Add GitHub context variables to OIDC token exchange payload (jfrog#283)

Author: MariaVinog

lib/oidc-utils.js

@@ -97,7 +97,7 @@ class OidcUtils {
                 throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.');
             }
             const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl];
-            if (creds.oidcAudience !== "") {
+            if (creds.oidcAudience !== '') {
                 args.push('--oidc-audience', creds.oidcAudience);
             }
             core.debug('Running CLI command: ' + args.join(' '));
@@ -223,7 +223,7 @@ class OidcUtils {
         core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
     }
     static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e, _f, _g, _h;
         return {
             grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
             subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
@@ -233,9 +233,23 @@ class OidcUtils {
             gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '',
             gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '',
             gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '',
+            gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '',
+            gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '',
             application_key: applicationKey,
+            context: {
+                vcs_commit: {
+                    vcs_url: this.buildVcsUrl(),
+                    branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '',
+                    revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '',
+                },
+            },
         };
     }
+    static buildVcsUrl() {
+        const serverUrl = process.env.GITHUB_SERVER_URL;
+        const repo = process.env.GITHUB_REPOSITORY;
+        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
+    }
     /**
      * Retrieves the application key from .jfrog/config file.
      *

src/oidc-utils.ts

@@ -74,8 +74,8 @@ export class OidcUtils {
             throw new Error('Missing one or more required fields: OIDC provider name, token ID, or JFrog Platform URL.');
         }
 
-        const args = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl];
-        if (creds.oidcAudience !== "") {
+        const args: string[] = ['eot', creds.oidcProviderName, creds.oidcTokenId, '--url', creds.jfrogUrl];
+        if (creds.oidcAudience !== '') {
             args.push('--oidc-audience', creds.oidcAudience);
         }
         core.debug('Running CLI command: ' + args.join(' '));
@@ -211,7 +211,7 @@ export class OidcUtils {
         core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
     }
 
-    private static buildOidcTokenExchangePayload(jwt: string, providerName: string, applicationKey: string): Record<string, string> {
+    private static buildOidcTokenExchangePayload(jwt: string, providerName: string, applicationKey: string): Record<string, any> {
         return {
             grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
             subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
@@ -221,10 +221,25 @@ export class OidcUtils {
             gh_job_id: process.env.GITHUB_JOB ?? '',
             gh_run_id: process.env.GITHUB_RUN_ID ?? '',
             gh_repo: process.env.GITHUB_REPOSITORY ?? '',
+            gh_revision: process.env.GITHUB_SHA ?? '',
+            gh_branch: process.env.GITHUB_REF_NAME ?? '',
             application_key: applicationKey,
+            context: {
+                vcs_commit: {
+                    vcs_url: this.buildVcsUrl(),
+                    branch: process.env.GITHUB_REF_NAME ?? '',
+                    revision: process.env.GITHUB_SHA ?? '',
+                },
+            },
         };
     }
 
+    private static buildVcsUrl(): string {
+        const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
+        const repo: string | undefined = process.env.GITHUB_REPOSITORY;
+        return serverUrl && repo ? `${serverUrl}/${repo}` : '';
+    }
+
     /**
      * Retrieves the application key from .jfrog/config file.
      *

src/types.ts

@@ -12,7 +12,7 @@ export interface JfrogCredentials {
     accessToken?: string;
     oidcProviderName?: string;
     oidcTokenId?: string;
-    oidcAudience : string;
+    oidcAudience: string;
 }
 
 /**

test/main.spec.ts

@@ -127,7 +127,7 @@ describe('Collect JFrog Credentials from env vars exceptions', () => {
         expect(jfrogCredentials.accessToken).toBeUndefined();
         expect(jfrogCredentials.username).toBeUndefined();
         expect(jfrogCredentials.password).toBeUndefined();
-        expect(jfrogCredentials.oidcAudience).toEqual("")
+        expect(jfrogCredentials.oidcAudience).toEqual('');
     });
 });
 

test/oidc-utils.spec.ts

@@ -88,7 +88,7 @@ describe('OidcUtils', (): void => {
         it('should throw if creds are missing required fields', async (): Promise<void> => {
             const incompleteCreds: JfrogCredentials = {
                 jfrogUrl: 'https://example.jfrog.io',
-                oidcAudience: ''
+                oidcAudience: '',
                 // missing provider and token ID
             };