Support trusted publishers (#138)

.github/workflows/check-dist.yml

@@ -23,10 +23,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set Node.js 16.x
+      - name: Set up Node.js
         uses: actions/[email protected]
         with:
-          node-version: 16.x
+          node-version-file: .nvmrc
 
       - name: Install dependencies
         run: npm ci

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
           npm install
       - run: |
           npm run all
-  test: # make sure the action works on a clean machine without building
+  test-oidc: # make sure the action works on a clean machine without building
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -42,8 +42,32 @@ jobs:
       - name: Test token
         run: |
           curl -v --fail '${{ matrix.gem-server }}/api/v1/oidc/api_key_roles/${{ matrix.roleToken }}' -H 'Authorization: ${{ env.RUBYGEMS_API_KEY }}'
+  test-trusted-publisher: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        gem-server:
+          - 'rubygems.org'
+          - 'staging.rubygems.org'
+          - 'oidc-api-token.rubygems.org'
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./
+        with:
+          gem-server: 'https://${{ matrix.gem-server }}'
+          audience: '${{ matrix.gem-server }}'
+      - name: Test token
+        run: |
+          output="$(curl -s -w "\n\n%{http_code}" -v -X POST 'https://${{ matrix.gem-server }}/api/v1/gems' -H 'Authorization: ${{ env.RUBYGEMS_API_KEY }}' -H 'Accept: application/json')"
+          expected="$(printf "RubyGems.org cannot process this gem.\nPlease try rebuilding it and installing it locally to make sure it's valid.\nError:\npackage metadata is missing\n\n\n422")"
+          test "$output" = "$expected" || (echo "$output" && exit 1)
   test-all:
-    needs: test
+    needs: [test-oidc, test-trusted-publisher]
     runs-on: ubuntu-latest
     steps:
       - run: |

.nvmrc

@@ -0,0 +1 @@
+20

__tests__/main.test.ts

@@ -15,6 +15,7 @@ import * as core from '@actions/core'
 
 import {configureApiToken} from '../src/configure-api-token'
 import {assumeRole} from '../src/oidc/assumeRole'
+import {exchangeToken} from '../src/oidc/trustedPublisher'
 
 jest.mock('os', () => {
   const originalModule = jest.requireActual('os') as any
@@ -125,6 +126,51 @@ describe('assumeRole', () => {
   })
 })
 
+describe('exchangeToken', () => {
+  test('works', async () => {
+    jest.spyOn(core, 'getIDToken').mockReturnValue(Promise.resolve('ID_TOKEN'))
+
+    nock('https://rubygems.org')
+      .post('/api/v1/oidc/trusted_publisher/exchange_token', {
+        jwt: 'ID_TOKEN'
+      })
+      .reply(201, {
+        name: 'role name',
+        rubygems_api_key: 'API_KEY',
+        expires_at: '2021-01-01T00:00:00Z',
+        scopes: ['push_rubygem']
+      })
+
+    await expect(
+      exchangeToken('rubygems.org', 'https://rubygems.org')
+    ).resolves.toEqual({
+      expiresAt: '2021-01-01T00:00:00Z',
+      gem: undefined,
+      name: 'role name',
+      rubygemsApiKey: 'API_KEY',
+      scopes: ['push_rubygem']
+    })
+  })
+
+  test('handles a 404', async () => {
+    jest.spyOn(core, 'getIDToken').mockReturnValue(Promise.resolve('ID_TOKEN'))
+
+    nock('https://rubygems.org')
+      .post('/api/v1/oidc/trusted_publisher/exchange_token', {
+        jwt: 'ID_TOKEN'
+      })
+      .reply(404, '')
+
+    await expect(
+      exchangeToken('rubygems.org', 'https://rubygems.org')
+    ).rejects.toEqual(
+      new Error(
+        'No trusted publisher configured for this workflow found on https://rubygems.org for audience rubygems.org'
+      )
+    )
+  })
+})
+
 function mockHomedir(homedir: string) {
   mockOf(os.homedir).mockReturnValue(homedir)
 }

action.yml

@@ -22,6 +22,10 @@ inputs:
   api-token:
     description: 'The rubygems api token to use for authentication.'
     required: false
+  trusted-publisher:
+    description: >-
+      Whether to configure the credentials as a trusted publisher. Defaults to true if no other configuration is given.
+    required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'

src/main.ts

@@ -1,13 +1,25 @@
 import * as core from '@actions/core'
 import {configureApiToken} from './configure-api-token'
 import {assumeRole} from './oidc/assumeRole'
+import {exchangeToken} from './oidc/trustedPublisher'
 
 async function run(): Promise<void> {
   try {
     const gemServer = core.getInput('gem-server')
     const audience = core.getInput('audience')
     const roleToAssume = core.getInput('role-to-assume')
     const apiToken = core.getInput('api-token')
+    const trustedPublisher: boolean = (() => {
+      const trustedPublisherConfigured = !!core.getInput('trusted-publisher')
+      if (!trustedPublisherConfigured && !apiToken && !roleToAssume) {
+        // default to trusted publishing if no api-token or role-to-assume is specified and trusted-publisher is not configured
+        return true
+      } else if (trustedPublisherConfigured) {
+        return core.getBooleanInput('trusted-publisher')
+      } else {
+        return false
+      }
+    })()
 
     if (!gemServer) throw new Error('Missing gem-server input')
 
@@ -16,13 +28,24 @@ async function run(): Promise<void> {
         throw new Error('Cannot specify audience when using api-token')
       if (roleToAssume)
         throw new Error('Cannot specify role-to-assume when using api-token')
+      if (trustedPublisher)
+        throw new Error('Cannot specify trusted-publisher when using api-token')
 
       await configureApiToken(apiToken, gemServer)
     } else if (roleToAssume) {
       if (!audience) throw new Error('Missing audience input')
+      if (trustedPublisher)
+        throw new Error(
+          'Cannot specify trusted-publisher when using role-to-assume'
+        )
 
       const oidcIdToken = await assumeRole(roleToAssume, audience, gemServer)
       await configureApiToken(oidcIdToken.rubygemsApiKey, gemServer)
+    } else if (trustedPublisher) {
+      if (!audience) throw new Error('Missing audience input')
+
+      const oidcIdToken = await exchangeToken(audience, gemServer)
+      await configureApiToken(oidcIdToken.rubygemsApiKey, gemServer)
     } else {
       throw new Error('Missing api-token or role-to-assume input')
     }

src/oidc/assumeRole.ts

@@ -1,28 +1,6 @@
 import * as core from '@actions/core'
 import {HttpClient} from '@actions/http-client'
-import {z} from 'zod'
-
-const RubygemSchema = z.object({
-  name: z.string()
-})
-
-const IdTokenSchema = z
-  .object({
-    rubygems_api_key: z.string(),
-    name: z.string(),
-    scopes: z.array(z.string()),
-    gem: RubygemSchema.optional(),
-    expires_at: z.string().datetime({offset: true})
-  })
-  .transform(({rubygems_api_key, expires_at, ...rest}) => {
-    return {
-      rubygemsApiKey: rubygems_api_key,
-      expiresAt: expires_at,
-      ...rest
-    }
-  })
-
-type IdToken = z.infer<typeof IdTokenSchema>
+import {IdToken, IdTokenSchema} from './responses'
 
 export async function assumeRole(
   roleToAssume: string,