From 921f6290ce22866a6faff985427d60552eac2305 Mon Sep 17 00:00:00 2001 From: Steve Manuel Date: Fri, 19 Jan 2024 11:00:12 -0700 Subject: [PATCH] chore: try alt auth method --- .github/workflows/test.yml | 2 +- action.yml | 5 +- index.js | 22 ++- node_modules/.package-lock.json | 16 +- node_modules/@octokit/auth-action/LICENSE | 21 ++ node_modules/@octokit/auth-action/README.md | 179 ++++++++++++++++++ .../@octokit/auth-action/dist-node/index.js | 54 ++++++ .../auth-action/dist-node/index.js.map | 7 + .../@octokit/auth-action/dist-src/index.js | 30 +++ .../auth-action/dist-types/index.d.ts | 10 + .../@octokit/auth-action/package.json | 46 +++++ package-lock.json | 21 +- package.json | 5 +- 13 files changed, 398 insertions(+), 20 deletions(-) create mode 100644 node_modules/@octokit/auth-action/LICENSE create mode 100644 node_modules/@octokit/auth-action/README.md create mode 100644 node_modules/@octokit/auth-action/dist-node/index.js create mode 100644 node_modules/@octokit/auth-action/dist-node/index.js.map create mode 100644 node_modules/@octokit/auth-action/dist-src/index.js create mode 100644 node_modules/@octokit/auth-action/dist-types/index.d.ts create mode 100644 node_modules/@octokit/auth-action/package.json diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a082eef..e8c3e81 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -48,6 +48,6 @@ jobs: wasi: true input: '' output_type: text - github_token: ${{ github.token }} + token: ${{ github.token }} steps: |- test open issue | https://cdn.modsurfer.dylibso.com/api/v1/module/2ab8f671a0334e7da92c9cd8e0cca0dd710930e6019319126b6bed06aad342e9.wasm | test_open_issue diff --git a/action.yml b/action.yml index d2cf095..5224384 100644 --- a/action.yml +++ b/action.yml @@ -17,10 +17,9 @@ inputs: description: 'A line-delimited, "|"-segmented list of Extism plug-ins to run in a pipeline. Components are: name | source (url or path) | function (optional export to call, default = run)' required: true default: '' - github_token: - description: 'The access token to use with authorized GitHub API calls.' + token: + description: 'The access token to use with authenticated GitHub API calls.' required: false - default: '' outputs: output: description: 'Final output of the last plugin run in this pipeline.' diff --git a/index.js b/index.js index 72ae1c7..dafcbd7 100644 --- a/index.js +++ b/index.js @@ -1,5 +1,6 @@ const core = require('@actions/core'); const github = require('@actions/github'); +const { createActionAuth } = require("@octokit/auth-action"); const createPlugin = require("@extism/extism"); async function actism(input, steps, wasi, outputType, test) { @@ -18,8 +19,6 @@ async function actism(input, steps, wasi, outputType, test) { } steps = steps.trim(); outputType = outputType.trim(); - - const githubToken = core.getInput('github_token').trim(); // for each step, run the step() function in the module with the input from the previous step let pipelineData = input; @@ -34,7 +33,7 @@ async function actism(input, steps, wasi, outputType, test) { core.info("Starting step: \u001b[1;95m\033[4m" + step.name + "\033[24m\033[0m (" + step.source + ")") const plugin = await createPlugin(step.source, { useWasi: wasi, - functions: { "extism:host/user": ActionsBindings(githubToken) } + functions: { "extism:host/user": await ActionsBindings() } }); const output = await plugin.call(step.entrypoint, pipelineData); pipelineData = output.bytes(); @@ -78,7 +77,16 @@ const Steps = (input) => { }) } -const ActionsBindings = (githubToken) => { +const ActionsBindings = async () => { + let octokit; + try { + const auth = createActionAuth(); + const authentication = await auth(); + octokit = github.getOctokit({ auth: auth.token }); + } catch (e) { + core.debug(e); + octokit = undefined; + } const hostFuncs = {}; hostFuncs.github_context = (plugin) => { @@ -86,13 +94,11 @@ const ActionsBindings = (githubToken) => { }; hostFuncs.github_open_issue = (plugin, titleOffs, bodyOffs) => { - if (githubToken.length === 0) { - core.setFailed(`Actism error: cannot call "gitub_open_issue" without token.`); + if (!octokit) { + core.setFailed(`Actism error: cannot call "gitub_open_issue" without providing 'token' in action params.`); return; } - console.log(`github_open_issue called, tmp token: ${btoa(githubToken)} size: ${githubToken.length}`); - const octokit = github.getOctokit({ auth: githubToken }); const title = plugin.read(titleOffs).text(); const body = plugin.read(bodyOffs).text(); diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index 558de70..16aa769 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -1,5 +1,5 @@ { - "name": "actism", + "name": "Actism", "version": "0.0.1", "lockfileVersion": 3, "requires": true, @@ -46,6 +46,18 @@ "node": ">=14" } }, + "node_modules/@octokit/auth-action": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@octokit/auth-action/-/auth-action-4.0.1.tgz", + "integrity": "sha512-mJLOcFFafIivLZ7BEkGDCTFoHPJv7BeL5Zwy7j5qMDU0b/DKshhi6GCU9tw3vmKhOxTNquYfvwqsEfPpemaaxg==", + "dependencies": { + "@octokit/auth-token": "^4.0.0", + "@octokit/types": "^12.0.0" + }, + "engines": { + "node": ">= 18" + } + }, "node_modules/@octokit/auth-token": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz", @@ -220,4 +232,4 @@ "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } -} \ No newline at end of file +} diff --git a/node_modules/@octokit/auth-action/LICENSE b/node_modules/@octokit/auth-action/LICENSE new file mode 100644 index 0000000..ef2c18e --- /dev/null +++ b/node_modules/@octokit/auth-action/LICENSE @@ -0,0 +1,21 @@ +The MIT License + +Copyright (c) 2019 Octokit contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/node_modules/@octokit/auth-action/README.md b/node_modules/@octokit/auth-action/README.md new file mode 100644 index 0000000..978262f --- /dev/null +++ b/node_modules/@octokit/auth-action/README.md @@ -0,0 +1,179 @@ +# auth-action.js + +> GitHub API token authentication for GitHub Actions + +[![@latest](https://img.shields.io/npm/v/@octokit/auth-action.svg)](https://www.npmjs.com/package/@octokit/auth-action) +[![Build Status](https://github.com/octokit/auth-action.js/workflows/Test/badge.svg)](https://github.com/octokit/auth-action.js/actions?query=workflow%3ATest) + +`@octokit/auth-action` is one of [GitHub’s authentication strategies](https://github.com/octokit/auth.js). + +It does not require any configuration, but instead reads [the `GITHUB_TOKEN` environment variable](https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret) that is provided to GitHub Actions. + + + +- [Usage](#usage) +- [`createActionAuth()`](#createactionauth) +- [`auth()`](#auth) +- [Authentication object](#authentication-object) +- [`auth.hook(request, route, options)` or `auth.hook(request, options)`](#authhookrequest-route-options-or-authhookrequest-options) +- [Find more information](#find-more-information) +- [License](#license) + + + +## Usage + +Install with npm install @octokit/auth-action + +```js +const { createActionAuth } = require("@octokit/auth-action"); +// or: import { createActionAuth } from "@octokit/auth-action"; + +const auth = createActionAuth(); +const authentication = await auth(); +// { +// type: 'token', +// token: 'v1.1234567890abcdef1234567890abcdef12345678', +// tokenType: 'oauth' +// } +``` + +## `createActionAuth()` + +The `createActionAuth()` method has no options. + +It expects the `GITHUB_TOKEN` variable to be set which is provided to GitHub Actions, but [has to be configured explicitly](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token). + +`GITHUB_TOKEN` can be passed as environment variable using [`env:`](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#env) + +```yml +steps: + - name: My action + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +``` + +or using [`with:`](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith) + +```yml +steps: + - name: My action + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +``` + +or named `token` using [`with:`](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith) + +```yml +steps: + - name: My action + with: + token: ${{ secrets.GITHUB_TOKEN }} +``` + +`GITHUB_TOKEN` can be set to any of the repository's secret, e.g. if you want to use a personal access token. + +```yml +steps: + - name: My first action + env: + GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} +``` + +`createActionAuth()` is also checking for the `GITHUB_ACTION` variable to be present to make sure that it runs within a GitHub Action. + +If `GITHUB_ACTION` or neither `GITHUB_TOKEN`, `INPUT_GITHUB_TOKEN` or `INPUT_TOKEN` are set an error is thrown. + +## `auth()` + +The `auth()` method has no options. It returns a promise which resolves with the the authentication object. + +## Authentication object + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ name + + type + + description +
+ type + + string + + "token" +
+ token + + string + + The provided token. +
+ tokenType + + string + + Can be either "oauth" for personal access tokens and OAuth tokens, or "installation" for installation access tokens (includes GITHUB_TOKEN provided to GitHub Actions) +
+ +## `auth.hook(request, route, options)` or `auth.hook(request, options)` + +`auth.hook()` hooks directly into the request life cycle. It authenticates the request using the provided token. + +The `request` option is an instance of [`@octokit/request`](https://github.com/octokit/request.js#readme). The `route`/`options` parameters are the same as for the [`request()` method](https://github.com/octokit/request.js#request). + +`auth.hook()` can be called directly to send an authenticated request + +```js +const { data: authorizations } = await auth.hook( + request, + "GET /authorizations", +); +``` + +Or it can be passed as option to [`request()`](https://github.com/octokit/request.js#request). + +```js +const requestWithAuth = request.defaults({ + request: { + hook: auth.hook, + }, +}); + +const { data: authorizations } = await requestWithAuth("GET /authorizations"); +``` + +## Find more information + +`auth()` does not send any requests, it only retrieves the token from the environment variable and transforms the provided token string into an authentication object. + +The `GITHUB_TOKEN` provided to GitHub Actions is an installation token with all permissions provided. You can use it for `git` commands, too. Learn more about the differences in token authentication at [@octokit/auth-action](https://github.com/octokit/auth-action.js#find-more-information). + +## License + +[MIT](LICENSE) diff --git a/node_modules/@octokit/auth-action/dist-node/index.js b/node_modules/@octokit/auth-action/dist-node/index.js new file mode 100644 index 0000000..f4e6081 --- /dev/null +++ b/node_modules/@octokit/auth-action/dist-node/index.js @@ -0,0 +1,54 @@ +"use strict"; +var __defProp = Object.defineProperty; +var __getOwnPropDesc = Object.getOwnPropertyDescriptor; +var __getOwnPropNames = Object.getOwnPropertyNames; +var __hasOwnProp = Object.prototype.hasOwnProperty; +var __export = (target, all) => { + for (var name in all) + __defProp(target, name, { get: all[name], enumerable: true }); +}; +var __copyProps = (to, from, except, desc) => { + if (from && typeof from === "object" || typeof from === "function") { + for (let key of __getOwnPropNames(from)) + if (!__hasOwnProp.call(to, key) && key !== except) + __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); + } + return to; +}; +var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); + +// pkg/dist-src/index.js +var dist_src_exports = {}; +__export(dist_src_exports, { + createActionAuth: () => createActionAuth +}); +module.exports = __toCommonJS(dist_src_exports); +var import_auth_token = require("@octokit/auth-token"); +var createActionAuth = function createActionAuth2() { + if (!process.env.GITHUB_ACTION) { + throw new Error( + "[@octokit/auth-action] `GITHUB_ACTION` environment variable is not set. @octokit/auth-action is meant to be used in GitHub Actions only." + ); + } + const definitions = [ + process.env.GITHUB_TOKEN, + process.env.INPUT_GITHUB_TOKEN, + process.env.INPUT_TOKEN + ].filter(Boolean); + if (definitions.length === 0) { + throw new Error( + "[@octokit/auth-action] `GITHUB_TOKEN` variable is not set. It must be set on either `env:` or `with:`. See https://github.com/octokit/auth-action.js#createactionauth" + ); + } + if (definitions.length > 1) { + throw new Error( + "[@octokit/auth-action] The token variable is specified more than once. Use either `with.token`, `with.GITHUB_TOKEN`, or `env.GITHUB_TOKEN`. See https://github.com/octokit/auth-action.js#createactionauth" + ); + } + const token = definitions.pop(); + return (0, import_auth_token.createTokenAuth)(token); +}; +// Annotate the CommonJS export names for ESM import in node: +0 && (module.exports = { + createActionAuth +}); diff --git a/node_modules/@octokit/auth-action/dist-node/index.js.map b/node_modules/@octokit/auth-action/dist-node/index.js.map new file mode 100644 index 0000000..a8c4c0e --- /dev/null +++ b/node_modules/@octokit/auth-action/dist-node/index.js.map @@ -0,0 +1,7 @@ +{ + "version": 3, + "sources": ["../dist-src/index.js"], + "sourcesContent": ["import {\n createTokenAuth\n} from \"@octokit/auth-token\";\nconst createActionAuth = function createActionAuth2() {\n if (!process.env.GITHUB_ACTION) {\n throw new Error(\n \"[@octokit/auth-action] `GITHUB_ACTION` environment variable is not set. @octokit/auth-action is meant to be used in GitHub Actions only.\"\n );\n }\n const definitions = [\n process.env.GITHUB_TOKEN,\n process.env.INPUT_GITHUB_TOKEN,\n process.env.INPUT_TOKEN\n ].filter(Boolean);\n if (definitions.length === 0) {\n throw new Error(\n \"[@octokit/auth-action] `GITHUB_TOKEN` variable is not set. It must be set on either `env:` or `with:`. See https://github.com/octokit/auth-action.js#createactionauth\"\n );\n }\n if (definitions.length > 1) {\n throw new Error(\n \"[@octokit/auth-action] The token variable is specified more than once. Use either `with.token`, `with.GITHUB_TOKEN`, or `env.GITHUB_TOKEN`. See https://github.com/octokit/auth-action.js#createactionauth\"\n );\n }\n const token = definitions.pop();\n return createTokenAuth(token);\n};\nexport {\n createActionAuth\n};\n"], + "mappings": ";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAEO;AACP,IAAM,mBAAmB,SAAS,oBAAoB;AACpD,MAAI,CAAC,QAAQ,IAAI,eAAe;AAC9B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,cAAc;AAAA,IAClB,QAAQ,IAAI;AAAA,IACZ,QAAQ,IAAI;AAAA,IACZ,QAAQ,IAAI;AAAA,EACd,EAAE,OAAO,OAAO;AAChB,MAAI,YAAY,WAAW,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,QAAQ,YAAY,IAAI;AAC9B,aAAO,mCAAgB,KAAK;AAC9B;", + "names": [] +} diff --git a/node_modules/@octokit/auth-action/dist-src/index.js b/node_modules/@octokit/auth-action/dist-src/index.js new file mode 100644 index 0000000..0873550 --- /dev/null +++ b/node_modules/@octokit/auth-action/dist-src/index.js @@ -0,0 +1,30 @@ +import { + createTokenAuth +} from "@octokit/auth-token"; +const createActionAuth = function createActionAuth2() { + if (!process.env.GITHUB_ACTION) { + throw new Error( + "[@octokit/auth-action] `GITHUB_ACTION` environment variable is not set. @octokit/auth-action is meant to be used in GitHub Actions only." + ); + } + const definitions = [ + process.env.GITHUB_TOKEN, + process.env.INPUT_GITHUB_TOKEN, + process.env.INPUT_TOKEN + ].filter(Boolean); + if (definitions.length === 0) { + throw new Error( + "[@octokit/auth-action] `GITHUB_TOKEN` variable is not set. It must be set on either `env:` or `with:`. See https://github.com/octokit/auth-action.js#createactionauth" + ); + } + if (definitions.length > 1) { + throw new Error( + "[@octokit/auth-action] The token variable is specified more than once. Use either `with.token`, `with.GITHUB_TOKEN`, or `env.GITHUB_TOKEN`. See https://github.com/octokit/auth-action.js#createactionauth" + ); + } + const token = definitions.pop(); + return createTokenAuth(token); +}; +export { + createActionAuth +}; diff --git a/node_modules/@octokit/auth-action/dist-types/index.d.ts b/node_modules/@octokit/auth-action/dist-types/index.d.ts new file mode 100644 index 0000000..7159157 --- /dev/null +++ b/node_modules/@octokit/auth-action/dist-types/index.d.ts @@ -0,0 +1,10 @@ +import { type Types as AuthTokenTypes } from "@octokit/auth-token"; +import type { StrategyInterface } from "@octokit/types"; +export type Types = { + StrategyOptions: never; + AuthOptions: never; + Authentication: AuthTokenTypes["Authentication"]; +}; +export declare const createActionAuth: StrategyInterface<[ +], [ +], Types["Authentication"]>; diff --git a/node_modules/@octokit/auth-action/package.json b/node_modules/@octokit/auth-action/package.json new file mode 100644 index 0000000..97efd69 --- /dev/null +++ b/node_modules/@octokit/auth-action/package.json @@ -0,0 +1,46 @@ +{ + "name": "@octokit/auth-action", + "publishConfig": { + "access": "public" + }, + "version": "4.0.1", + "description": "GitHub API token authentication for GitHub Actions", + "repository": "github:octokit/auth-action.js", + "keywords": [ + "github", + "octokit", + "authentication", + "github-action", + "api" + ], + "author": "Gregor Martynus (https://github.com/gr2m)", + "license": "MIT", + "dependencies": { + "@octokit/auth-token": "^4.0.0", + "@octokit/types": "^12.0.0" + }, + "devDependencies": { + "@octokit/request": "^8.0.2", + "@octokit/tsconfig": "^2.0.0", + "@types/jest": "^29.0.0", + "esbuild": "^0.19.0", + "fetch-mock": "npm:@gr2m/fetch-mock@9.11.0-pull-request-644.1", + "glob": "^10.2.5", + "jest": "^29.0.0", + "prettier": "3.0.3", + "ts-jest": "^29.0.0", + "typescript": "^5.0.0" + }, + "engines": { + "node": ">= 18" + }, + "files": [ + "dist-*/**", + "bin/**" + ], + "main": "dist-node/index.js", + "module": "dist-web/index.js", + "types": "dist-types/index.d.ts", + "source": "dist-src/index.js", + "sideEffects": false +} diff --git a/package-lock.json b/package-lock.json index c3c3699..5da3490 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,17 +1,18 @@ { - "name": "actism", + "name": "Actism", "version": "0.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { - "name": "actism", + "name": "Actism", "version": "0.0.1", "license": "Apache-2.0", "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@extism/extism": "^1.0.1" + "@extism/extism": "^1.0.1", + "@octokit/auth-action": "^4.0.1" } }, "node_modules/@actions/core": { @@ -56,6 +57,18 @@ "node": ">=14" } }, + "node_modules/@octokit/auth-action": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@octokit/auth-action/-/auth-action-4.0.1.tgz", + "integrity": "sha512-mJLOcFFafIivLZ7BEkGDCTFoHPJv7BeL5Zwy7j5qMDU0b/DKshhi6GCU9tw3vmKhOxTNquYfvwqsEfPpemaaxg==", + "dependencies": { + "@octokit/auth-token": "^4.0.0", + "@octokit/types": "^12.0.0" + }, + "engines": { + "node": ">= 18" + } + }, "node_modules/@octokit/auth-token": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz", @@ -230,4 +243,4 @@ "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } -} \ No newline at end of file +} diff --git a/package.json b/package.json index 7b1735a..3171ff3 100644 --- a/package.json +++ b/package.json @@ -11,6 +11,7 @@ "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@extism/extism": "^1.0.1" + "@extism/extism": "^1.0.1", + "@octokit/auth-action": "^4.0.1" } -} \ No newline at end of file +}