Skip to content

fix: improve permission error for provenance#6226

Merged
lukekarrys merged 1 commit intolatestfrom
bdehamer/provenance-oidc-error
Mar 8, 2023
Merged

fix: improve permission error for provenance#6226
lukekarrys merged 1 commit intolatestfrom
bdehamer/provenance-oidc-error

Conversation

@bdehamer
Copy link
Copy Markdown
Contributor

@bdehamer bdehamer commented Mar 7, 2023

Improves the error message returned when a user attempts to generate a provenance statement on publish but has not set the correct perissions in the GitHub Actions workflow.

Improves the error messaging if the user attempts to publish a package w/ provenance but has NOT set the necessary token permissions to create an OIDC token.

Currently, if the user omits the id-token: write permission, the error message reads:

Automatic provenance generation not supported outside of GitHub Actions

This is potentially confusing given that it may actually be running in GitHub Actions, just with incorrect permissions.

This change separates the CI == 'GitHub Actions' check from the ACTIONS_ID_TOKEN_REQUEST_URL check so we can provide more specific error messages in the two cases.

The new error message reads:

Provenance generation in GitHub Actions requires "write" access to the "id-token" permission

@bdehamer
fix: improve permission error for provenance
cb04873 
Improves the error message returned when a user attempts to generate a
provenance statement on publish but has not set the correct perissions
in the GitHub Actions workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer requested a review from a team as a code owner March 7, 2023 20:28
@bdehamer bdehamer requested review from nlf and removed request for a team March 7, 2023 20:28
bdehamer
bdehamer commented Mar 7, 2023
View reviewed changes
workspaces/libnpmpublish/test/publish.js
'process.env': {
CI: false,
GITHUB_ACTIONS: false,
GITHUB_ACTIONS: undefined,
Copy link
Copy Markdown
Contributor Author

@bdehamer bdehamer Mar 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that setting this to false still causes ciInfo.name to evaluate to "GITHUB_ACTIONS". To properly simulate NOT running in GitHub Actions, this needs to be undefined.

Copy link
Copy Markdown
Contributor

@feelepxyz feelepxyz Mar 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes, I guess it would be very surprising if this env var was set to anything on some other platform?

@bdehamer bdehamer requested a review from feelepxyz March 7, 2023 20:38
feelepxyz
feelepxyz approved these changes Mar 8, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@feelepxyz feelepxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@lukekarrys lukekarrys merged commit 26cbe99 into latest Mar 8, 2023
@lukekarrys lukekarrys deleted the bdehamer/provenance-oidc-error branch March 8, 2023 17:49
@github-actions github-actions bot mentioned this pull request Mar 8, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nlf nlf Awaiting requested review from nlf nlf is a code owner automatically assigned from npm/cli-team

2 more reviewers

@feelepxyz feelepxyz feelepxyz approved these changes

@lukekarrys lukekarrys lukekarrys approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bdehamer @feelepxyz @lukekarrys