@@ -50,12 +50,61 @@ jobs:
5050 with :
5151 node-version : 22
5252 cache : ' npm'
53+ registry-url : ' https://registry.npmjs.org'
5354
5455 - name : Update npm
5556 run : |
5657 npm install -g npm@11.7.0
5758 npm -v
5859
60+ - name : Diagnostic info
61+ run : |
62+ echo "node=$(node -v)"
63+ echo "npm=$(npm -v)"
64+ if [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ]; then
65+ echo "oidc=available"
66+ else
67+ echo "oidc=missing"
68+ fi
69+
70+ - name : Inspect OIDC claims
71+ run : |
72+ if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then
73+ echo "OIDC token request env vars are missing"
74+ exit 1
75+ fi
76+
77+ RESPONSE="$(curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")"
78+ OIDC_TOKEN="$(node -e 'const fs = require("fs"); const input = fs.readFileSync(0, "utf8"); process.stdout.write(JSON.parse(input).value);' <<< "$RESPONSE")"
79+
80+ node - <<'EOF' "$OIDC_TOKEN"
81+ const token = process.argv[2];
82+ const payload = token.split(".")[1];
83+
84+ if (!payload) {
85+ throw new Error("Unable to decode OIDC token payload");
86+ }
87+
88+ const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
89+ const out = {
90+ aud: claims.aud,
91+ repository: claims.repository,
92+ repository_owner: claims.repository_owner,
93+ ref: claims.ref,
94+ sha: claims.sha,
95+ event_name: claims.event_name,
96+ workflow: claims.workflow,
97+ workflow_ref: claims.workflow_ref,
98+ job_workflow_ref: claims.job_workflow_ref,
99+ runner_environment: claims.runner_environment,
100+ environment: claims.environment,
101+ actor: claims.actor,
102+ sub: claims.sub,
103+ };
104+
105+ console.log(JSON.stringify(out, null, 2));
106+ EOF
107+
59108 - name : Install dependencies
60109 run : npm ci
61110
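Review bot: The `Inspect OIDC claims` step passes a live ID token minted for the `npm:registry.npmjs.org` audience to Node as a command-line argument (`node - <<'EOF' "$OIDC_TOKEN"`) and never registers it as a secret, so it is visible in the runner's process list and would appear unredacted if it ever reached the log. Add `echo "::add-mask::${OIDC_TOKEN}"` directly after the line that extracts it, and pass it through the environment instead of argv: `OIDC_TOKEN="$OIDC_TOKEN" node - <<'EOF'` with `const token = process.env.OIDC_TOKEN;` in the script. Printing only the selected claims is reasonable, but the step appears to sit in the publish job and mints a registry-audience token on every run, so it should be removed or gated behind a manual debug input once trusted publishing is confirmed working. The job's `permissions` block is outside the hunk, so whether `id-token: write` is scoped to this job alone could not be checked here.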