aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of synced 2026-06-05 12:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

chore: adjust cleanup build again

Browse source
This commit is contained in:
peterwoodworth 2023-03-22 16:51:12 -07:00
commit 0d90ddd1f2
13 changed files with 17958 additions and 321 deletions
Download patch file Download diff file Expand all files Collapse all files

114
dist/cleanup/CredentialsClient.js generated vendored
View file

@ -1,114 +0,0 @@
"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
exports.__esModule = true;
exports.CredentialsClient = void 0;
var core_1 = require("@actions/core");
var client_sts_1 = require("@aws-sdk/client-sts");
var node_http_handler_1 = require("@aws-sdk/node-http-handler");
var https_proxy_agent_1 = require("https-proxy-agent");
var helpers_1 = require("./helpers");
var USER_AGENT = 'configure-aws-credentials-for-github-actions';
var CredentialsClient = /** @class */ (function () {
function CredentialsClient(props) {
if (props.region) {
this.region = props.region;
}
else {
(0, core_1.info)('No region provided, using global STS endpoint');
}
if (props.proxyServer) {
(0, core_1.info)('Configurint proxy handler for STS client');
var handler = new https_proxy_agent_1.HttpsProxyAgent(props.proxyServer);
this.requestHandler = new node_http_handler_1.NodeHttpHandler({
httpAgent: handler,
httpsAgent: handler
});
}
}
CredentialsClient.prototype.getStsClient = function () {
if (!this.stsClient) {
this.stsClient = new client_sts_1.STSClient({
region: this.region ? this.region : undefined,
customUserAgent: USER_AGENT,
requestHandler: this.requestHandler ? this.requestHandler : undefined,
useGlobalEndpoint: this.region ? false : true
});
}
return this.stsClient;
};
CredentialsClient.prototype.validateCredentials = function (expectedAccessKeyId) {
return __awaiter(this, void 0, void 0, function () {
var credentials, error_1, actualAccessKeyId;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
_a.trys.push([0, 2, , 3]);
return [4 /*yield*/, this.loadCredentials()];
case 1:
credentials = _a.sent();
if (!credentials.accessKeyId) {
throw new Error('Access key ID empty after loading credentials');
}
return [3 /*break*/, 3];
case 2:
error_1 = _a.sent();
throw new Error("Credentials could not be loaded, please check your action inputs: ".concat((0, helpers_1.errorMessage)(error_1)));
case 3:
actualAccessKeyId = credentials.accessKeyId;
if (expectedAccessKeyId && expectedAccessKeyId !== actualAccessKeyId) {
throw new Error('Unexpected failure: Credentials loaded by the SDK do not match the access key ID configured by the action');
}
return [2 /*return*/];
}
});
});
};
CredentialsClient.prototype.loadCredentials = function () {
return __awaiter(this, void 0, void 0, function () {
var client;
return __generator(this, function (_a) {
client = new client_sts_1.STSClient({
requestHandler: this.requestHandler ? this.requestHandler : undefined
});
return [2 /*return*/, client.config.credentials()];
});
});
};
return CredentialsClient;
}());
exports.CredentialsClient = CredentialsClient;

41
dist/cleanup/cleanup/index.js generated vendored
View file

@ -1,41 +0,0 @@
"use strict";
exports.__esModule = true;
exports.cleanup = void 0;
var core = require("@actions/core");
var helpers_1 = require("../helpers");
/**
* When the GitHub Actions job is done, clean up any environment variables that
* may have been set by the configure-aws-credentials steps in the job.
*
* Environment variables are not intended to be shared across different jobs in
* the same GitHub Actions workflow: GitHub Actions documentation states that
* each job runs in a fresh instance. However, doing our own cleanup will
* give us additional assurance that these environment variables are not shared
* with any other jobs.
*/
function cleanup() {
try {
// The GitHub Actions toolkit does not have an option to completely unset
// environment variables, so we overwrite the current value with an empty
// string. The AWS CLI and AWS SDKs will behave correctly: they treat an
// empty string value as if the environment variable does not exist.
core.exportVariable('AWS_ACCESS_KEY_ID', '');
core.exportVariable('AWS_SECRET_ACCESS_KEY', '');
core.exportVariable('AWS_SESSION_TOKEN', '');
core.exportVariable('AWS_DEFAULT_REGION', '');
core.exportVariable('AWS_REGION', '');
}
catch (error) {
core.setFailed((0, helpers_1.errorMessage)(error));
}
}
exports.cleanup = cleanup;
/* c8 ignore start */
if (require.main === module) {
try {
cleanup();
}
catch (error) {
core.setFailed((0, helpers_1.errorMessage)(error));
}
}

165
dist/cleanup/helpers.js generated vendored
View file

@ -1,165 +0,0 @@
"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
exports.__esModule = true;
exports.isDefined = exports.errorMessage = exports.retryAndBackoff = exports.reset = exports.withsleep = exports.defaultSleep = exports.sanitizeGitHubVariables = exports.exportAccountId = exports.exportRegion = exports.exportCredentials = void 0;
var core = require("@actions/core");
var client_sts_1 = require("@aws-sdk/client-sts");
var MAX_TAG_VALUE_LENGTH = 256;
var SANITIZATION_CHARACTER = '_';
// Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
// Setting the credentials as secrets masks them in Github Actions logs
function exportCredentials(creds) {
if (creds === null || creds === void 0 ? void 0 : creds.AccessKeyId) {
core.setSecret(creds.AccessKeyId);
core.exportVariable('AWS_ACCESS_KEY_ID', creds.AccessKeyId);
}
if (creds === null || creds === void 0 ? void 0 : creds.SecretAccessKey) {
core.setSecret(creds.SecretAccessKey);
core.exportVariable('AWS_SECRET_ACCESS_KEY', creds.SecretAccessKey);
}
if (creds === null || creds === void 0 ? void 0 : creds.SessionToken) {
core.setSecret(creds.SessionToken);
core.exportVariable('AWS_SESSION_TOKEN', creds.SessionToken);
}
else if (process.env['AWS_SESSION_TOKEN']) {
// clear session token from previous credentials action
core.exportVariable('AWS_SESSION_TOKEN', '');
}
}
exports.exportCredentials = exportCredentials;
function exportRegion(region) {
core.exportVariable('AWS_DEFAULT_REGION', region);
core.exportVariable('AWS_REGION', region);
}
exports.exportRegion = exportRegion;
// Obtains account ID from STS Client and sets it as output
function exportAccountId(credentialsClient, maskAccountId) {
return __awaiter(this, void 0, void 0, function () {
var client, identity, accountId;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
client = credentialsClient.getStsClient();
return [4 /*yield*/, client.send(new client_sts_1.GetCallerIdentityCommand({}))];
case 1:
identity = _a.sent();
accountId = identity.Account;
if (!accountId) {
throw new Error('Could not get Account ID from STS. Did you set credentials?');
}
if (maskAccountId) {
core.setSecret(accountId);
}
core.setOutput('aws-account-id', accountId);
return [2 /*return*/, accountId];
}
});
});
}
exports.exportAccountId = exportAccountId;
// Tags have a more restrictive set of acceptable characters than GitHub environment variables can.
// This replaces anything not conforming to the tag restrictions by inverting the regular expression.
// See the AWS documentation for constraint specifics https://docs.aws.amazon.com/STS/latest/APIReference/API_Tag.html.
function sanitizeGitHubVariables(name) {
var nameWithoutSpecialCharacters = name.replace(/[^\p{L}\p{Z}\p{N}_.:/=+\-@]/gu, SANITIZATION_CHARACTER);
var nameTruncated = nameWithoutSpecialCharacters.slice(0, MAX_TAG_VALUE_LENGTH);
return nameTruncated;
}
exports.sanitizeGitHubVariables = sanitizeGitHubVariables;
function defaultSleep(ms) {
return __awaiter(this, void 0, void 0, function () {
return __generator(this, function (_a) {
return [2 /*return*/, new Promise(function (resolve) { return setTimeout(resolve, ms); })];
});
});
}
exports.defaultSleep = defaultSleep;
var sleep = defaultSleep;
function withsleep(s) {
sleep = s;
}
exports.withsleep = withsleep;
function reset() {
sleep = defaultSleep;
}
exports.reset = reset;
// Retries the promise with exponential backoff if the error isRetryable up to maxRetries time.
function retryAndBackoff(fn, isRetryable, retries, maxRetries, base) {
if (retries === void 0) { retries = 0; }
if (maxRetries === void 0) { maxRetries = 12; }
if (base === void 0) { base = 50; }
return __awaiter(this, void 0, void 0, function () {
var err_1;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
_a.trys.push([0, 2, , 5]);
return [4 /*yield*/, fn()];
case 1: return [2 /*return*/, _a.sent()];
case 2:
err_1 = _a.sent();
if (!isRetryable) {
throw err_1;
}
// It's retryable, so sleep and retry.
return [4 /*yield*/, sleep(Math.random() * (Math.pow(2, retries) * base))];
case 3:
// It's retryable, so sleep and retry.
_a.sent();
retries += 1;
if (retries === maxRetries) {
throw err_1;
}
return [4 /*yield*/, retryAndBackoff(fn, isRetryable, retries, maxRetries, base)];
case 4: return [2 /*return*/, _a.sent()];
case 5: return [2 /*return*/];
}
});
});
}
exports.retryAndBackoff = retryAndBackoff;
/* c8 ignore start */
function errorMessage(error) {
return error instanceof Error ? error.message : String(error);
}
exports.errorMessage = errorMessage;
function isDefined(i) {
return i !== undefined && i !== null;
}
exports.isDefined = isDefined;
/* c8 ignore stop */

17901
dist/cleanup/index.js generated vendored Normal file
View file

File diff suppressed because it is too large Load diff

14
dist/cleanup/src/CredentialsClient.d.ts generated vendored Normal file
View file

@ -0,0 +1,14 @@
import { STSClient } from '@aws-sdk/client-sts';
export interface CredentialsClientProps {
region?: string;
proxyServer?: string;
}
export declare class CredentialsClient {
region?: string;
private stsClient?;
private readonly requestHandler?;
constructor(props: CredentialsClientProps);
getStsClient(): STSClient;
validateCredentials(expectedAccessKeyId?: string): Promise<void>;
private loadCredentials;
}

13
dist/cleanup/src/assumeRole.d.ts generated vendored Normal file
View file

@ -0,0 +1,13 @@
import type { CredentialsClient } from './CredentialsClient';
export interface assumeRoleParams {
credentialsClient: CredentialsClient;
roleToAssume: string;
roleDuration: number;
roleSessionName: string;
roleSkipSessionTagging?: boolean;
sourceAccountId?: string;
roleExternalId?: string;
webIdentityTokenFile?: string;
webIdentityToken?: string;
}
export declare function assumeRole(params: assumeRoleParams): Promise<import("@aws-sdk/client-sts").AssumeRoleCommandOutput>;

11
dist/cleanup/src/cleanup/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,11 @@
/**
* When the GitHub Actions job is done, clean up any environment variables that
* may have been set by the configure-aws-credentials steps in the job.
*
* Environment variables are not intended to be shared across different jobs in
* the same GitHub Actions workflow: GitHub Actions documentation states that
* each job runs in a fresh instance. However, doing our own cleanup will
* give us additional assurance that these environment variables are not shared
* with any other jobs.
*/
export declare function cleanup(): void;

14
dist/cleanup/src/helpers.d.ts generated vendored Normal file
View file

@ -0,0 +1,14 @@
import type { Credentials } from '@aws-sdk/client-sts';
import type { CredentialsClient } from './CredentialsClient';
export declare function exportCredentials(creds?: Partial<Credentials>): void;
export declare function exportRegion(region: string): void;
export declare function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: string): Promise<string>;
export declare function sanitizeGitHubVariables(name: string): string;
export declare function defaultSleep(ms: number): Promise<unknown>;
declare let sleep: typeof defaultSleep;
export declare function withsleep(s: typeof sleep): void;
export declare function reset(): void;
export declare function retryAndBackoff<T>(fn: () => Promise<T>, isRetryable: boolean, retries?: number, maxRetries?: number, base?: number): Promise<T>;
export declare function errorMessage(error: unknown): string;
export declare function isDefined<T>(i: T | undefined | null): i is T;
export {};

1
dist/cleanup/src/index.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export declare function run(): Promise<void>;

1
dist/cleanup/test/cleanup.test.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export {};

1
dist/cleanup/test/helpers.test.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export {};

1
dist/cleanup/test/index.test.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export {};

2
package.json
View file

@ -4,7 +4,7 @@
"scripts": { "scripts": {
"build": "tsc --project tsconfig.build.json", "build": "tsc --project tsconfig.build.json",
"lint": "eslint .", "lint": "eslint .",
"package": "npm run build && ncc build --license THIRD-PARTY -o dist && tsc src/cleanup/index.ts --skipLibCheck --outdir dist/cleanup && copyup -E dist/THIRD-PARTY . && del-cli dist/THIRD-PARTY", "package": "npm run build && ncc build --license THIRD-PARTY -o dist && ncc build src/cleanup/index.ts -o dist/cleanup && copyup -E dist/THIRD-PARTY . && del-cli dist/THIRD-PARTY",
"test": "npm run lint && jest --verbose" "test": "npm run lint && jest --verbose"
}, },
"author": { "author": {