aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of synced 2026-06-05 13:58:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: aws-actions:main
Branches Tags
aws-actions:main
aws-actions:release-please--branches--main--components--configure-aws-credentials
aws-actions:tag-size-patch-lehmanmj
aws-actions:6.2
aws-actions:6.1.3
aws-actions:kellerkt/container-credential-provider
aws-actions:bump-6.2
aws-actions:kellertk/nofollow
aws-actions:unstage-devel-changes
aws-actions:devel
aws-actions:kellertk/readme-update-oidc
aws-actions:kellertk/1554
aws-actions:kellertk/forgejo
aws-actions:kellertk/390
aws-actions:kellertk/483
aws-actions:kellertk/doc-update
aws-actions:kellertk/rolesessionname_regex
aws-actions:kellertk/retry-logic-with-dist-DO-NOT-MERGE
aws-actions:kellertk/autoincrement
aws-actions:kellertk/specify-sts-endpoint
aws-actions:Esmartdriver/main
aws-actions:kellertk/node24
aws-actions:kellertk/remove-release-please
aws-actions:kellertk-patch-1
aws-actions:dependabot/npm_and_yarn/main/aws-sdk/client-sts-3.964.0
aws-actions:lehmanmj-patch-1
aws-actions:kellertk/v6
aws-actions:v3-node20
aws-actions:integ-tests
aws-actions:v1-node16
aws-actions:configure-aws-credentials
aws-actions:v6
aws-actions:v5
aws-actions:v4
aws-actions:v4.0.2
aws-actions:v4.0.1
aws-actions:v4.0.0
aws-actions:v3
aws-actions:v3.0.2
aws-actions:v2
aws-actions:v2.2.0
aws-actions:v2.1.0
aws-actions:master
aws-actions:v1
aws-actions:v2.0.0
aws-actions:v1-node16
aws-actions:v1.7.0
aws-actions:v1.6.1
aws-actions:v1.6.0
aws-actions:v1.5.11
aws-actions:v1.5.10
aws-actions:v1.5.9
aws-actions:v1.5.8
aws-actions:v1.5.7
aws-actions:v1.5.6
aws-actions:v1.5.5
aws-actions:v1.5.4
aws-actions:v1.5.3
aws-actions:v1.5.2
aws-actions:v1.5.1
aws-actions:v1.5.0
aws-actions:v1.4.4
aws-actions:v1.4.3
aws-actions:v1.4.2
aws-actions:v1.4.1
aws-actions:v1.4.0
aws-actions:v1.3.5
aws-actions:v1.3.4
aws-actions:v1.3.3
aws-actions:v1.3.2
aws-actions:v1.3.1
aws-actions:v1.3.0
aws-actions:v1.2.0
aws-actions:v1.1.2
aws-actions:v1.1.1
aws-actions:v1.1.0
aws-actions:v1.0.1
aws-actions:v1.0.0
..
compare: aws-actions:devel
Branches Tags
aws-actions:main
aws-actions:release-please--branches--main--components--configure-aws-credentials
aws-actions:tag-size-patch-lehmanmj
aws-actions:6.2
aws-actions:6.1.3
aws-actions:kellerkt/container-credential-provider
aws-actions:bump-6.2
aws-actions:kellertk/nofollow
aws-actions:unstage-devel-changes
aws-actions:devel
aws-actions:kellertk/readme-update-oidc
aws-actions:kellertk/1554
aws-actions:kellertk/forgejo
aws-actions:kellertk/390
aws-actions:kellertk/483
aws-actions:kellertk/doc-update
aws-actions:kellertk/rolesessionname_regex
aws-actions:kellertk/retry-logic-with-dist-DO-NOT-MERGE
aws-actions:kellertk/autoincrement
aws-actions:kellertk/specify-sts-endpoint
aws-actions:Esmartdriver/main
aws-actions:kellertk/node24
aws-actions:kellertk/remove-release-please
aws-actions:kellertk-patch-1
aws-actions:dependabot/npm_and_yarn/main/aws-sdk/client-sts-3.964.0
aws-actions:lehmanmj-patch-1
aws-actions:kellertk/v6
aws-actions:v3-node20
aws-actions:integ-tests
aws-actions:v1-node16
aws-actions:configure-aws-credentials
aws-actions:v6
aws-actions:v5
aws-actions:v4
aws-actions:v4.0.2
aws-actions:v4.0.1
aws-actions:v4.0.0
aws-actions:v3
aws-actions:v3.0.2
aws-actions:v2
aws-actions:v2.2.0
aws-actions:v2.1.0
aws-actions:master
aws-actions:v1
aws-actions:v2.0.0
aws-actions:v1-node16
aws-actions:v1.7.0
aws-actions:v1.6.1
aws-actions:v1.6.0
aws-actions:v1.5.11
aws-actions:v1.5.10
aws-actions:v1.5.9
aws-actions:v1.5.8
aws-actions:v1.5.7
aws-actions:v1.5.6
aws-actions:v1.5.5
aws-actions:v1.5.4
aws-actions:v1.5.3
aws-actions:v1.5.2
aws-actions:v1.5.1
aws-actions:v1.5.0
aws-actions:v1.4.4
aws-actions:v1.4.3
aws-actions:v1.4.2
aws-actions:v1.4.1
aws-actions:v1.4.0
aws-actions:v1.3.5
aws-actions:v1.3.4
aws-actions:v1.3.3
aws-actions:v1.3.2
aws-actions:v1.3.1
aws-actions:v1.3.0
aws-actions:v1.2.0
aws-actions:v1.1.2
aws-actions:v1.1.1
aws-actions:v1.1.0
aws-actions:v1.0.1
aws-actions:v1.0.0

No commits in common. "main" and "devel" have entirely different histories.
main ... devel

16 changed files with 9013 additions and 9535 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.release-please-manifest.json
View file

@ -1,5 +1,5 @@
{
".release-please-manifest.json": "4.0.2",
"package.json": "6.0.0",
".": "6.2.0"
".": "6.1.1"
}

28
CHANGELOG.md
View file

@ -2,34 +2,6 @@
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
## [6.2.0](https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.3...v6.2.0) (2026-06-01)
### Features
* add additional session tags by default ([#1775](https://github.com/aws-actions/configure-aws-credentials/issues/1775)) ([e0ba768](https://github.com/aws-actions/configure-aws-credentials/commit/e0ba7685077379a14a82d01fefd511490344ebfc))
* add more retry logic and better logging ([#1764](https://github.com/aws-actions/configure-aws-credentials/issues/1764)) ([540d0c1](https://github.com/aws-actions/configure-aws-credentials/commit/540d0c13aedb8d55501d220bd2f0b3cdedfe84e8))
* add regex validation to role-session-name ([#1765](https://github.com/aws-actions/configure-aws-credentials/issues/1765)) ([e354499](https://github.com/aws-actions/configure-aws-credentials/commit/e35449909c6ede5083a48ba4b8bbfaaa1cf09ba1))
* Allow custom session tags to be passed when assuming a role ([#1759](https://github.com/aws-actions/configure-aws-credentials/issues/1759)) ([61f50f6](https://github.com/aws-actions/configure-aws-credentials/commit/61f50f630f383628add73c1eab3f1935ba07da2b))
* expose run id in STS client user-agent ([#1774](https://github.com/aws-actions/configure-aws-credentials/issues/1774)) ([29d1be3](https://github.com/aws-actions/configure-aws-credentials/commit/29d1be30273e7ef371d59fccf6ec54572c64ec89))
* support custom STS endpoints ([#1762](https://github.com/aws-actions/configure-aws-credentials/issues/1762)) ([8d52d05](https://github.com/aws-actions/configure-aws-credentials/commit/8d52d05d7a4521fa52b39de50cb6114b12e5c332))
### Bug Fixes
* skip credential check on output-env-credentials: false ([#1778](https://github.com/aws-actions/configure-aws-credentials/issues/1778)) ([58e7c47](https://github.com/aws-actions/configure-aws-credentials/commit/58e7c47adf77846879008deadfeeef8a6969fe6c))
* assumeRole failing from session tag size too large ([#1808](https://github.com/aws-actions/configure-aws-credentials/issues/1808)) ([d6f5dc3](https://github.com/aws-actions/configure-aws-credentials/commit/d6f5dc331b44474b19a52caaf85fa4d637b13c8e))
## [6.1.3](https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.2...v6.1.3) (2026-05-28)
### Bug Fixes
* fix: allow kubelet token symlink in [#1805](https://github.com/aws-actions/configure-aws-credentials/issues/1805)
## [6.1.2](https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2) (2026-05-26)
### Bug Fixes
* additional filesystem checks ([#1799](https://github.com/aws-actions/configure-aws-credentials/issues/1799)) ([c39f282](https://github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c))
## [6.1.1](https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1) (2026-05-05)

85
README.md
View file

@ -168,7 +168,6 @@ detail.
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
| role-skip-session-tagging | Skips session tagging if set. | No |
| transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
| custom-tags | Additional tags to apply to the assumed role session. Must be a JSON object provided as a string. Custom tags are not usable with OIDC or web identity token authentication. | No |
| inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
| managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
| output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
@ -181,8 +180,6 @@ detail.
| allowed-account-ids | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. | No |
| force-skip-oidc | When set, the action will skip using GitHub OIDC provider even if the id-token permission is set. | No |
| action-timeout-s | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. | No |
| no-proxy | Hosts to skip for the proxy configuration. | No |
| sts-endpoint | Custom STS endpoint URL. Use this to point to an STS-compatible API (e.g. MinIO, LocalStack) instead of the default AWS STS endpoint for the region. | No |
</details>
@ -353,7 +350,8 @@ documentation for `GITHUB_` environment variable definitions][gh-env-vars])
[gh-env-vars]:
https://docs.github.com/en/actions/reference/workflows-and-actions/variables#default-environment-variables
**Default tags** are always emitted when session tags are used.
**Protected tags** are always emitted when session tags are used, and cannot be
overridden via `custom-tags`:
| Key | Value |
| ---------- | ----------------- |
@ -365,24 +363,21 @@ documentation for `GITHUB_` environment variable definitions][gh-env-vars])
| Commit | GITHUB_SHA |
| Branch | GITHUB_REF |
**Droppable tags** are automatically added to the set of default session tags.
If the session tags exceed the [packed size limit][packed-size-limit], these
tags will be dropped, and the AssumeRole call will be retried. If it still
fails, the action will error out. (It is difficult to predict the packed size
before making the call, as session tags and session policies are compressed into
a binary format as part of the call.)
**Overrideable tags** are automatically added to the set of default session tags
but may be overridden via `custom-tags`. AWS has a maximum limit of 50 session
tags; tags from this list are dropped in reverse priority order if your
`custom-tags` set plus the protected set exceeds this limit.
[packed-size-limit]:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_know
| Key | Value |
| --------------- | ----------------------- |
| EventName | GITHUB_EVENT_NAME |
| BaseRef | GITHUB_BASE_REF |
| HeadRef | GITHUB_HEAD_REF |
| RunId | GITHUB_RUN_ID |
| Job | GITHUB_JOB |
| TriggeringActor | GITHUB_TRIGGERING_ACTOR |
| Key | Value | Priority |
| --------------- | ----------------------- | -------- |
| EventName | GITHUB_EVENT_NAME | 1 |
| BaseRef | GITHUB_BASE_REF | 2 |
| HeadRef | GITHUB_HEAD_REF | 3 |
| RefName | GITHUB_REF_NAME | 4 |
| RunId | GITHUB_RUN_ID | 5 |
| RefType | GITHUB_REF_TYPE | 6 |
| Job | GITHUB_JOB | 7 |
| TriggeringActor | GITHUB_TRIGGERING_ACTOR | 8 |
Tags whose source environment variable is unset are omitted (e.g., `BaseRef` and
`HeadRef` are only set on `pull_request` events).
@ -390,21 +385,21 @@ Tags whose source environment variable is unset are omitted (e.g., `BaseRef` and
_Note: all tag values must conform to
[the tag requirements][sts-tag-requirements].
Values longer than 256 characters will be truncated, and characters outside the
allowed set will be replaced with an underscore (`_`)._
allowed set will be replaced with an underscore (`_`).\_
[sts-tag-requirements]:
https://docs.aws.amazon.com/STS/latest/APIReference/API_Tag.html
The action will use session tagging by default unless you are using OIDC or a
Web Identify Token File.
The action will use session tagging by default unless you are using OIDC.
To [forward session tags to subsequent sessions in a role
chain][session-tag-chaining], you can use the `transitive-tag-keys` input to
specify the keys of the tags to be passed.
chain][session-tag-chaining], you can use
[session-tag-chaining]:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
the `transitive-tag-keys` input to specify the keys of the tags to be passed.
_Note that all subsequent roles in the chain must have
`role-skip-session-tagging` set to `true`_
@ -421,10 +416,9 @@ with:
### Custom session tags
You can add custom session tags using the `custom-tags` input, which accepts a
JSON object. Custom tags cannot override existing tags. Note that AWS allows a
maximum of 50 tags (so you can supply a maximum of 43 custom tags), although it
is likely that you will exceed the [packed size limit][packed-size-limit]
before you exceed the maximum number of tags.
JSON object. Custom tags cannot override protected tags, but they can override
overrideable tags (in which case the overrideable tag's slot is freed for the
next overrideable tag in the priority list, if any).
```yaml
uses: aws-actions/configure-aws-credentials@v6
@ -590,7 +584,7 @@ claims ([1][gh-blog-oidc], [2][sub-claim-custom]).
> **Warning:** Avoid `ForAllValues:` in `Allow` statements. These operators
> return true when the claim is absent or misspelled, which can lead to
> unintended access. Instead, use `StringEquals` or `StringLike` operators to
> uninended access. Instead, use `StringEquals` or `StringLike` operators to
> check for specific claim values.
[least-privilege]:
@ -623,35 +617,6 @@ For further information on OIDC and GitHub Actions, please see:
- [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
- [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)
## Getting Credentials in AWS Self-Hosted Runners
If you are running GitHub Actions in a self-hosted runner using an AWS Service
(such as Codebuild or EKS) and you have properly configured the service,
credentials should be available by default; the AWS CLI will fetch credentials
using the AWS_CONTAINER_CREDENTIALS_FULL_URI or
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables. However, you may
still want to use this action if you need to export those credentials for use
with other tools in your workflow. You may also want to use this action in
scenarios where you need to use that 'default' role to assume another role.
To export credentials, simply run the action with `role-to-assume` set to the
default role of the container.
To assume another role from the container's default role, use the
`role-chaining: true` flag, so that the action fetches the default credentials
from the environment before assuming the other role.
If you are using EKS Pod Identities and encountering an error related to the
packed size of session tags, you must either run the action with
`role-skip-session-tagging: true` to disable the tags set by the action, or
[disable EKS session tagging][eks-disable-session-tagging] in the EKS settings
to disable the tags that are automatically set by the EKS Pod Identity Service.
Check the values of the action's session tags and the session tags that are
added by EKS so you can keep the set of tags which is more useful to you.
[eks-disable-session-tagging]:
https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
## Compatibility with non-GitHub Actions environments
This action has been sucessfully tested with

14
THIRD-PARTY
View file

@ -855,7 +855,7 @@ Apache License
The following npm packages may be included in this product:
- @aws-sdk/signature-v4-multi-region@3.996.27
- @smithy/core@3.24.5
- @smithy/core@3.24.3
- @smithy/types@4.14.2
These packages each contain the following license:
@ -1254,7 +1254,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following npm package may be included in this product:
- @aws-sdk/core@3.974.15
- @aws-sdk/core@3.974.12
This package contains the following license:
@ -1674,18 +1674,18 @@ Apache License
The following npm packages may be included in this product:
- @aws-sdk/credential-provider-env@3.972.41
- @aws-sdk/credential-provider-env@3.972.38
- @aws-sdk/credential-provider-ini@3.972.42
- @aws-sdk/credential-provider-node@3.972.43
- @aws-sdk/token-providers@3.1049.0
- @aws-sdk/types@3.973.9
- @aws-sdk/types@3.973.8
- @aws-sdk/util-locate-window@3.965.5
- @aws-sdk/xml-builder@3.972.26
- @aws-sdk/xml-builder@3.972.24
- @smithy/credential-provider-imds@4.3.3
- @smithy/fetch-http-handler@5.4.3
- @smithy/is-array-buffer@2.2.0
- @smithy/node-http-handler@4.7.3
- @smithy/signature-v4@5.4.5
- @smithy/signature-v4@5.4.3
- @smithy/util-buffer-from@2.2.0
- @smithy/util-utf8@2.3.0
@ -2335,7 +2335,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following npm packages may be included in this product:
- @nodable/entities@2.1.1
- @nodable/entities@2.1.0
- quickjs-wasi@2.2.0
- xml-naming@0.1.0

24
dist/cleanup/index.js generated vendored
View file

@ -5707,7 +5707,7 @@ var require_client_h1 = __commonJS({
kResume,
kHTTPContext
} = require_symbols();
var constants4 = require_constants2();
var constants3 = require_constants2();
var EMPTY_BUF = Buffer.alloc(0);
var FastBuffer = Buffer[Symbol.species];
var addListener = util.addListener;
@ -5779,7 +5779,7 @@ var require_client_h1 = __commonJS({
constructor(client, socket, { exports: exports3 }) {
assert(Number.isFinite(client[kMaxHeadersSize]) && client[kMaxHeadersSize] > 0);
this.llhttp = exports3;
this.ptr = this.llhttp.llhttp_alloc(constants4.TYPE.RESPONSE);
this.ptr = this.llhttp.llhttp_alloc(constants3.TYPE.RESPONSE);
this.client = client;
this.socket = socket;
this.timeout = null;
@ -5874,19 +5874,19 @@ var require_client_h1 = __commonJS({
currentBufferRef = null;
}
const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr;
if (ret === constants4.ERROR.PAUSED_UPGRADE) {
if (ret === constants3.ERROR.PAUSED_UPGRADE) {
this.onUpgrade(data.slice(offset));
} else if (ret === constants4.ERROR.PAUSED) {
} else if (ret === constants3.ERROR.PAUSED) {
this.paused = true;
socket.unshift(data.slice(offset));
} else if (ret !== constants4.ERROR.OK) {
} else if (ret !== constants3.ERROR.OK) {
const ptr = llhttp.llhttp_get_error_reason(this.ptr);
let message = "";
if (ptr) {
const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0);
message = "Response does not match the HTTP/1.1 protocol (" + Buffer.from(llhttp.memory.buffer, ptr, len).toString() + ")";
}
throw new HTTPParserError(message, constants4.ERROR[ret], data.slice(offset));
throw new HTTPParserError(message, constants3.ERROR[ret], data.slice(offset));
}
} catch (err) {
util.destroy(socket, err);
@ -6061,7 +6061,7 @@ var require_client_h1 = __commonJS({
socket[kBlocking] = false;
client[kResume]();
}
return pause ? constants4.ERROR.PAUSED : 0;
return pause ? constants3.ERROR.PAUSED : 0;
}
onBody(buf) {
const { client, socket, statusCode, maxResponseSize } = this;
@ -6083,7 +6083,7 @@ var require_client_h1 = __commonJS({
}
this.bytesRead += buf.length;
if (request.onData(buf) === false) {
return constants4.ERROR.PAUSED;
return constants3.ERROR.PAUSED;
}
}
onMessageComplete() {
@ -6118,13 +6118,13 @@ var require_client_h1 = __commonJS({
if (socket[kWriting]) {
assert(client[kRunning] === 0);
util.destroy(socket, new InformationalError("reset"));
return constants4.ERROR.PAUSED;
return constants3.ERROR.PAUSED;
} else if (!shouldKeepAlive) {
util.destroy(socket, new InformationalError("reset"));
return constants4.ERROR.PAUSED;
return constants3.ERROR.PAUSED;
} else if (socket[kReset] && client[kRunning] === 0) {
util.destroy(socket, new InformationalError("reset"));
return constants4.ERROR.PAUSED;
return constants3.ERROR.PAUSED;
} else if (client[kPipelining] == null || client[kPipelining] === 1) {
setImmediate(() => client[kResume]());
} else {
@ -19128,7 +19128,6 @@ function error(message, properties = {}) {
}
// src/helpers.ts
var fs3 = __toESM(require("node:fs"));
function errorMessage(error2) {
return error2 instanceof Error ? error2.message : String(error2);
}
@ -19146,7 +19145,6 @@ function getBooleanInput(name, options) {
Support boolean input list: \`true | True | TRUE | false | False | FALSE\``
);
}
var O_NOFOLLOW = fs3.constants.O_NOFOLLOW ?? 0;
// src/cleanup/index.ts
function cleanup() {

4414
dist/index.js generated vendored
View file

File diff suppressed because it is too large Load diff

391
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "configure-aws-credentials",
"version": "6.2.0",
"version": "6.1.1",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "configure-aws-credentials",
"version": "6.2.0",
"version": "6.1.1",
"license": "MIT",
"dependencies": {
"@actions/core": "^3.0.1",
@ -15,11 +15,11 @@
"proxy-agent": "^8.0.1"
},
"devDependencies": {
"@aws-sdk/credential-provider-env": "^3.972.39",
"@aws-sdk/credential-provider-env": "^3.972.38",
"@biomejs/biome": "2.4.15",
"@smithy/property-provider": "^4.3.4",
"@types/node": "^25.9.1",
"@vitest/coverage-v8": "4.1.5",
"@smithy/property-provider": "^4.3.3",
"@types/node": "^25.9.0",
"@vitest/coverage-v8": "^4.1.6",
"aws-sdk-client-mock": "^4.1.0",
"esbuild": "^0.28.0",
"generate-license-file": "^4.1.1",
@ -28,7 +28,7 @@
"memfs": "^4.57.2",
"standard-version": "^9.5.0",
"typescript": "^6.0.3",
"vitest": "4.1.5"
"vitest": "^4.1.5"
},
"engines": {
"node": ">= 16.3.0"
@ -155,17 +155,17 @@
}
},
"node_modules/@aws-sdk/core": {
"version": "3.974.15",
"resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.15.tgz",
"integrity": "sha512-UpA0rTGW/tHGITcCqHisbuuEPraYg9GG+mWmXjY5+RxZBMLGe6aL9oe0ix50LztwAcPIkGZLH0yWdMIkCM10hw==",
"version": "3.974.12",
"resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.12.tgz",
"integrity": "sha512-qrqgioqYFjwR6LatVNS1L2Vk++EwRIxqSQXPKNv5Ofux2D8UNgqMQ1znnMyEImXquVPTtbf71fc128pvmU6y9A==",
"license": "Apache-2.0",
"dependencies": {
"@aws-sdk/types": "^3.973.9",
"@aws-sdk/xml-builder": "^3.972.26",
"@aws-sdk/types": "^3.973.8",
"@aws-sdk/xml-builder": "^3.972.24",
"@aws/lambda-invoke-store": "^0.2.2",
"@smithy/core": "^3.24.5",
"@smithy/signature-v4": "^5.4.5",
"@smithy/types": "^4.14.2",
"@smithy/core": "^3.24.2",
"@smithy/signature-v4": "^5.4.2",
"@smithy/types": "^4.14.1",
"bowser": "^2.11.0",
"tslib": "^2.6.2"
},
@ -174,15 +174,15 @@
}
},
"node_modules/@aws-sdk/credential-provider-env": {
"version": "3.972.41",
"resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.41.tgz",
"integrity": "sha512-n1EbJ98yvPWWdHZZv8bRBMqqDQJrtgtxyJ4xLy2Uqrh25BCOZQ7nnS1CsFXvuH8r0b0KVHDZEGEH5FxmEMP8jg==",
"version": "3.972.38",
"resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.38.tgz",
"integrity": "sha512-m3WjZEgPtioMhPmwqUt+DhlTJ2i9ufR6DhfkyXojb9puEvfR+ur2U5shavu5/Cc9WHHsDCvALi6UFHgcqjhQ5w==",
"license": "Apache-2.0",
"dependencies": {
"@aws-sdk/core": "^3.974.15",
"@aws-sdk/types": "^3.973.9",
"@smithy/core": "^3.24.5",
"@smithy/types": "^4.14.2",
"@aws-sdk/core": "^3.974.12",
"@aws-sdk/types": "^3.973.8",
"@smithy/core": "^3.24.2",
"@smithy/types": "^4.14.1",
"tslib": "^2.6.2"
},
"engines": {
@ -376,12 +376,12 @@
}
},
"node_modules/@aws-sdk/types": {
"version": "3.973.9",
"resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.9.tgz",
"integrity": "sha512-kuBfgQVdcz5Bmapc4A13YbpVw/pXkesfhetcFYwbntqas8sF41OHyd4o28+/TG2ZQdHBsv90Lsu5y6oitvYCdg==",
"version": "3.973.8",
"resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.8.tgz",
"integrity": "sha512-gjlAdtHMbtR9X5iIhVUvbVcy55KnznpC6bkDUWW9z915bi0ckdUr5cjf16Kp6xq0bP5HBD2xzgbL9F9Quv5vUw==",
"license": "Apache-2.0",
"dependencies": {
"@smithy/types": "^4.14.2",
"@smithy/types": "^4.14.1",
"tslib": "^2.6.2"
},
"engines": {
@ -401,12 +401,13 @@
}
},
"node_modules/@aws-sdk/xml-builder": {
"version": "3.972.26",
"resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.26.tgz",
"integrity": "sha512-cDbrqvDS73whl6YAPSPq0U6whzG6UWI9PuWh0wrUuGoZexhWEqhdunbukV7iBoaWnFV1AODutM5hOD6rtn439g==",
"version": "3.972.24",
"resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.24.tgz",
"integrity": "sha512-V8z5YcDPfsvzrBlj0xR1vhRtocblhYbqdreCJB/voGd4Sr5zjNAeWxexbnqVtskTJe0vFb5KMqbSL++ePl+zRw==",
"license": "Apache-2.0",
"dependencies": {
"@smithy/types": "^4.14.2",
"@nodable/entities": "2.1.0",
"@smithy/types": "^4.14.1",
"fast-xml-parser": "5.7.3",
"tslib": "^2.6.2"
},
@ -1682,9 +1683,9 @@
}
},
"node_modules/@nodable/entities": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.1.tgz",
"integrity": "sha512-Pig3HxDIoMgjdEH8OCf/dkcTmLFjJRjWuq8jSnklu284/TKOPibSRERmOykiwmyXTtv61mP+44f3GMx0tLAyjg==",
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz",
"integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==",
"funding": [
{
"type": "github",
@ -1971,9 +1972,9 @@
}
},
"node_modules/@oxc-project/types": {
"version": "0.132.0",
"resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.132.0.tgz",
"integrity": "sha512-FESMOxil5Se014ui/Eq8fT5uHJo6nIRwH0PfJrZJXs6Gek3ZVFOrpUv3YIZT20m+extU98Hg1Ym72U58rlsxUQ==",
"version": "0.129.0",
"resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.129.0.tgz",
"integrity": "sha512-3oz8m3FGdr2nDXVqmFUw7jolKliC4MoyXYIG2c7gpjBnzUWQpUGIYcXYKxTdTi+N2jusvt610ckTMkxdwHkYEg==",
"dev": true,
"license": "MIT",
"funding": {
@ -1981,9 +1982,9 @@
}
},
"node_modules/@rolldown/binding-android-arm64": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.2.tgz",
"integrity": "sha512-ZS4D1JPGn/MYQN/SYDWftIE/nVsM8j/AFOYEzAoOE2O3NktQOZru+/vYXGbR/qtdLdIfGCP0lcoJiYVzsEz+iQ==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0.tgz",
"integrity": "sha512-TWMZnRLMe63C2Lhyicviu7ZHaU4kxa6PS3rofvc9GmcvptzNN11BcfQ4Sl7MwTOsisQoa2keB/EBdNCAnUo8vA==",
"cpu": [
"arm64"
],
@ -1998,9 +1999,9 @@
}
},
"node_modules/@rolldown/binding-darwin-arm64": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.2.tgz",
"integrity": "sha512-vdFA9+C/rekyGce7WqHs/xoT0ioZEWaOFyZLIV1mEeNFaFDUQrPIo8Vs2GvJ6eetb3rzDUtUBgzto3ExpXJB3w==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0.tgz",
"integrity": "sha512-6XcD+8k0gPVItNagEw78/qqcBDwKcwDYS8V2hRmVsfUSIrd8cWe/CBvRDI5toqFyPfj+FJr6t8U6Xj2P2prEew==",
"cpu": [
"arm64"
],
@ -2015,9 +2016,9 @@
}
},
"node_modules/@rolldown/binding-darwin-x64": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.2.tgz",
"integrity": "sha512-BewSOwTHazv77DTYiAZXSqqKZ4KP/KonFisDMVU7PImxoWfB2aepnPhd2E4SWz3zDzYgDNbs6jBmTdgNnF02GA==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0.tgz",
"integrity": "sha512-iN/tWVXRQDWvmZlKdceP1Dwug9GDpEymhb9p4xnEe6zvCg5lFmzVljl+1qR1NVx3yfGpr2Na+CuLmv5IU8uzfQ==",
"cpu": [
"x64"
],
@ -2032,9 +2033,9 @@
}
},
"node_modules/@rolldown/binding-freebsd-x64": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.2.tgz",
"integrity": "sha512-m41o7M0YWtUdqk61Tb+jnKb2rN++iRdIASlExkUoKfIAH30DOHCB8fVLzSUpbWHHU8esmEioY62PxzexE8MBuA==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0.tgz",
"integrity": "sha512-jjQMDvvwSOuhOwMszD/klSOjyWMM3zI64hWTj9KT5x4MxRbZAf+7vLQ6qouRhtsLVFHr3f0ILaJAfgENPiQdAQ==",
"cpu": [
"x64"
],
@ -2049,9 +2050,9 @@
}
},
"node_modules/@rolldown/binding-linux-arm-gnueabihf": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.2.tgz",
"integrity": "sha512-jcojB9H7W/jS29pMKWAK1N+fU99vXodHDTatS3b3y/XSOCiHo0kkA74pL3jJmkoQtYpOCxDvaKs1fo2Ij/1X5w==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0.tgz",
"integrity": "sha512-d//Dtg2x6/m3mbV64yUGNnDGNZaDGRpDLLNGerHQUVObuNaIQaaDp25yUiqGXtHEXX+NP2d0wAlmKgpYgIAJ2A==",
"cpu": [
"arm"
],
@ -2066,16 +2067,13 @@
}
},
"node_modules/@rolldown/binding-linux-arm64-gnu": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.2.tgz",
"integrity": "sha512-1jn6qDU5iiOgFgygDzKUuKP0maTi0/f1+sBLgvij/76C77Nm3ts6ufz9Bjg5q5dduxiUIxtq86JIoBvo1xQ4Ig==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0.tgz",
"integrity": "sha512-n7Ofp0mx+aB2cC+Sdy5YtMnXtY9lchnHbY+3Yt0uq9JsWQExf4f5Whu0tK0R8Jdc9S6RchTHjIFY7uc92puOVQ==",
"cpu": [
"arm64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@ -2086,16 +2084,13 @@
}
},
"node_modules/@rolldown/binding-linux-arm64-musl": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.2.tgz",
"integrity": "sha512-QVLO/czFMdoMFSqlX3bcswcJNm/23r+qoa/jgtmFc/qEp6/jXmIkDjF/XIo8dPfGaiwy1xfQn8o77L79GeXFgw==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0.tgz",
"integrity": "sha512-EIVjy2cgd7uuMMo94FVkBp7F6DhcZAUwNURkSG3RwUmvAXR6s0ISxM81U+IydcZByPG0pZIHsf1b6kTxoFDgJA==",
"cpu": [
"arm64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MIT",
"optional": true,
"os": [
@ -2106,16 +2101,13 @@
}
},
"node_modules/@rolldown/binding-linux-ppc64-gnu": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.2.tgz",
"integrity": "sha512-hgO5Abm0w5UL6FEa2iFnZqo2KlK7TQ5QhV5x09hujBf7t5KzHQ1VmfPuTpqRy/rNlSxua3eWH374xxiVrP+lcA==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0.tgz",
"integrity": "sha512-JEwwOPcwTLAcpDQlqSmjEmfs63xJnSiUNIGvLcDLUHCWK4XowpS/7c7tUsUH6uT/ct6bMUTdXKfI8967FYj6mg==",
"cpu": [
"ppc64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@ -2126,16 +2118,13 @@
}
},
"node_modules/@rolldown/binding-linux-s390x-gnu": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.2.tgz",
"integrity": "sha512-fy8rXxuYEu602abC8MUNaPjYLIFzReOaEIEMKMUa0rFEUxNpVXhs15KSSQ4qlqSaM7B6rcj9rDZgADh/IGDzLQ==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0.tgz",
"integrity": "sha512-0wjCFhLrihtAubnT9iA0N++0pSV0z5Hg7tNGdNJ4RFaINceHadoF+kiFGyY1qSSNVIAZtLotG8Ju1bgDPkjnFA==",
"cpu": [
"s390x"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@ -2146,16 +2135,13 @@
}
},
"node_modules/@rolldown/binding-linux-x64-gnu": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.2.tgz",
"integrity": "sha512-0+bOkiQ779+r1WpoHOWHqncvyySci0vKph+myNDYb+im6meJAzHQXay6oEgnkHuUGouM1LKTZwqKpBow6Kj7CQ==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0.tgz",
"integrity": "sha512-Dfn7iak9BcMMePxcoJfpSbWqnEyrp/dRF63/8qW/eHBdOZov6x5aShLLEYGYdIeSJ6vMLK/XCVB+lGIxm41bQA==",
"cpu": [
"x64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@ -2166,16 +2152,13 @@
}
},
"node_modules/@rolldown/binding-linux-x64-musl": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.2.tgz",
"integrity": "sha512-mjSkrzZK5Qsl0a9d1JgILOiuZOSDTVdKENcSXBoqbzSrspLR/4/IRVDo5wd2GgZjNss/viBFJdeq+j7qH2nypw==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0.tgz",
"integrity": "sha512-5/utzzDmD/pD/bmuaUcbTf/sZYy0aztwIVlfpoW1fTjCZ0BaPOMVWGZL1zvgxyi7ZIVYWlxKONHmSbHuiOh8Jw==",
"cpu": [
"x64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MIT",
"optional": true,
"os": [
@ -2186,9 +2169,9 @@
}
},
"node_modules/@rolldown/binding-openharmony-arm64": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.2.tgz",
"integrity": "sha512-1v5vHasdfQAZoEHakBV72LIFAC9JjnymsiKxp+GEr/ma3+NJCPSaYK+qavInOovJkgwFrs7GccX2d6IgDA3Z5w==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0.tgz",
"integrity": "sha512-ouJs8VcUomfLfpbUECqFMRqdV4x6aeAK3MA4m6vTrJJjKyWTV5KnxZx7Jd9G+GlDaQQxubcba00x16OyJ1meig==",
"cpu": [
"arm64"
],
@ -2203,9 +2186,9 @@
}
},
"node_modules/@rolldown/binding-wasm32-wasi": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.2.tgz",
"integrity": "sha512-mb1VobWn6NheziTk5/WEaR6AKVbrwT5sOi6C7zk3gy/pD1qtJfU1j4PgTo2NJnOtbL9Dl3Aeei8w9jJ7qC2jZQ==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0.tgz",
"integrity": "sha512-E+oHKGiDA+lsKMmFtffDDw91EryDT7uJocrIuCHqhm6bCTM6xFK+3gaCkYOHfPwQr0cCNarSM2xaELoQDz9jJg==",
"cpu": [
"wasm32"
],
@ -2222,9 +2205,9 @@
}
},
"node_modules/@rolldown/binding-win32-arm64-msvc": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.2.tgz",
"integrity": "sha512-SqKonF56vA/L2yHwHYcEp2P34URpOZ7d1fS635cTkpDnUtEGdUbhI6NzsPdqeSWvAAeGDrxjWjNmibDIdFf9/A==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0.tgz",
"integrity": "sha512-yYK02n8Rngo+gbm1y6G0+7jk1sJ/2Wt7K0me0Y7k/ErBpyf+LJ2gFpqWVTcRV1rUepBlQRmpgWkTQCiiwrK0Ow==",
"cpu": [
"arm64"
],
@ -2239,9 +2222,9 @@
}
},
"node_modules/@rolldown/binding-win32-x64-msvc": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.2.tgz",
"integrity": "sha512-v7qRI7gXLRINcOGXt+7YmAZ6iFuyZVMIoXAxhd8oP+DR9dLfL9GfNIx7PLMxmhZdvq8waUJBQiWN9EKNy+TRBQ==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0.tgz",
"integrity": "sha512-14bpChMahXRRXiTwahSl+zzHPW6qQTXtkMuJBFlbo+pqSAews2d4BdCSHfrJ/MBsCZtpmTafsY+1QhBzitcmdg==",
"cpu": [
"x64"
],
@ -2256,9 +2239,9 @@
}
},
"node_modules/@rolldown/pluginutils": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.1.tgz",
"integrity": "sha512-2j9bGt5Jh8hj+vPtgzPtl72j0yRxHAyumoo6TNfAjsLB04UtpSvPbPcDcBMxz7n+9CYB0c1GxQFxYRg2jimqGw==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0.tgz",
"integrity": "sha512-aKs/3GSWyV0mrhNmt/96/Z3yczC3yvrzYATCiCXQebBsGyYzjNdUphRVLeJQ67ySKVXRfMxt2lm12pmXvbPFQQ==",
"dev": true,
"license": "MIT"
},
@ -2384,9 +2367,9 @@
}
},
"node_modules/@smithy/core": {
"version": "3.24.5",
"resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.24.5.tgz",
"integrity": "sha512-Kt8phUg45M15EjhYAbZ+fFikYneijLu9Liugz8ZsYz2i8j0hzGv27LWKpEHYRfvj+LyCOSijpcR/2i8RouV+cA==",
"version": "3.24.3",
"resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.24.3.tgz",
"integrity": "sha512-Ep/7tPamGY8mgESE3LyLKtxJyy6U52WWAqr/3wial47Sj4u3PiIF73AOGI27UyLy9duTkhZbgzodOfLV4TduZg==",
"license": "Apache-2.0",
"dependencies": {
"@aws-crypto/crc32": "5.2.0",
@ -2452,13 +2435,13 @@
}
},
"node_modules/@smithy/property-provider": {
"version": "4.3.5",
"resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.3.5.tgz",
"integrity": "sha512-QNc22/FgfEm/9/rkefShfQUVckH3HWiQ2RPs+40hwAdY65hbg88gombeHwkfMzmVDZjolcyQeyOjnxZRmpavIA==",
"version": "4.3.3",
"resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.3.3.tgz",
"integrity": "sha512-nmeVi9Ww/RMyttqj1Dh0PA+iVieKm4dxDlnT6tNP118O/5U/Qqb9b3DV5A3RX+slR/m4/MABSZ2zNfSkpVV8dw==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"@smithy/core": "^3.24.5",
"@smithy/core": "^3.24.3",
"tslib": "^2.6.2"
},
"engines": {
@ -2466,12 +2449,12 @@
}
},
"node_modules/@smithy/signature-v4": {
"version": "5.4.5",
"resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.4.5.tgz",
"integrity": "sha512-QBJKWGqIknH0dc9LWpfH1mkdokAx6iXYN3UcQ3eY6uIEyScuoQAhfl94ge7ozUy9WgFUdE8xsvwBjaYBbWmPNA==",
"version": "5.4.3",
"resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.4.3.tgz",
"integrity": "sha512-53+75QuPl6DL+ct6vVEB51FDO5oulXr20TPV46VvJZg76lIlXNWfxi8j+G2V/t0I2qxCBOa3vX/8bmjrpFVo9g==",
"license": "Apache-2.0",
"dependencies": {
"@smithy/core": "^3.24.5",
"@smithy/core": "^3.24.3",
"@smithy/types": "^4.14.2",
"tslib": "^2.6.2"
},
@ -2616,9 +2599,9 @@
"license": "MIT"
},
"node_modules/@types/node": {
"version": "25.9.1",
"resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.1.tgz",
"integrity": "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==",
"version": "25.9.0",
"resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.0.tgz",
"integrity": "sha512-AOQwYUNolgy3VosiRqXrACUXTN8nJUtPl7FJXMqZVyxiiCLhQuG3jXKvCS1ALr+Y2OmZhzzLVlYPEqJaiqkaJQ==",
"dev": true,
"license": "MIT",
"dependencies": {
@ -2657,14 +2640,14 @@
"license": "MIT"
},
"node_modules/@vitest/coverage-v8": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.5.tgz",
"integrity": "sha512-38C0/Ddb7HcRG0Z4/DUem8x57d2p9jYgp18mkaYswEOQBGsI1CG4f/hjm0ZCeaJfWhSZ4k7jgs29V1Zom7Ki9A==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.6.tgz",
"integrity": "sha512-36l628fQ/9a/8ihy97eOtEnvWQEdqULQOJtcaxtoNq0G1w3Mxd4szSahOaMM9/NGyZ+hyKcMtIW/WIxq0XQViQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@bcoe/v8-coverage": "^1.0.2",
"@vitest/utils": "4.1.5",
"@vitest/utils": "4.1.6",
"ast-v8-to-istanbul": "^1.0.0",
"istanbul-lib-coverage": "^3.2.2",
"istanbul-lib-report": "^3.0.1",
@ -2678,8 +2661,8 @@
"url": "https://opencollective.com/vitest"
},
"peerDependencies": {
"@vitest/browser": "4.1.5",
"vitest": "4.1.5"
"@vitest/browser": "4.1.6",
"vitest": "4.1.6"
},
"peerDependenciesMeta": {
"@vitest/browser": {
@ -2688,16 +2671,16 @@
}
},
"node_modules/@vitest/expect": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.5.tgz",
"integrity": "sha512-PWBaRY5JoKuRnHlUHfpV/KohFylaDZTupcXN1H9vYryNLOnitSw60Mw9IAE2r67NbwwzBw/Cc/8q9BK3kIX8Kw==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.6.tgz",
"integrity": "sha512-7EHDquPthALSV0jhhjgEW8FXaviMx7rSqu8W6oqCoAuOhKov814P99QDV1pxMA3QPv21YudvJngIhjrNI4opLg==",
"dev": true,
"license": "MIT",
"dependencies": {
"@standard-schema/spec": "^1.1.0",
"@types/chai": "^5.2.2",
"@vitest/spy": "4.1.5",
"@vitest/utils": "4.1.5",
"@vitest/spy": "4.1.6",
"@vitest/utils": "4.1.6",
"chai": "^6.2.2",
"tinyrainbow": "^3.1.0"
},
@ -2706,13 +2689,13 @@
}
},
"node_modules/@vitest/mocker": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.5.tgz",
"integrity": "sha512-/x2EmFC4mT4NNzqvC3fmesuV97w5FC903KPmey4gsnJiMQ3Be1IlDKVaDaG8iqaLFHqJ2FVEkxZk5VmeLjIItw==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.6.tgz",
"integrity": "sha512-MCFc63czMjEInOlcY2cpQCvCN+KgbAn+60xu9cMgP4sKaLC5JNAKw7JH8QdAnoAC88hW1IiSNZ+GgVXlN1UcMQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@vitest/spy": "4.1.5",
"@vitest/spy": "4.1.6",
"estree-walker": "^3.0.3",
"magic-string": "^0.30.21"
},
@ -2733,9 +2716,9 @@
}
},
"node_modules/@vitest/pretty-format": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.5.tgz",
"integrity": "sha512-7I3q6l5qr03dVfMX2wCo9FxwSJbPdwKjy2uu/YPpU3wfHvIL4QHwVRp57OfGrDFeUJ8/8QdfBKIV12FTtLn00g==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.6.tgz",
"integrity": "sha512-h5SxD/IzNhZYnrSZRsUZQIC+vD0GY8cUvq0iwsmkFKixRCKLLWqCXa/FIQ4S1R+sI+PGoojkHsdNrbZiM9Qpgw==",
"dev": true,
"license": "MIT",
"dependencies": {
@ -2746,13 +2729,13 @@
}
},
"node_modules/@vitest/runner": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.5.tgz",
"integrity": "sha512-2D+o7Pr82IEO46YPpoA/YU0neeyr6FTerQb5Ro7BUnBuv6NQtT/kmVnczngiMEBhzgqz2UZYl5gArejsyERDSQ==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.6.tgz",
"integrity": "sha512-nOPCmn2+yD0ZNmKdsXGv/UxMMWbMuKeD6GyYncNwdkYDxpQvrPSKYj2rWuDjC2Y4b6w6hjip5dBKFzEUuZe3vA==",
"dev": true,
"license": "MIT",
"dependencies": {
"@vitest/utils": "4.1.5",
"@vitest/utils": "4.1.6",
"pathe": "^2.0.3"
},
"funding": {
@ -2760,14 +2743,14 @@
}
},
"node_modules/@vitest/snapshot": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.5.tgz",
"integrity": "sha512-zypXEt4KH/XgKGPUz4eC2AvErYx0My5hfL8oDb1HzGFpEk1P62bxSohdyOmvz+d9UJwanI68MKwr2EquOaOgMQ==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.6.tgz",
"integrity": "sha512-YhsdE6xAVfTDmzjxL2ZDUvjj+ZsgyOKe+TdQzqkD72wIOmHka8NuGQ6NpTNZv9D2Z63fbwWKJPeVpEw4EQgYxw==",
"dev": true,
"license": "MIT",
"dependencies": {
"@vitest/pretty-format": "4.1.5",
"@vitest/utils": "4.1.5",
"@vitest/pretty-format": "4.1.6",
"@vitest/utils": "4.1.6",
"magic-string": "^0.30.21",
"pathe": "^2.0.3"
},
@ -2776,9 +2759,9 @@
}
},
"node_modules/@vitest/spy": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.5.tgz",
"integrity": "sha512-2lNOsh6+R2Idnf1TCZqSwYlKN2E/iDlD8sgU59kYVl+OMDmvldO1VDk39smRfpUNwYpNRVn3w4YfuC7KfbBnkQ==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.6.tgz",
"integrity": "sha512-JFKxMx6udhwKh/Ldo270e17QX710vgunMkuPAvXjHSvC6oqLWAHhVhjg/I71q0u0CBSErIODV1Kjv0FQNSWjdg==",
"dev": true,
"license": "MIT",
"funding": {
@ -2786,13 +2769,13 @@
}
},
"node_modules/@vitest/utils": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.5.tgz",
"integrity": "sha512-76wdkrmfXfqGjueGgnb45ITPyUi1ycZ4IHgC2bhPDUfWHklY/q3MdLOAB+TF1e6xfl8NxNY0ZYaPCFNWSsw3Ug==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.6.tgz",
"integrity": "sha512-FxIY+U81R3LGKCxaHHFRQ5+g6/iRgGLmeHWdp2Amj4ljQRrEIWHmZyDfDYBRZlpyqA7qKxtS9DD1dhk8RnRIVQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@vitest/pretty-format": "4.1.5",
"@vitest/pretty-format": "4.1.6",
"convert-source-map": "^2.0.0",
"tinyrainbow": "^3.1.0"
},
@ -5447,9 +5430,6 @@
"arm64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MPL-2.0",
"optional": true,
"os": [
@ -5471,9 +5451,6 @@
"arm64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MPL-2.0",
"optional": true,
"os": [
@ -5495,9 +5472,6 @@
"x64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MPL-2.0",
"optional": true,
"os": [
@ -5519,9 +5493,6 @@
"x64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MPL-2.0",
"optional": true,
"os": [
@ -7478,9 +7449,9 @@
}
},
"node_modules/postcss": {
"version": "8.5.15",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz",
"integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==",
"version": "8.5.14",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.14.tgz",
"integrity": "sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==",
"dev": true,
"funding": [
{
@ -7498,7 +7469,7 @@
],
"license": "MIT",
"dependencies": {
"nanoid": "^3.3.12",
"nanoid": "^3.3.11",
"picocolors": "^1.1.1",
"source-map-js": "^1.2.1"
},
@ -7926,14 +7897,14 @@
"license": "ISC"
},
"node_modules/rolldown": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.2.tgz",
"integrity": "sha512-oZx5zVDtVB44AW3eaifgDml1gWRDZGvjcfdxonE4swNPG98PrrXjaO/KrnUjzlMnztCCRVlUueA1kCXhARGk6g==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0.tgz",
"integrity": "sha512-yD986aXDESFGS95spT1LAv0jssywP4npMEjmMHyN2/5+eE8qQJUype2AaKkRiLgBgyD0LFlubwAht7VmY8rGoA==",
"dev": true,
"license": "MIT",
"dependencies": {
"@oxc-project/types": "=0.132.0",
"@rolldown/pluginutils": "^1.0.0"
"@oxc-project/types": "=0.129.0",
"@rolldown/pluginutils": "1.0.0"
},
"bin": {
"rolldown": "bin/cli.mjs"
@ -7942,21 +7913,21 @@
"node": "^20.19.0 || >=22.12.0"
},
"optionalDependencies": {
"@rolldown/binding-android-arm64": "1.0.2",
"@rolldown/binding-darwin-arm64": "1.0.2",
"@rolldown/binding-darwin-x64": "1.0.2",
"@rolldown/binding-freebsd-x64": "1.0.2",
"@rolldown/binding-linux-arm-gnueabihf": "1.0.2",
"@rolldown/binding-linux-arm64-gnu": "1.0.2",
"@rolldown/binding-linux-arm64-musl": "1.0.2",
"@rolldown/binding-linux-ppc64-gnu": "1.0.2",
"@rolldown/binding-linux-s390x-gnu": "1.0.2",
"@rolldown/binding-linux-x64-gnu": "1.0.2",
"@rolldown/binding-linux-x64-musl": "1.0.2",
"@rolldown/binding-openharmony-arm64": "1.0.2",
"@rolldown/binding-wasm32-wasi": "1.0.2",
"@rolldown/binding-win32-arm64-msvc": "1.0.2",
"@rolldown/binding-win32-x64-msvc": "1.0.2"
"@rolldown/binding-android-arm64": "1.0.0",
"@rolldown/binding-darwin-arm64": "1.0.0",
"@rolldown/binding-darwin-x64": "1.0.0",
"@rolldown/binding-freebsd-x64": "1.0.0",
"@rolldown/binding-linux-arm-gnueabihf": "1.0.0",
"@rolldown/binding-linux-arm64-gnu": "1.0.0",
"@rolldown/binding-linux-arm64-musl": "1.0.0",
"@rolldown/binding-linux-ppc64-gnu": "1.0.0",
"@rolldown/binding-linux-s390x-gnu": "1.0.0",
"@rolldown/binding-linux-x64-gnu": "1.0.0",
"@rolldown/binding-linux-x64-musl": "1.0.0",
"@rolldown/binding-openharmony-arm64": "1.0.0",
"@rolldown/binding-wasm32-wasi": "1.0.0",
"@rolldown/binding-win32-arm64-msvc": "1.0.0",
"@rolldown/binding-win32-x64-msvc": "1.0.0"
}
},
"node_modules/run-con": {
@ -8593,9 +8564,9 @@
"license": "MIT"
},
"node_modules/tinyexec": {
"version": "1.2.2",
"resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.2.2.tgz",
"integrity": "sha512-M/Q0B2cp4K7kynaT/vnED1j8TlLY+Pp7C6Wl2bl/7u/F0mUVwdyOpwomQb8JpYLitHUssAJRmLZdMCGsrx7i+g==",
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.2.tgz",
"integrity": "sha512-dAqSqE/RabpBKI8+h26GfLq6Vb3JVXs30XYQjdMjaj/c2tS8IYYMbIzP599KtRj7c57/wYApb3QjgRgXmrCukA==",
"dev": true,
"license": "MIT",
"engines": {
@ -8817,16 +8788,16 @@
}
},
"node_modules/vite": {
"version": "8.0.14",
"resolved": "https://registry.npmjs.org/vite/-/vite-8.0.14.tgz",
"integrity": "sha512-s4BJJ+5y1pYL6Otw51FHhVJQhPnuRinKig64g/1+EUNaJsd3gCKdD31IPFvswUgW9/60QT9oFHbZHbQK5imcxw==",
"version": "8.0.12",
"resolved": "https://registry.npmjs.org/vite/-/vite-8.0.12.tgz",
"integrity": "sha512-w2dDofOWv2QB09ZITZBsvKTVAlYvPR4IAmrY/v0ir9KvLs0xybR7i48wxhM1/oyBWO34wPns+bPGw5ZrZqDpZg==",
"dev": true,
"license": "MIT",
"dependencies": {
"lightningcss": "^1.32.0",
"picomatch": "^4.0.4",
"postcss": "^8.5.15",
"rolldown": "1.0.2",
"postcss": "^8.5.14",
"rolldown": "1.0.0",
"tinyglobby": "^0.2.16"
},
"bin": {
@ -8895,19 +8866,19 @@
}
},
"node_modules/vitest": {
"version": "4.1.5",
"resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.5.tgz",
"integrity": "sha512-9Xx1v3/ih3m9hN+SbfkUyy0JAs72ap3r7joc87XL6jwF0jGg6mFBvQ1SrwaX+h8BlkX6Hz9shdd1uo6AF+ZGpg==",
"version": "4.1.6",
"resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.6.tgz",
"integrity": "sha512-6lvjbS3p9b4CrdCmguzbh2/4uoXhGE2q71R4OX5sqF9R1bo9Xd6fGrMAfvp5wnCzlBnFVdCOp6onuTQVbo8iUQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@vitest/expect": "4.1.5",
"@vitest/mocker": "4.1.5",
"@vitest/pretty-format": "4.1.5",
"@vitest/runner": "4.1.5",
"@vitest/snapshot": "4.1.5",
"@vitest/spy": "4.1.5",
"@vitest/utils": "4.1.5",
"@vitest/expect": "4.1.6",
"@vitest/mocker": "4.1.6",
"@vitest/pretty-format": "4.1.6",
"@vitest/runner": "4.1.6",
"@vitest/snapshot": "4.1.6",
"@vitest/spy": "4.1.6",
"@vitest/utils": "4.1.6",
"es-module-lexer": "^2.0.0",
"expect-type": "^1.3.0",
"magic-string": "^0.30.21",
@ -8935,12 +8906,12 @@
"@edge-runtime/vm": "*",
"@opentelemetry/api": "^1.9.0",
"@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
"@vitest/browser-playwright": "4.1.5",
"@vitest/browser-preview": "4.1.5",
"@vitest/browser-webdriverio": "4.1.5",
"@vitest/coverage-istanbul": "4.1.5",
"@vitest/coverage-v8": "4.1.5",
"@vitest/ui": "4.1.5",
"@vitest/browser-playwright": "4.1.6",
"@vitest/browser-preview": "4.1.6",
"@vitest/browser-webdriverio": "4.1.6",
"@vitest/coverage-istanbul": "4.1.6",
"@vitest/coverage-v8": "4.1.6",
"@vitest/ui": "4.1.6",
"happy-dom": "*",
"jsdom": "*",
"vite": "^6.0.0 || ^7.0.0 || ^8.0.0"

12
package.json
View file

@ -1,7 +1,7 @@
{
"name": "configure-aws-credentials",
"description": "A GitHub Action to configure AWS credentials",
"version": "6.2.0",
"version": "6.1.1",
"scripts": {
"build": "tsc",
"lint": "biome check --error-on-warnings ./src ./test && markdownlint -i node_modules -i CHANGELOG.md '**/*.md'",
@ -17,11 +17,11 @@
"organization": true
},
"devDependencies": {
"@aws-sdk/credential-provider-env": "^3.972.39",
"@aws-sdk/credential-provider-env": "^3.972.38",
"@biomejs/biome": "2.4.15",
"@smithy/property-provider": "^4.3.4",
"@types/node": "^25.9.1",
"@vitest/coverage-v8": "4.1.5",
"@smithy/property-provider": "^4.3.3",
"@types/node": "^25.9.0",
"@vitest/coverage-v8": "^4.1.6",
"aws-sdk-client-mock": "^4.1.0",
"esbuild": "^0.28.0",
"generate-license-file": "^4.1.1",
@ -30,7 +30,7 @@
"memfs": "^4.57.2",
"standard-version": "^9.5.0",
"typescript": "^6.0.3",
"vitest": "4.1.5"
"vitest": "^4.1.5"
},
"dependencies": {
"@actions/core": "^3.0.1",

63
src/assumeRole.ts
View file

@ -1,14 +1,11 @@
import assert from 'node:assert';
import fs from 'node:fs';
import path from 'node:path';
import * as core from '@actions/core';
import type { AssumeRoleCommandInput, STSClient, Tag } from '@aws-sdk/client-sts';
import {
AssumeRoleCommand,
AssumeRoleWithWebIdentityCommand,
PackedPolicyTooLargeException,
} from '@aws-sdk/client-sts';
import { AssumeRoleCommand, AssumeRoleWithWebIdentityCommand } from '@aws-sdk/client-sts';
import type { CredentialsClient } from './CredentialsClient';
import { errorMessage, isDefined, readFileUtf8, sanitizeGitHubVariables } from './helpers';
import { errorMessage, isDefined, sanitizeGitHubVariables } from './helpers';
async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSClient, webIdentityToken: string) {
delete params.Tags;
@ -39,14 +36,13 @@ async function assumeRoleWithWebIdentityTokenFile(
const webIdentityTokenFilePath = path.isAbsolute(webIdentityTokenFile)
? webIdentityTokenFile
: path.join(workspace, webIdentityTokenFile);
const webIdentityToken = readFileUtf8(webIdentityTokenFilePath);
if (webIdentityToken === null) {
if (!fs.existsSync(webIdentityTokenFilePath)) {
throw new Error(`Web identity token file does not exist: ${webIdentityTokenFilePath}`);
}
core.info('Assuming role with web identity token file');
try {
const webIdentityToken = fs.readFileSync(webIdentityTokenFilePath, 'utf8');
delete params.Tags;
delete params.TransitiveTagKeys;
const creds = await client.send(
new AssumeRoleWithWebIdentityCommand({
...params,
@ -65,13 +61,6 @@ async function assumeRoleWithCredentials(params: AssumeRoleCommandInput, client:
const creds = await client.send(new AssumeRoleCommand({ ...params }));
return creds;
} catch (error) {
if (error instanceof PackedPolicyTooLargeException) {
core.info('Session tag size is too large; dropping droppable tags and retrying.');
const droppableKeys = new Set(DROPPABLE_TAG_SOURCES.map((s) => s.key));
params.Tags = params.Tags?.filter((tag) => !droppableKeys.has(tag.Key ?? ''));
const creds = await client.send(new AssumeRoleCommand({ ...params }));
return creds;
}
throw new Error(`Could not assume role with user credentials: ${errorMessage(error)}`);
}
}
@ -98,8 +87,8 @@ const MAX_TAG_KEY_LENGTH = 128;
const MAX_TAG_VALUE_LENGTH = 256;
const MAX_SESSION_TAGS = 50;
// Identity/audit primitives. Always emitted and cannot be dropped.
const NON_DROPPABLE_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }> = [
// Identity/audit primitives. Always emitted and cannot be overridden by custom-tags.
const PROTECTED_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }> = [
{ key: 'Repository', envVar: 'GITHUB_REPOSITORY' },
{ key: 'Workflow', envVar: 'GITHUB_WORKFLOW' },
{ key: 'Action', envVar: 'GITHUB_ACTION' },
@ -108,22 +97,21 @@ const NON_DROPPABLE_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }>
{ key: 'Branch', envVar: 'GITHUB_REF' },
];
// Convenience metadata. If the AssumeRole call fails due to compressed size of
// session tags being too large, we will drop these tags and retry once.
const DROPPABLE_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }> = [
// Convenience metadata. Custom-tags may override (suppresses the default for that key).
// Listed in priority order; lower-priority entries are dropped first if the user's custom-tags
// would push the total above MAX_SESSION_TAGS.
const OVERRIDEABLE_TAG_SOURCES_BY_PRIORITY: ReadonlyArray<{ key: string; envVar: string }> = [
{ key: 'EventName', envVar: 'GITHUB_EVENT_NAME' },
{ key: 'BaseRef', envVar: 'GITHUB_BASE_REF' },
{ key: 'HeadRef', envVar: 'GITHUB_HEAD_REF' },
{ key: 'RefName', envVar: 'GITHUB_REF_NAME' },
{ key: 'RunId', envVar: 'GITHUB_RUN_ID' },
{ key: 'RefType', envVar: 'GITHUB_REF_TYPE' },
{ key: 'Job', envVar: 'GITHUB_JOB' },
{ key: 'TriggeringActor', envVar: 'GITHUB_TRIGGERING_ACTOR' },
];
const PROTECTED_TAG_KEYS = new Set<string>([
'GitHub',
...NON_DROPPABLE_TAG_SOURCES.map((s) => s.key),
...DROPPABLE_TAG_SOURCES.map((s) => s.key),
]);
const PROTECTED_TAG_KEYS = new Set<string>(['GitHub', ...PROTECTED_TAG_SOURCES.map((s) => s.key)]);
export function parseAndValidateCustomTags(customTags: string, existingTags: Tag[]): Tag[] {
let parsed: unknown;
@ -210,13 +198,7 @@ export async function assumeRole(params: assumeRoleParams) {
// Build session tags. Values are sanitized because the AWS tag value spec is more
// restrictive than permissible characters in environment variables.
const protectedTags: Tag[] = [{ Key: 'GitHub', Value: 'Actions' }];
for (const { key, envVar } of NON_DROPPABLE_TAG_SOURCES) {
const value = process.env[envVar];
if (value) {
protectedTags.push({ Key: key, Value: sanitizeGitHubVariables(value) });
}
}
for (const { key, envVar } of DROPPABLE_TAG_SOURCES) {
for (const { key, envVar } of PROTECTED_TAG_SOURCES) {
const value = process.env[envVar];
if (value) {
protectedTags.push({ Key: key, Value: sanitizeGitHubVariables(value) });
@ -224,15 +206,26 @@ export async function assumeRole(params: assumeRoleParams) {
}
const parsedCustomTags: Tag[] = customTags ? parseAndValidateCustomTags(customTags, protectedTags) : [];
const customTagKeys = new Set(parsedCustomTags.map((t) => t.Key));
const tagArray: Tag[] = [...protectedTags, ...parsedCustomTags];
const availableOverrideableSlots = MAX_SESSION_TAGS - protectedTags.length - parsedCustomTags.length;
const overrideableTags: Tag[] = [];
for (const { key, envVar } of OVERRIDEABLE_TAG_SOURCES_BY_PRIORITY) {
if (overrideableTags.length >= availableOverrideableSlots) break;
if (customTagKeys.has(key)) continue;
const value = process.env[envVar];
if (value) {
overrideableTags.push({ Key: key, Value: sanitizeGitHubVariables(value) });
}
}
const tagArray: Tag[] = [...protectedTags, ...overrideableTags, ...parsedCustomTags];
const tags = roleSkipSessionTagging ? undefined : tagArray;
if (!tags) {
core.debug('Role session tagging has been skipped.');
} else {
core.debug(`${tags.length} role session tags are being used:`);
core.debug(JSON.stringify(tagArray));
}
//only populate transitiveTagKeys array if user is actually using session tagging

105
src/helpers.ts
View file

@ -1,5 +1,3 @@
import * as fs from 'node:fs';
import * as path from 'node:path';
import * as core from '@actions/core';
import type { Credentials, STSClient } from '@aws-sdk/client-sts';
import { GetCallerIdentityCommand } from '@aws-sdk/client-sts';
@ -293,106 +291,3 @@ export function getBooleanInput(name: string, options?: core.InputOptions & { de
`Support boolean input list: \`true | True | TRUE | false | False | FALSE\``,
);
}
// O_NOFOLLOW is undefined on Windows. This sets it to 0 if it's not defined.
const O_NOFOLLOW: number = (fs.constants as { O_NOFOLLOW?: number }).O_NOFOLLOW ?? 0;
export function isAllowListed(filePath: string): boolean {
// Kubelet projects service-account tokens through a symlink chain
// (token -> ..data/token, ..data -> ..<timestamp>/). The containing path is
// kubelet-controlled, so we allow symlink-following reads of this fixed
// location only.
const KUBERNETES_TOKEN_PATH_REGEX = /^\/var\/run\/secrets\/[^/]+\/serviceaccount\/token$/;
if (process.platform !== 'win32') {
// No Kubernetes token paths on Windows
return KUBERNETES_TOKEN_PATH_REGEX.test(path.posix.normalize(filePath));
}
return false;
}
export function isSymlink(filePath: string): boolean {
try {
return fs.lstatSync(filePath).isSymbolicLink();
} catch (err) {
if ((err as NodeJS.ErrnoException).code === 'ENOENT') return false;
throw err;
}
}
// Refuses if filePath or its parent directory is a symbolic link.
function refuseSymlinkOnPath(filePath: string): void {
const parent = path.dirname(filePath);
if (parent !== filePath && isSymlink(parent)) {
throw new Error(`Refusing ${filePath} (parent directory is a symbolic link)`);
}
if (isSymlink(filePath)) {
throw new Error(`Refusing ${filePath} (path is a symbolic link)`);
}
}
function assertRegularFile(fd: number, filePath: string): void {
const stats = fs.fstatSync(fd);
if (!stats.isFile()) {
throw new Error(`${filePath} (path is not a regular file)`);
}
}
// ENOENT: file does not exist
// ELOOP: too many symbolic links (from NOFOLLOW)
export function readFileUtf8(filePath: string): string | null {
const allowSymlink = isAllowListed(filePath);
if (!allowSymlink) {
refuseSymlinkOnPath(filePath);
}
const openFlags = fs.constants.O_RDONLY | (allowSymlink ? 0 : O_NOFOLLOW);
let fd: number;
try {
fd = fs.openSync(filePath, openFlags);
} catch (err) {
const code = (err as NodeJS.ErrnoException).code;
if (code === 'ENOENT') return null;
if (code === 'ELOOP') {
throw new Error(`Refusing ${filePath} (path is a symbolic link)`);
}
throw err;
}
try {
assertRegularFile(fd, filePath);
return fs.readFileSync(fd, 'utf-8');
} finally {
fs.closeSync(fd);
}
}
export function writeFileUtf8(filePath: string, content: string, mode = 0o600): void {
refuseSymlinkOnPath(filePath);
let fd: number;
try {
fd = fs.openSync(filePath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_TRUNC | O_NOFOLLOW, mode);
} catch (err) {
if ((err as NodeJS.ErrnoException).code === 'ELOOP') {
throw new Error(`Refusing ${filePath} (path is a symbolic link)`);
}
throw err;
}
try {
assertRegularFile(fd, filePath);
// openSync only applies mode on creation.
// If the file already exists, we need to ensure the mode is correct.
if (process.platform !== 'win32') {
fs.fchmodSync(fd, mode);
}
fs.writeFileSync(fd, content);
} finally {
fs.closeSync(fd);
}
}
export function mkdir(dir: string, mode = 0o700): void {
fs.mkdirSync(dir, { recursive: true, mode });
if (isSymlink(dir)) {
throw new Error(`Refusing ${dir} (path is a symbolic link)`);
}
}

20
src/profileManager.ts
View file

@ -1,8 +1,8 @@
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';
import * as core from '@actions/core';
import type { Credentials } from '@aws-sdk/client-sts';
import { mkdir, readFileUtf8, writeFileUtf8 } from './helpers';
/**
* Parse an INI-format string into a nested object.
@ -87,8 +87,10 @@ export function getProfileFilePaths(): ProfileFilePaths {
*/
export function ensureAwsDirectoryExists(filePath: string): void {
const dir = path.dirname(filePath);
core.debug(`Ensuring directory exists: ${dir}`);
mkdir(dir, 0o700);
if (!fs.existsSync(dir)) {
core.debug(`Creating directory: ${dir}`);
fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
}
}
/**
@ -125,8 +127,14 @@ export function mergeProfileSection(
data: Record<string, string>,
overwriteAwsProfile: boolean,
): void {
const fileContent = readFileUtf8(filePath);
const existingContent: Record<string, Record<string, string>> = fileContent === null ? {} : parseIni(fileContent);
let existingContent: Record<string, Record<string, string>> = {};
// Read existing file if it exists
if (fs.existsSync(filePath)) {
core.debug(`Reading existing file: ${filePath}`);
const fileContent = fs.readFileSync(filePath, 'utf-8');
existingContent = parseIni(fileContent);
}
if (existingContent[sectionName] && !overwriteAwsProfile) {
throw new Error(
@ -139,7 +147,7 @@ export function mergeProfileSection(
const content = stringifyIni(existingContent);
core.debug(`Writing profile to ${filePath}`);
writeFileUtf8(filePath, content, 0o600);
fs.writeFileSync(filePath, content, { mode: 0o600 });
}
/**

63
test/assumeRole.test.ts
View file

@ -1,63 +0,0 @@
import * as core from '@actions/core';
import { AssumeRoleWithWebIdentityCommand, GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
import { mockClient } from 'aws-sdk-client-mock';
import { fs, vol } from 'memfs';
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
import * as helpers from '../src/helpers';
import { run } from '../src/index';
import mocks from './mockinputs.test';
vi.mock('node:fs');
vi.mock('@actions/core');
const mockedSTSClient = mockClient(STSClient);
describe('assumeRoleWithWebIdentityTokenFile', {}, () => {
beforeEach(() => {
vi.restoreAllMocks();
vi.clearAllMocks();
mockedSTSClient.reset();
vol.reset();
helpers.withsleep(() => Promise.resolve());
vi.mocked(core.getInput).mockImplementation(mocks.getInput(mocks.WEBIDENTITY_TOKEN_FILE_INPUTS));
vi.mocked(core.getMultilineInput).mockReturnValue([]);
mockedSTSClient.on(GetCallerIdentityCommand).resolves({ ...mocks.outputs.GET_CALLER_IDENTITY });
process.env = { ...mocks.envs };
fs.mkdirSync('/home/github', { recursive: true });
});
afterEach(() => {
helpers.reset();
});
it('refuses when the token file is a symlink and never calls STS', async () => {
fs.mkdirSync('/etc', { recursive: true });
fs.writeFileSync('/etc/passwd', 'root:x:0:0::/root:/bin/sh');
fs.symlinkSync('/etc/passwd', '/home/github/file.txt');
await run();
expect(core.setFailed).toHaveBeenCalledWith(expect.stringMatching(/Refusing .* \(.* symbolic link\)/));
expect(mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)).toHaveLength(0);
expect(fs.readFileSync('/etc/passwd', 'utf-8')).toBe('root:x:0:0::/root:/bin/sh');
});
it('preserves the existing missing-file error when the token file does not exist', async () => {
await run();
expect(core.setFailed).toHaveBeenCalledWith(expect.stringContaining('Web identity token file does not exist'));
expect(mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)).toHaveLength(0);
});
it('passes token contents to STS when the file is regular', async () => {
fs.writeFileSync('/home/github/file.txt', 'real-token');
mockedSTSClient.on(AssumeRoleWithWebIdentityCommand).resolves(mocks.outputs.STS_CREDENTIALS);
await run();
expect(core.setFailed).not.toHaveBeenCalled();
const calls = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand);
expect(calls).toHaveLength(1);
expect(calls[0]?.args[0].input.WebIdentityToken).toBe('real-token');
});
});

161
test/helpers.test.ts
View file

@ -1,16 +1,12 @@
import * as core from '@actions/core';
import { fs, vol } from 'memfs';
import { beforeEach, describe, expect, it, vi } from 'vitest';
import * as helpers from '../src/helpers';
vi.mock('node:fs');
vi.mock('@actions/core');
describe('Configure AWS Credentials helpers', {}, () => {
beforeEach(() => {
vi.restoreAllMocks();
vi.clearAllMocks();
vol.reset();
vi.resetAllMocks();
});
it('removes brackets from GitHub Actor', {}, () => {
const actor = 'actor[bot]';
@ -52,9 +48,6 @@ describe('Configure AWS Credentials helpers', {}, () => {
helpers.reset();
});
it('can output creds when told to', {}, () => {
vi.spyOn(core, 'setOutput').mockImplementation(() => {});
vi.spyOn(core, 'setSecret').mockImplementation(() => {});
vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
helpers.exportCredentials(
{ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) },
true,
@ -75,9 +68,6 @@ describe('Configure AWS Credentials helpers', {}, () => {
process.env = env;
});
it(`won't output credentials to env if told not to`, {}, () => {
vi.spyOn(core, 'setOutput').mockImplementation(() => {});
vi.spyOn(core, 'setSecret').mockImplementation(() => {});
vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
helpers.exportCredentials(
{ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) },
true,
@ -105,163 +95,22 @@ describe('Configure AWS Credentials helpers', {}, () => {
});
it('handles getBooleanInput correctly', {}, () => {
vi.spyOn(core, 'getInput').mockReturnValue('true');
vi.mocked(core.getInput).mockReturnValue('true');
expect(helpers.getBooleanInput('test')).toBe(true);
vi.spyOn(core, 'getInput').mockReturnValue('false');
vi.mocked(core.getInput).mockReturnValue('false');
expect(helpers.getBooleanInput('test')).toBe(false);
vi.spyOn(core, 'getInput').mockReturnValue('');
vi.mocked(core.getInput).mockReturnValue('');
expect(helpers.getBooleanInput('test', { default: true })).toBe(true);
vi.spyOn(core, 'getInput').mockReturnValue('invalid');
vi.mocked(core.getInput).mockReturnValue('invalid');
expect(() => helpers.getBooleanInput('test')).toThrow();
});
it('clears session token when not provided', {}, () => {
vi.spyOn(core, 'setSecret').mockImplementation(() => {});
vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
process.env.AWS_SESSION_TOKEN = 'old-token';
helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test' }, false, true);
expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', '');
});
describe('filesystem helpers', {}, () => {
describe('isSymlink', {}, () => {
it('returns true for a symlink', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/target', 'data');
fs.symlinkSync('/dir/target', '/dir/link');
expect(helpers.isSymlink('/dir/link')).toBe(true);
});
it('returns false for a regular file', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/file', 'data');
expect(helpers.isSymlink('/dir/file')).toBe(false);
});
it('returns false for a missing path', {}, () => {
expect(helpers.isSymlink('/nonexistent')).toBe(false);
});
});
describe('readFileUtf8', {}, () => {
it('returns content for a regular file', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/file', 'hello');
expect(helpers.readFileUtf8('/dir/file')).toBe('hello');
});
it('returns null when the file does not exist', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
expect(helpers.readFileUtf8('/dir/missing')).toBe(null);
});
it('refuses to read through a symlink at the target', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/secret', 'sensitive');
fs.symlinkSync('/dir/secret', '/dir/link');
expect(() => helpers.readFileUtf8('/dir/link')).toThrow(/Refusing .* \(.* symbolic link\)/);
});
it('refuses to read when the parent directory is a symlink', {}, () => {
fs.mkdirSync('/real/.aws', { recursive: true });
fs.writeFileSync('/real/.aws/credentials', 'data');
fs.mkdirSync('/home', { recursive: true });
fs.symlinkSync('/real/.aws', '/home/.aws');
expect(() => helpers.readFileUtf8('/home/.aws/credentials')).toThrow(/Refusing .* \(.* symbolic link\)/);
});
it('refuses to read when the path is a directory', {}, () => {
fs.mkdirSync('/dir/subdir', { recursive: true });
expect(() => helpers.readFileUtf8('/dir/subdir')).toThrow(/not a regular file/);
});
it.skipIf(process.platform === 'win32')(
'follows the kubelet projected-token symlink chain at /var/run/secrets/*/serviceaccount/token',
() => {
fs.mkdirSync('/var/run/secrets/eks.amazonaws.com/serviceaccount/..2026_05_28_00_00_00.123', {
recursive: true,
});
fs.writeFileSync(
'/var/run/secrets/eks.amazonaws.com/serviceaccount/..2026_05_28_00_00_00.123/token',
'jwt-token',
);
fs.symlinkSync('..2026_05_28_00_00_00.123', '/var/run/secrets/eks.amazonaws.com/serviceaccount/..data');
fs.symlinkSync('..data/token', '/var/run/secrets/eks.amazonaws.com/serviceaccount/token');
expect(helpers.readFileUtf8('/var/run/secrets/eks.amazonaws.com/serviceaccount/token')).toBe('jwt-token');
},
);
it.skipIf(process.platform === 'win32')('still refuses symlinks at lookalike paths outside the allowlist', () => {
fs.mkdirSync('/var/run/secrets/eks.amazonaws.com/serviceaccount', { recursive: true });
fs.writeFileSync('/var/run/secrets/eks.amazonaws.com/serviceaccount/secret', 'jwt-token');
fs.symlinkSync(
'/var/run/secrets/eks.amazonaws.com/serviceaccount/secret',
'/var/run/secrets/eks.amazonaws.com/serviceaccount/token2',
);
expect(() => helpers.readFileUtf8('/var/run/secrets/eks.amazonaws.com/serviceaccount/token2')).toThrow(
/Refusing .* \(.* symbolic link\)/,
);
});
});
describe('isAllowListed', {}, () => {
it.skipIf(process.platform === 'win32')('matches the canonical kubelet projected-token path', () => {
expect(helpers.isAllowListed('/var/run/secrets/eks.amazonaws.com/serviceaccount/token')).toBe(true);
expect(helpers.isAllowListed('/var/run/secrets/kubernetes.io/serviceaccount/token')).toBe(true);
});
it.skipIf(process.platform === 'win32')('rejects nested or unrelated paths', () => {
expect(helpers.isAllowListed('/var/run/secrets/serviceaccount/token')).toBe(false);
expect(helpers.isAllowListed('/var/run/secrets/a/b/serviceaccount/token')).toBe(false);
expect(helpers.isAllowListed('/var/run/secrets/eks.amazonaws.com/serviceaccount/token2')).toBe(false);
expect(helpers.isAllowListed('/etc/var/run/secrets/foo/serviceaccount/token')).toBe(false);
});
it.skipIf(process.platform === 'win32')('normalizes path traversal attempts', () => {
expect(helpers.isAllowListed('/var/run/secrets/foo/serviceaccount/../../../../etc/passwd')).toBe(false);
});
});
describe('writeFileUtf8', {}, () => {
it('writes content with the specified mode', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
helpers.writeFileUtf8('/dir/file', 'payload', 0o600);
expect(fs.readFileSync('/dir/file', 'utf-8')).toBe('payload');
expect(fs.statSync('/dir/file').mode & 0o777).toBe(0o600);
});
it('refuses to follow a symlink at the target and leaves the target file untouched', {}, () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/target', 'original');
fs.symlinkSync('/dir/target', '/dir/link');
expect(() => helpers.writeFileUtf8('/dir/link', 'attacker', 0o600)).toThrow(/Refusing .* \(.* symbolic link\)/);
expect(fs.readFileSync('/dir/target', 'utf-8')).toBe('original');
});
it.skipIf(process.platform === 'win32')('tightens mode on existing files', () => {
fs.mkdirSync('/dir', { recursive: true });
fs.writeFileSync('/dir/file', 'old', { mode: 0o644 });
helpers.writeFileUtf8('/dir/file', 'new', 0o600);
expect(fs.statSync('/dir/file').mode & 0o777).toBe(0o600);
});
});
describe('mkdir', {}, () => {
it('is idempotent on a regular directory', {}, () => {
helpers.mkdir('/some/nested/dir', 0o700);
helpers.mkdir('/some/nested/dir', 0o700);
expect(fs.statSync('/some/nested/dir').isDirectory()).toBe(true);
});
it('refuses when the target directory is a symlink', {}, () => {
fs.mkdirSync('/real', { recursive: true });
fs.mkdirSync('/home', { recursive: true });
fs.symlinkSync('/real', '/home/.aws');
expect(() => helpers.mkdir('/home/.aws', 0o700)).toThrow(/Refusing .* \(.* symbolic link\)/);
});
});
});
});

136
test/index.test.ts
View file

@ -3,7 +3,6 @@ import {
AssumeRoleCommand,
AssumeRoleWithWebIdentityCommand,
GetCallerIdentityCommand,
PackedPolicyTooLargeException,
STSClient,
} from '@aws-sdk/client-sts';
import { mockClient } from 'aws-sdk-client-mock';
@ -203,18 +202,6 @@ describe('Configure AWS Credentials', {}, () => {
expect(core.setOutput).toHaveBeenCalledTimes(2);
expect(core.setFailed).not.toHaveBeenCalled();
});
it('does not send Tags or TransitiveTagKeys to AssumeRoleWithWebIdentity', async () => {
// AssumeRoleWithWebIdentity reads session tags from JWT claims, not the request.
// Both fields must be stripped before the STS call.
vi.mocked(core.getMultilineInput).mockImplementation((name: string) => {
if (name === 'transitive-tag-keys') return ['Repository'];
return [];
});
await run();
const callInput = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)[0].args[0].input;
expect(callInput.Tags).toBeUndefined();
expect(callInput.TransitiveTagKeys).toBeUndefined();
});
});
describe('Assume existing role', {}, () => {
@ -295,9 +282,9 @@ describe('Configure AWS Credentials', {}, () => {
await run();
const tags = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input.Tags ?? [];
// 7 protected (GitHub + Repository, Workflow, Action, Actor, Commit, Branch)
// + 6 droppable (EventName, BaseRef, HeadRef, RunId, Job, TriggeringActor).
// No custom-tags, all env vars set in mocks.envs → all 13 should be present, nothing else.
expect(tags).toHaveLength(13);
// + 8 overrideable (EventName, BaseRef, HeadRef, RefName, RunId, RefType, Job, TriggeringActor).
// No custom-tags, all env vars set in mocks.envs → all 15 should be present, nothing else.
expect(tags).toHaveLength(15);
const tagsByKey = Object.fromEntries(tags.map((t) => [t.Key, t.Value]));
expect(tagsByKey).toEqual({
GitHub: 'Actions',
@ -310,12 +297,14 @@ describe('Configure AWS Credentials', {}, () => {
EventName: 'pull_request',
BaseRef: 'main',
HeadRef: 'feature-branch',
RefName: 'feature-branch',
RunId: '16412345678',
RefType: 'branch',
Job: 'build',
TriggeringActor: 'MY-USERNAME_bot_',
});
});
it('omits droppable tags whose env vars are unset', {}, async () => {
it('omits overrideable tags whose env vars are unset', {}, async () => {
vi.mocked(core.getInput).mockImplementation(mocks.getInput(mocks.IAM_ASSUMEROLE_INPUTS));
delete process.env.GITHUB_BASE_REF;
delete process.env.GITHUB_HEAD_REF;
@ -329,27 +318,6 @@ describe('Configure AWS Credentials', {}, () => {
expect(tagKeys).toContain('EventName');
expect(tagKeys).toContain('RunId');
});
it('drops droppable tags and retries on PackedPolicyTooLargeException', {}, async () => {
vi.mocked(core.getInput).mockImplementation(mocks.getInput(mocks.IAM_ASSUMEROLE_INPUTS));
mockedSTSClient
.on(AssumeRoleCommand)
.rejectsOnce(new PackedPolicyTooLargeException({ message: 'too large', $metadata: {} }))
.resolvesOnce(mocks.outputs.STS_CREDENTIALS);
await run();
expect(core.info).toHaveBeenCalledWith('Session tag size is too large; dropping droppable tags and retrying.');
const retryInput = mockedSTSClient.commandCalls(AssumeRoleCommand)[1].args[0].input;
const retryTagKeys = (retryInput.Tags ?? []).map((t) => t.Key);
expect(retryTagKeys).not.toContain('EventName');
expect(retryTagKeys).not.toContain('BaseRef');
expect(retryTagKeys).not.toContain('HeadRef');
expect(retryTagKeys).not.toContain('RunId');
expect(retryTagKeys).not.toContain('Job');
expect(retryTagKeys).not.toContain('TriggeringActor');
// Protected tags remain
expect(retryTagKeys).toContain('GitHub');
expect(retryTagKeys).toContain('Repository');
expect(core.setFailed).not.toHaveBeenCalled();
});
it('sanitizes invalid characters in env-derived tag values', {}, async () => {
vi.mocked(core.getInput).mockImplementation(mocks.getInput(mocks.IAM_ASSUMEROLE_INPUTS));
process.env.GITHUB_HEAD_REF = 'feature/has spaces&bad?chars';
@ -402,6 +370,8 @@ describe('Configure AWS Credentials', {}, () => {
{ Key: 'EventName', Value: 'pull_request' },
{ Key: 'RunId', Value: '16412345678' },
{ Key: 'Job', Value: 'build' },
{ Key: 'RefName', Value: 'feature-branch' },
{ Key: 'RefType', Value: 'branch' },
{ Key: 'TriggeringActor', Value: 'MY-USERNAME_bot_' },
{ Key: 'Environment', Value: 'Production' },
{ Key: 'Team', Value: 'DevOps' },
@ -450,7 +420,7 @@ describe('Configure AWS Credentials', {}, () => {
await run();
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining("'custom-tags' is set but will be ignored"));
});
it('rejects custom tags that conflict with droppable tag keys', {}, async () => {
it('lets custom tags override overrideable default tag keys', {}, async () => {
vi.mocked(core.getInput).mockImplementation(
mocks.getInput({
...mocks.IAM_ASSUMEROLE_INPUTS,
@ -458,10 +428,13 @@ describe('Configure AWS Credentials', {}, () => {
}),
);
await run();
expect(core.setFailed).toHaveBeenCalledWith(
"custom-tags: key 'EventName' conflicts with a protected session tag set by this action and cannot be overridden",
);
expect(mockedSTSClient.commandCalls(AssumeRoleCommand)).toHaveLength(0);
const tags = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input.Tags ?? [];
const eventNameTags = tags.filter((t) => t.Key === 'EventName');
const baseRefTags = tags.filter((t) => t.Key === 'BaseRef');
expect(eventNameTags).toHaveLength(1);
expect(eventNameTags[0]?.Value).toBe('workflow_dispatch');
expect(baseRefTags).toHaveLength(1);
expect(baseRefTags[0]?.Value).toBe('release/2026');
});
it('rejects custom tags that conflict with the protected Branch tag', {}, async () => {
// Regression guard: Branch was a default before v6.2 and must remain unoverridable.
@ -477,10 +450,62 @@ describe('Configure AWS Credentials', {}, () => {
);
expect(mockedSTSClient.commandCalls(AssumeRoleCommand)).toHaveLength(0);
});
it('rejects custom-tags that would exceed the session-tag limit', {}, async () => {
// 13 existing tags (7 non-droppable + 6 droppable) + 38 custom = 51 > 50.
it('drops lower-priority overrideable tags when custom-tags would exceed the session-tag limit', {}, async () => {
// 7 protected (GitHub + 6 from PROTECTED_TAG_SOURCES) + 40 custom = 47 used → 3 overrideable slots.
// The first 3 overrideable tags by priority are EventName, BaseRef, HeadRef (RefName, RunId, RefType,
// Job, TriggeringActor must be dropped).
const customTagsObj: Record<string, string> = {};
for (let i = 0; i < 38; i++) {
for (let i = 0; i < 40; i++) {
customTagsObj[`Custom${i}`] = `value${i}`;
}
vi.mocked(core.getInput).mockImplementation(
mocks.getInput({
...mocks.IAM_ASSUMEROLE_INPUTS,
'custom-tags': JSON.stringify(customTagsObj),
}),
);
await run();
const tags = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input.Tags ?? [];
const tagKeys = tags.map((t) => t.Key);
expect(tags).toHaveLength(50);
expect(tagKeys).toContain('Branch');
expect(tagKeys).toContain('EventName');
expect(tagKeys).toContain('BaseRef');
expect(tagKeys).toContain('HeadRef');
expect(tagKeys).not.toContain('RefName');
expect(tagKeys).not.toContain('RunId');
expect(tagKeys).not.toContain('RefType');
expect(tagKeys).not.toContain('Job');
expect(tagKeys).not.toContain('TriggeringActor');
});
it('overridden overrideable tags free a slot for a lower-priority overrideable tag', {}, async () => {
// Same 40-custom-tag scenario as above, but one of the customs overrides BaseRef.
// BaseRef no longer competes for the overrideable budget, so the next-priority overrideable (RefName) gets in.
const customTagsObj: Record<string, string> = { BaseRef: 'release/2026' };
for (let i = 0; i < 39; i++) {
customTagsObj[`Custom${i}`] = `value${i}`;
}
vi.mocked(core.getInput).mockImplementation(
mocks.getInput({
...mocks.IAM_ASSUMEROLE_INPUTS,
'custom-tags': JSON.stringify(customTagsObj),
}),
);
await run();
const tags = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input.Tags ?? [];
const tagKeys = tags.map((t) => t.Key);
expect(tags).toHaveLength(50);
expect(tagKeys).toContain('Branch');
expect(tagKeys).toContain('EventName');
expect(tagKeys).toContain('BaseRef');
expect(tagKeys).toContain('HeadRef');
expect(tagKeys).toContain('RefName');
expect(tagKeys).not.toContain('RunId');
});
it('rejects custom-tags that would exceed the session-tag limit on their own', {}, async () => {
// 7 protected + 44 custom = 51, which is over 50 even with zero overrideable tags.
const customTagsObj: Record<string, string> = {};
for (let i = 0; i < 44; i++) {
customTagsObj[`Custom${i}`] = `value${i}`;
}
vi.mocked(core.getInput).mockImplementation(
@ -493,10 +518,12 @@ describe('Configure AWS Credentials', {}, () => {
expect(core.setFailed).toHaveBeenCalledWith(expect.stringContaining('would exceed the AWS limit of 50'));
expect(mockedSTSClient.commandCalls(AssumeRoleCommand)).toHaveLength(0);
});
it('allows custom-tags up to the session-tag limit', {}, async () => {
// 13 existing tags + 37 custom = 50, exactly at the limit.
it('drops transitive-tag-keys entries that refer to evicted overrideable tags', {}, async () => {
// Force eviction of all overrideable tags below EventName/BaseRef/HeadRef. The user transitive-tags
// RunId (which gets evicted) and Repository (which is protected and stays). The TransitiveTagKeys
// payload must include only the keys that actually appear in Tags.
const customTagsObj: Record<string, string> = {};
for (let i = 0; i < 37; i++) {
for (let i = 0; i < 40; i++) {
customTagsObj[`Custom${i}`] = `value${i}`;
}
vi.mocked(core.getInput).mockImplementation(
@ -505,10 +532,15 @@ describe('Configure AWS Credentials', {}, () => {
'custom-tags': JSON.stringify(customTagsObj),
}),
);
vi.mocked(core.getMultilineInput).mockImplementation((name: string) => {
if (name === 'transitive-tag-keys') return ['Repository', 'RunId'];
return [];
});
await run();
expect(core.setFailed).not.toHaveBeenCalled();
const tags = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input.Tags ?? [];
expect(tags).toHaveLength(50);
const callInput = mockedSTSClient.commandCalls(AssumeRoleCommand)[0].args[0].input;
const tagKeys = (callInput.Tags ?? []).map((t) => t.Key);
expect(tagKeys).not.toContain('RunId');
expect(callInput.TransitiveTagKeys).toEqual(['Repository']);
});
});

2
test/mockinputs.test.ts
View file

@ -105,6 +105,8 @@ const envs = {
GITHUB_EVENT_NAME: 'pull_request',
GITHUB_RUN_ID: '16412345678',
GITHUB_JOB: 'build',
GITHUB_REF_NAME: 'feature-branch',
GITHUB_REF_TYPE: 'branch',
GITHUB_BASE_REF: 'main',
GITHUB_HEAD_REF: 'feature-branch',
GITHUB_TRIGGERING_ACTOR: 'MY-USERNAME[bot]',

70
test/profileManager.test.ts
View file

@ -11,13 +11,12 @@ import {
writeProfileFiles,
} from '../src/profileManager';
vi.mock('node:fs');
vi.mock('@actions/core');
vi.mock('node:fs');
describe('Profile Manager', {}, () => {
beforeEach(() => {
vi.restoreAllMocks();
vi.clearAllMocks();
vi.resetAllMocks();
vol.reset();
});
@ -736,69 +735,4 @@ describe('Profile Manager', {}, () => {
);
});
});
describe('symlink hardening', {}, () => {
const credsPath = '/home/user/.aws/credentials';
const configPath = '/home/user/.aws/config';
beforeEach(() => {
process.env.AWS_SHARED_CREDENTIALS_FILE = credsPath;
process.env.AWS_CONFIG_FILE = configPath;
});
it('mergeProfileSection refuses when the credentials path is a symlink and leaves the target unchanged', {}, () => {
fs.mkdirSync('/home/user/.aws', { recursive: true });
fs.mkdirSync('/etc', { recursive: true });
fs.writeFileSync('/etc/passwd', 'root:x:0:0::/root:/bin/sh');
fs.symlinkSync('/etc/passwd', credsPath);
expect(() => mergeProfileSection(credsPath, 'dev', { aws_access_key_id: 'AKIA' }, true)).toThrow(
/Refusing .* \(.* symbolic link\)/,
);
expect(fs.readFileSync('/etc/passwd', 'utf-8')).toBe('root:x:0:0::/root:/bin/sh');
});
it('mergeProfileSection refuses when the config path is a symlink', {}, () => {
fs.mkdirSync('/home/user/.aws', { recursive: true });
fs.mkdirSync('/etc', { recursive: true });
fs.writeFileSync('/etc/sensitive', 'do not overwrite');
fs.symlinkSync('/etc/sensitive', configPath);
expect(() => mergeProfileSection(configPath, 'profile dev', { region: 'us-east-1' }, true)).toThrow(
/Refusing .* \(.* symbolic link\)/,
);
expect(fs.readFileSync('/etc/sensitive', 'utf-8')).toBe('do not overwrite');
});
it('ensureAwsDirectoryExists refuses when ~/.aws is a symlink', {}, () => {
fs.mkdirSync('/real-target', { recursive: true });
fs.mkdirSync('/home/user', { recursive: true });
fs.symlinkSync('/real-target', '/home/user/.aws');
expect(() => ensureAwsDirectoryExists(credsPath)).toThrow(/Refusing .* \(.* symbolic link\)/);
});
it('writeProfileFiles refuses to overwrite a pre-existing symlink at the credentials path', {}, () => {
fs.mkdirSync('/home/user/.aws', { recursive: true });
fs.mkdirSync('/etc', { recursive: true });
fs.writeFileSync('/etc/passwd', 'root:x:0:0::/root:/bin/sh');
fs.symlinkSync('/etc/passwd', credsPath);
expect(() =>
writeProfileFiles('dev', { AccessKeyId: 'AKIA', SecretAccessKey: 'secret' }, 'us-east-1', true),
).toThrow(/Refusing .* \(.* symbolic link\)/);
expect(fs.lstatSync(credsPath).isSymbolicLink()).toBe(true);
expect(fs.readFileSync('/etc/passwd', 'utf-8')).toBe('root:x:0:0::/root:/bin/sh');
});
it('happy path still writes both files with mode 0o600 when no symlinks are present', {}, () => {
writeProfileFiles('dev', { AccessKeyId: 'AKIA', SecretAccessKey: 'secret' }, 'us-east-1', false);
expect(fs.statSync(credsPath).mode & 0o777).toBe(0o600);
expect(fs.statSync(configPath).mode & 0o777).toBe(0o600);
expect(fs.lstatSync(credsPath).isSymbolicLink()).toBe(false);
expect(fs.lstatSync(configPath).isSymbolicLink()).toBe(false);
});
});
});