Skip to content

oidc-exchange: specialize error on PRs from forks #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Feb 27, 2024
Merged

oidc-exchange: specialize error on PRs from forks #203

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b2d4ab8
oidc-exchange: specialize error on PRs from forks
woodruffw Dec 31, 2023
d2748ca
oidc-exchange: lintage
woodruffw Dec 31, 2023
a697e49
oidc-exchange: more lintage
woodruffw Dec 31, 2023
25e0a31
oidc-exchange: more percussive maintenance
woodruffw Dec 31, 2023
3fa387e
Update oidc-exchange.py
woodruffw Feb 5, 2024
a584d06
Update oidc-exchange.py
woodruffw Feb 5, 2024
35f68b4
Update oidc-exchange.py
woodruffw Feb 11, 2024
fc4d6c6
Merge branch 'unstable/v1' into ww/pull-request-specialization
woodruffw Feb 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 38 additions & 1 deletion oidc-exchange.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,19 @@
Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
"""

# Specialization of the token retrieval failure case, when we know that
# the failure cause is use within a third-party PR.
_TOKEN_RETRIEVAL_FAILED_3P_PR_MESSAGE = """
OpenID Connect token retrieval failed: {identity_error}

The workflow context indicates that this action was called from a
pull request on a fork. GitHub doesn't give these workflows OIDC permissions,
even if `id-token: write` is explicitly configured.

To fix this, change your publishing workflow to use an event that
forks of your repository cannot trigger (such as tag or release creation).
"""

# Rendered if the package index refuses the given OIDC token.
_SERVER_REFUSED_TOKEN_EXCHANGE_MESSAGE = """
Token request failed: the server refused the request for the following reasons:
Expand Down Expand Up @@ -162,6 +175,27 @@ def _get(name: str) -> str: # noqa: WPS430
)


def event_is_third_party_pr() -> bool:
# Non-`pull_request` events cannot be from third-party PRs.
if os.getenv("GITHUB_EVENT_NAME") != "pull_request":
return False

if event_path := os.getenv("GITHUB_EVENT_PATH"):
try:
event = json.loads(Path(event_path).read_text())
try:
return event["pull_request"]["head"]["repo"]["fork"]
except KeyError:
return False
except json.JSONDecodeError:
debug("unexpected: GITHUB_EVENT_PATH does not contain valid JSON")
return False

# No GITHUB_EVENT_PATH indicates a weird GitHub or runner bug.
debug("unexpected: no GITHUB_EVENT_PATH to check")
return False
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: I used debug(...) rather than die(...) here, since this function is only called from an error path -- I think masking the error here would likely cause even more confusion. But maybe there's a better idea/solution 🙂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this note! I don't have better a refactoring suggestion for this right now. Maybe sometime...



repository_url = get_normalized_input("repository-url")
repository_domain = urlparse(repository_url).netloc
token_exchange_url = f"https://{repository_domain}/_/oidc/github/mint-token"
Expand All @@ -179,7 +213,10 @@ def _get(name: str) -> str: # noqa: WPS430
try:
oidc_token = id.detect_credential(audience=oidc_audience)
except id.IdentityError as identity_error:
die(_TOKEN_RETRIEVAL_FAILED_MESSAGE.format(identity_error=identity_error))
if event_is_third_party_pr():
die(_TOKEN_RETRIEVAL_FAILED_3P_PR_MESSAGE.format(identity_error=identity_error))
else:
die(_TOKEN_RETRIEVAL_FAILED_MESSAGE.format(identity_error=identity_error))

# Now we can do the actual token exchange.
mint_token_resp = requests.post(
Expand Down