diff --git a/__tests__/github.test.ts b/__tests__/github.test.ts
index 900a7ed..1b77450 100644
--- a/__tests__/github.test.ts
+++ b/__tests__/github.test.ts
@@ -107,12 +107,12 @@ describe('actionsRuntimeToken', () => {
 it('fixture', async () => {
 process.env.ACTIONS_RUNTIME_TOKEN = fs.readFileSync(path.join(__dirname, 'fixtures', 'runtimeToken.txt')).toString().trim();
 const runtimeToken = GitHub.actionsRuntimeToken;
- expect(runtimeToken.ac).toEqual('[{"Scope":"refs/heads/master","Permission":3}]');
- expect(runtimeToken.iss).toEqual('vstoken.actions.githubusercontent.com');
+ expect(runtimeToken?.ac).toEqual('[{"Scope":"refs/heads/master","Permission":3}]');
+ expect(runtimeToken?.iss).toEqual('vstoken.actions.githubusercontent.com');
 });
 });
-describe('printActionsRuntimeToken', () => {
+describe('printActionsRuntimeTokenACs', () => {
 const originalEnv = process.env;
 beforeEach(() => {
 jest.resetModules();
@@ -126,18 +126,13 @@ describe('printActionsRuntimeToken', () => {
 it('empty', async () => {
 const execSpy = jest.spyOn(core, 'info');
 process.env.ACTIONS_RUNTIME_TOKEN = '';
- GitHub.printActionsRuntimeToken();
+ await GitHub.printActionsRuntimeTokenACs();
 expect(execSpy).toHaveBeenCalledWith(`ACTIONS_RUNTIME_TOKEN not set`);
 });
- it('prints ac', () => {
+ it('refs/heads/master', async () => {
 const execSpy = jest.spyOn(core, 'info');
 process.env.ACTIONS_RUNTIME_TOKEN = fs.readFileSync(path.join(__dirname, 'fixtures', 'runtimeToken.txt')).toString().trim();
- GitHub.printActionsRuntimeToken();
- expect(execSpy).toHaveBeenCalledWith(`[
- {
- "Scope": "refs/heads/master",
- "Permission": 3
- }
-]`);
+ await GitHub.printActionsRuntimeTokenACs();
+ expect(execSpy).toHaveBeenCalledWith(`refs/heads/master: read/write`);
 });
 });
diff --git a/src/github.ts b/src/github.ts
index 5fa840a..6c8c2d0 100644
--- a/src/github.ts
+++ b/src/github.ts
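Review bot: In `__tests__/github.test.ts`, the renamed `printActionsRuntimeTokenACs` suite covers only the unset token and the `Permission: 3` fixture; nothing exercises the `catch` branch that calls `core.warning`, nor the `read`, `write` and `unimplemented (...)` cases added in `src/github.ts`. A case such as `process.env.ACTIONS_RUNTIME_TOKEN = 'not-a-jwt';` followed by an assertion on a `core.warning` spy would pin down whether malformed input yields a warning or an uncaught exception. The `core.info` spies are not visibly restored between tests, so `toHaveBeenCalledWith` could match a call from an earlier test; the `beforeEach` body continues outside the hunk, so this may already be handled there.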
@@ -20,7 +20,7 @@ import * as github from '@actions/github';
 import {Context} from '@actions/github/lib/context';
 import jwt_decode from 'jwt-decode';
-import {GitHubActionsRuntimeToken, GitHubRepo} from './types/github';
+import {GitHubActionsRuntimeToken, GitHubActionsRuntimeTokenAC, GitHubRepo} from './types/github';
 export interface GitHubOpts {
 token?: string;
@@ -49,17 +49,37 @@ export class GitHub {
 return process.env.GITHUB_API_URL || 'https://api.github.com';
 }
- static get actionsRuntimeToken(): GitHubActionsRuntimeToken {
+ static get actionsRuntimeToken(): GitHubActionsRuntimeToken | undefined {
 const token = process.env['ACTIONS_RUNTIME_TOKEN'] || '';
- return token ? jwt_decode(token) : {};
+ return token ? jwt_decode(token) : undefined;
 }
- public static async printActionsRuntimeToken() {
- const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
- if (actionsRuntimeToken) {
- core.info(JSON.stringify(JSON.parse(GitHub.actionsRuntimeToken.ac as string), undefined, 2));
- } else {
+ public static async printActionsRuntimeTokenACs() {
+ const jwt = GitHub.actionsRuntimeToken;
+ if (!jwt) {
 core.info(`ACTIONS_RUNTIME_TOKEN not set`);
+ return;
+ }
+ try {
+ >JSON.parse(`${jwt.ac}`).forEach(ac => {
+ let permission: string;
+ switch (ac.Permission) {
+ case 1:
+ permission = 'read';
+ break;
+ case 2:
+ permission = 'write';
+ break;
+ case 3:
+ permission = 'read/write';
+ break;
+ default:
+ permission = `unimplemented (${ac.Permission})`;
+ }
+ core.info(`${ac.Scope}: ${permission}`);
+ });
+ } catch (e) {
+ core.warning(`Cannot parse Actions Runtime Token Access Controls: ${e.message}`);
 }
 }
 }
diff --git a/src/types/github.ts b/src/types/github.ts
index 833a405..a7b9c71 100644
--- a/src/types/github.ts
+++ b/src/types/github.ts
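Review bot: In `src/github.ts`, the `try` in `printActionsRuntimeTokenACs` starts only after `GitHub.actionsRuntimeToken` has been read, so a malformed `ACTIONS_RUNTIME_TOKEN` makes `jwt_decode` throw out of the method instead of reaching the `core.warning` path. Inside the `try`, the template string around `jwt.ac` turns a missing `ac` claim into the text `undefined` and reports it as a parse failure, and the parsed value is only type-asserted, never checked with `Array.isArray`. The `catch` reads `e.message` without narrowing, which does not compile when `useUnknownInCatchVariables` is enabled (the tsconfig is not visible here). Because `jwt_decode` does not verify the signature, a short comment that the printed access controls are informational only would help readers. A sketch of the guards follows; the permission switch stays as it is.

```typescript
public static async printActionsRuntimeTokenACs() {
  let jwt: GitHubActionsRuntimeToken | undefined;
  try {
    // jwt_decode only decodes the payload; the signature is not verified, so this output is informational.
    jwt = GitHub.actionsRuntimeToken;
  } catch (e) {
    core.warning(`Cannot decode Actions Runtime Token: ${e instanceof Error ? e.message : String(e)}`);
    return;
  }
  if (!jwt) {
    core.info(`ACTIONS_RUNTIME_TOKEN not set`);
    return;
  }
  if (!jwt.ac) {
    core.info(`Actions Runtime Token has no access controls claim`);
    return;
  }
  try {
    const acs: unknown = JSON.parse(jwt.ac);
    if (!Array.isArray(acs)) {
      throw new Error('ac claim is not an array');
    }
    // … unchanged: forEach over the entries with the permission switch and core.info …
  } catch (e) {
    core.warning(`Cannot parse Actions Runtime Token Access Controls: ${e instanceof Error ? e.message : String(e)}`);
  }
```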
@@ -29,3 +29,8 @@ export type GitHubRepo = OctoOpenApiTypes['schemas']['repository'];
 export interface GitHubActionsRuntimeToken extends JwtPayload {
 ac?: string;
 }
+
+export interface GitHubActionsRuntimeTokenAC {
+ Scope: string;
+ Permission: number;
+}
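Review bot: `GitHubActionsRuntimeTokenAC` is exported without documentation, and `Permission: number` hides the fact that `printActionsRuntimeTokenACs` only understands the values 1, 2 and 3. A TSDoc line above the interface, such as `/** One entry of the runtime token's "ac" claim; Permission is 1 (read), 2 (write) or 3 (read/write). */`, would record that mapping next to the type. Whether other values occur is not visible here, so keeping the field as `number` rather than a literal union seems reasonable.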