chore: wip

SocialGouv · Jan 20, 2025 · 67cc20b · 67cc20b
1 parent e5ff66b
commit 67cc20b
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 11 deletions.
diff --git a/dist/index.cjs b/dist/index.cjs
@@ -27592,6 +27592,7 @@ async function run() {
     // Get inputs
     const tokenBureauUrl = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('token-bureau-url', { required: true });
     const audience = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('audience', { required: true });
+    const permissions = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('permissions');
 
     _actions_core__WEBPACK_IMPORTED_MODULE_0__.debug(`Using token-bureau-url: ${tokenBureauUrl}`);
     _actions_core__WEBPACK_IMPORTED_MODULE_0__.debug(`Using audience: ${audience}`);
@@ -27617,9 +27618,9 @@ async function run() {
         'Accept': 'application/json',
         'User-Agent': 'token-bureau-action'
       },
-      body: JSON.stringify({
-        repositories: [repository]
-      })
+      body: JSON.stringify(
+        permissions ? { permissions: JSON.parse(permissions) } : {}
+      )
     });
 
     _actions_core__WEBPACK_IMPORTED_MODULE_0__.debug(`Response status: ${response.status}`);

diff --git a/examples/workflow.yml b/examples/workflow.yml
@@ -25,6 +25,14 @@ jobs:
           # The audience value must match OIDC_AUDIENCE in your server's environment
           # This is used to validate the OIDC token
           audience: your-audience-value
+
+          # Specify the permissions for the generated token
+          # These must match the permissions configured in your TokenBureau server
+          permissions: |
+            {
+              "contents": "write",
+              "issues": "read"
+            }
 
       # Example: Use the token to create a release
       - name: Create Release

diff --git a/package.json b/package.json
@@ -33,5 +33,6 @@
         "type": "json"
       }
     ]
-  }
+  },
+  "packageManager": "[email protected]"
 }
diff --git a/packages/action/index.js b/packages/action/index.js
@@ -31,10 +31,9 @@ async function run() {
         'Accept': 'application/json',
         'User-Agent': 'token-bureau-action'
       },
-      body: JSON.stringify({
-        repositories: [repository],
-        permissions: permissions ? JSON.parse(permissions) : undefined
-      })
+      body: JSON.stringify(
+        permissions ? { permissions: JSON.parse(permissions) } : {}
+      )
     });
 
     core.debug(`Response status: ${response.status}`);

diff --git a/packages/server/config/permissions.yml b/packages/server/config/permissions.yml
@@ -8,6 +8,14 @@ default:
     issues: write
     pull_requests: write
     deployments: write
+    # packages: read
+    # actions: read
+    # security_events: read
+    # statuses: read
+    # checks: read
+    # discussions: read
+    # pages: read
+    # workflows: read
 
 # Repository-specific permission overrides
 # Format: owner/repo or org/*

diff --git a/packages/server/index.js b/packages/server/index.js
@@ -245,16 +245,19 @@ app.post('/generate-token', async (req, res) => {
 
     const tokenPayload = extractAndDecodeToken(req.headers.authorization);
 
-    // Handle both direct permissions object and wrapped format
-    const requestedPermissions = req.body.permissions || 
-      (typeof req.body === 'object' && !Array.isArray(req.body) ? req.body : undefined);
+    // Extract permissions from request body
+    const requestedPermissions = req.body.permissions;
 
     logger.debug({ 
       bodyType: typeof req.body,
       body: req.body,
       requestedPermissions 
     }, 'Parsed request body');
 
+    if (requestedPermissions && typeof requestedPermissions !== 'object') {
+      throw new Error('Permissions must be an object mapping permission names to access levels');
+    }
+
     // Verify OIDC token
     const decoded = await new Promise((resolve, reject) => {
       jwt.verify(tokenPayload, getKey, {
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,5 +33,6 @@ @@
             "type": "json"
           }
         ]
-      }
+      },
+      "packageManager": "[email protected]"
     }