feat(trusted-publishing): pass id-token as bearer header for gitlab pipelines

travi · travi · commit 6d1c3cf9b3c9 · 2025-10-15T12:30:13.000-05:00
for #958
diff --git a/lib/definitions/constants.js b/lib/definitions/constants.js
@@ -1 +1,4 @@
 export const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";
+
+export const GITHUB_ACTIONS_PROVIDER_NAME = "GitHub Actions";
+export const GITLAB_PIPELINES_PROVIDER_NAME = "GitLab CI/CD";
diff --git a/lib/trusted-publishing/token-exchange.js b/lib/trusted-publishing/token-exchange.js
@@ -1,19 +1,13 @@
 import { getIDToken } from "@actions/core";
+import envCi from "env-ci";
 
-import { OFFICIAL_REGISTRY } from "../definitions/constants.js";
-
-const GITHUB_ACTIONS_PROVIDER_NAME = "GitHub Actions";
-const GITLAB_PIPELINES_PROVIDER_NAME = "GitLab CI/CD";
-
-async function exchangeGithubActionsToken(packageName) {
-  let idToken;
-
-  try {
-    idToken = await getIDToken("npm:registry.npmjs.org");
-  } catch (e) {
-    return undefined;
-  }
+import {
+  OFFICIAL_REGISTRY,
+  GITHUB_ACTIONS_PROVIDER_NAME,
+  GITLAB_PIPELINES_PROVIDER_NAME,
+} from "../definitions/constants.js";
 
+async function exchangeIdToken(idToken, packageName) {
   const response = await fetch(
     `${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`,
     {
@@ -29,6 +23,38 @@ async function exchangeGithubActionsToken(packageName) {
   return undefined;
 }
 
+async function exchangeGithubActionsToken(packageName) {
+  let idToken;
+
+  try {
+    idToken = await getIDToken("npm:registry.npmjs.org");
+  } catch (e) {
+    return undefined;
+  }
+
+  return exchangeIdToken(idToken, packageName);
+}
+
+async function exchangeGitlabPipelinesToken(packageName) {
+  const idToken = process.env.NPM_ID_TOKEN;
+
+  if (!idToken) {
+    return undefined;
+  }
+
+  return await exchangeIdToken(idToken, packageName);
+}
+
 export default async function exchangeToken(pkg) {
-  return await exchangeGithubActionsToken(pkg.name);
+  const { name: ciProviderName } = envCi();
+
+  if (GITHUB_ACTIONS_PROVIDER_NAME === ciProviderName) {
+    return await exchangeGithubActionsToken(pkg.name);
+  }
+
+  if (GITLAB_PIPELINES_PROVIDER_NAME === ciProviderName) {
+    return await exchangeGitlabPipelinesToken(pkg.name);
+  }
+
+  return undefined;
 }
diff --git a/test/trusted-publishing/token-exchange.test.js b/test/trusted-publishing/token-exchange.test.js
@@ -1,11 +1,15 @@
 import test from "ava";
 import * as td from "testdouble";
 
-import { OFFICIAL_REGISTRY } from "../../lib/definitions/constants.js";
+import {
+  OFFICIAL_REGISTRY,
+  GITHUB_ACTIONS_PROVIDER_NAME,
+  GITLAB_PIPELINES_PROVIDER_NAME,
+} from "../../lib/definitions/constants.js";
 
 // https://api-docs.npmjs.com/#tag/registry.npmjs.org/operation/exchangeOidcToken
 
-let exchangeToken, getIDToken;
+let exchangeToken, getIDToken, envCi;
 const packageName = "@scope/some-package";
 const pkg = { name: packageName };
 const idToken = "id-token-value";
@@ -14,15 +18,19 @@ const token = "token-value";
 test.beforeEach(async (t) => {
   await td.replace(globalThis, "fetch");
   ({ getIDToken } = await td.replaceEsm("@actions/core"));
+  ({ default: envCi } = await td.replaceEsm("env-ci"));
 
   ({ default: exchangeToken } = await import("../../lib/trusted-publishing/token-exchange.js"));
 });
 
 test.afterEach.always((t) => {
   td.reset();
+
+  delete process.env.NPM_ID_TOKEN;
 });
 
-test.serial("that an access token is returned when token exchange succeeds", async (t) => {
+test.serial("that an access token is returned when token exchange succeeds on GitHub Actions", async (t) => {
+  td.when(envCi()).thenReturn({ name: GITHUB_ACTIONS_PROVIDER_NAME });
   td.when(getIDToken("npm:registry.npmjs.org")).thenResolve(idToken);
   td.when(
     fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`, {
@@ -36,13 +44,17 @@ test.serial("that an access token is returned when token exchange succeeds", asy
   t.is(await exchangeToken(pkg), token);
 });
 
-test.serial("that `undefined` is returned when ID token retrieval fails", async (t) => {
-  td.when(getIDToken("npm:registry.npmjs.org")).thenThrow(new Error("Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable"));
+test.serial("that `undefined` is returned when ID token retrieval fails on GitHub Actions", async (t) => {
+  td.when(envCi()).thenReturn({ name: GITHUB_ACTIONS_PROVIDER_NAME });
+  td.when(getIDToken("npm:registry.npmjs.org")).thenThrow(
+    new Error("Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable")
+  );
 
   t.is(await exchangeToken(pkg), undefined);
 });
 
-test.serial("that `undefined` is returned when token exchange fails", async (t) => {
+test.serial("that `undefined` is returned when token exchange fails on GitHub Actions", async (t) => {
+  td.when(envCi()).thenReturn({ name: GITHUB_ACTIONS_PROVIDER_NAME });
   td.when(getIDToken("npm:registry.npmjs.org")).thenResolve(idToken);
   td.when(
     fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`, {
@@ -55,3 +67,45 @@ test.serial("that `undefined` is returned when token exchange fails", async (t)
 
   t.is(await exchangeToken(pkg), undefined);
 });
+
+test.serial("that an access token is returned when token exchange succeeds on GitLab Pipelines", async (t) => {
+  process.env.NPM_ID_TOKEN = idToken;
+  td.when(envCi()).thenReturn({ name: GITLAB_PIPELINES_PROVIDER_NAME });
+  td.when(
+    fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${idToken}` },
+    })
+  ).thenResolve(
+    new Response(JSON.stringify({ token }), { status: 201, headers: { "Content-Type": "application/json" } })
+  );
+
+  t.is(await exchangeToken(pkg), token);
+});
+
+test.serial("that `undefined` is returned when ID token is not available on GitLab Pipelines", async (t) => {
+  td.when(envCi()).thenReturn({ name: GITLAB_PIPELINES_PROVIDER_NAME });
+
+  t.is(await exchangeToken(pkg), undefined);
+});
+
+test.serial("that `undefined` is returned when token exchange fails on GitLab Pipelines", async (t) => {
+  process.env.NPM_ID_TOKEN = idToken;
+  td.when(envCi()).thenReturn({ name: GITLAB_PIPELINES_PROVIDER_NAME });
+  td.when(
+    fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${idToken}` },
+    })
+  ).thenResolve(
+    new Response(JSON.stringify({ message: "foo" }), { status: 401, headers: { "Content-Type": "application/json" } })
+  );
+
+  t.is(await exchangeToken(pkg), undefined);
+});
+
+test.serial("that `undefined` is returned when no supported CI provider is detected", async (t) => {
+  td.when(envCi()).thenReturn({ name: "Other Service" });
+
+  t.is(await exchangeToken(pkg), undefined);
+});
