remove typo & update test workflow

step-security · Oct 22, 2024 · 5be84ad · 5be84ad
1 parent 5af6c5c
commit 5be84ad
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 138 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -90,23 +90,10 @@ jobs:
           project_id: '${{ vars.PROJECT_ID }}'
           workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
 
-      - id: 'oauth-federated-token'
-        name: 'oauth-federated-token'
-        run: |-
-          curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-default.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
-            --silent \
-            --show-error \
-            --fail \
-            --header "Authorization: Bearer ${{ steps.auth-default.outputs.auth_token }}"
-
       - uses: 'google-github-actions/setup-gcloud@v2'
         with:
           version: '>= 363.0.0'
 
-      - name: 'gcloud'
-        run: |-
-          gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
-
 
   #
   # Workload Identity Federation through a Service Account
@@ -147,10 +134,6 @@ jobs:
         with:
           version: '>= 363.0.0'
 
-      - name: 'gcloud'
-        run: |-
-          gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
-
       - id: 'auth-access-token'
         name: 'auth-access-token'
         uses: './'
@@ -159,15 +142,6 @@ jobs:
           service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
           token_format: 'access_token'
 
-      - id: 'oauth-token'
-        name: 'oauth-token'
-        run: |-
-          curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
-            --silent \
-            --show-error \
-            --fail \
-            --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
-
       - id: 'id-token'
         name: 'id-token'
         uses: './'
@@ -177,101 +151,3 @@ jobs:
           token_format: 'id_token'
           id_token_audience: 'https://secretmanager.googleapis.com/'
           id_token_include_email: true
-
-
-  #
-  # Service Account Key JSON
-  #
-  credentials_json:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-    name: 'credentials_json'
-    runs-on: '${{ matrix.os }}'
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - 'ubuntu-latest'
-          - 'windows-latest'
-          - 'macos-latest'
-
-    steps:
-      - uses: 'actions/checkout@v4'
-
-      - uses: 'actions/setup-node@v4'
-        with:
-          node-version: '20.x'
-
-      - name: 'npm build'
-        run: 'npm ci && npm run build'
-
-      - id: 'auth-default'
-        name: 'auth-default'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-
-      - uses: 'google-github-actions/setup-gcloud@v2'
-        with:
-          version: '>= 363.0.0'
-
-      - name: 'gcloud'
-        run: |-
-          gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
-
-      - id: 'auth-access-token'
-        name: 'auth-access-token'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-          token_format: 'access_token'
-
-      - id: 'access-token'
-        name: 'access-token'
-        run: |-
-          curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
-            --silent \
-            --show-error \
-            --fail \
-            --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
-
-      - id: 'auth-id-token'
-        name: 'auth-id-token'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-          token_format: 'id_token'
-          id_token_audience: 'https://secretmanager.googleapis.com/'
-          id_token_include_email: true
-
-  #
-  # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
-  # variable is shared with the container and that the path of the file is on
-  # the shared filesystem with the container and that the USER for the container
-  # has permissions to read the file.
-  #
-  docker:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-    name: 'docker'
-    runs-on: 'ubuntu-latest'
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: 'actions/checkout@v4'
-
-      - uses: 'actions/setup-node@v4'
-        with:
-          node-version: '20.x'
-
-      - name: 'npm build'
-        run: 'npm ci && npm run build'
-
-      - name: 'auth-default'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-
-      - name: 'docker'
-        uses: 'docker://alpine:3'
-        with:
-          entrypoint: '/bin/sh'
-          args: '-euc "test -n "${GOOGLE_APPLICATION_CREDENTIALS}" && test -r "${GOOGLE_APPLICATION_CREDENTIALS}"'
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/src/main.ts b/src/main.ts
@@ -36,7 +36,6 @@ import {
 import {
   AuthClient,
   IAMCredentialsClient,
-  ServiceAccountKeyClient,
   WorkloadIdentityFederationClient,
 } from './client/client';
 import { Logger } from './logger';
@@ -48,8 +47,8 @@ import {
 } from './utils';
 import { appendFileSync } from 'fs';
 import { relative } from 'path';
-import * as core from '@actions/core'
-import axios, {isAxiosError} from 'axios'
+import * as core from '@actions/core';
+import axios, { isAxiosError } from 'axios';
 
 const secretsWarning =
   `If you are specifying input values via GitHub secrets, ensure the secret ` +
@@ -62,27 +61,24 @@ const oidcWarning =
   `GitHub Actions workflow permissions are incorrect, or this job is being ` +
   `run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token`;
 
-
 async function validateSubscription(): Promise<void> {
-  const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`
+  const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
 
   try {
-    await axios.get(API_URL, {timeout: 3000})
+    await axios.get(API_URL, { timeout: 3000 });
   } catch (error) {
     if (isAxiosError(error) && error.response) {
-      core.error(
-        'Subscription is not valid. Reach out to [email protected]'
-      )
-      process.exit(1)
+      core.error('Subscription is not valid. Reach out to [email protected]');
+      process.exit(1);
     } else {
-      core.info('Timeout or API not reachable. Continuing to next step.')
+      core.info('Timeout or API not reachable. Continuing to next step.');
     }
   }
 }
 
 export async function run(logger: Logger) {
   // check subscription
-  await validateSubscription()
+  await validateSubscription();
 
   // Warn if pinned to HEAD
   if (isPinnedToHead()) {
@@ -149,7 +145,7 @@ export async function run(logger: Logger) {
         serviceAccount: serviceAccount,
       });
     } else {
-      throw new Error('This action only supports workflow identity');
+      throw new Error('This action only supports workload identity');
     }
 
     // Always write the credentials file first, before trying to generate