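name: Setup JFrog OIDC
description: Obtain a JFrog access token via GitHub OIDC and configure npm to use JFrog registry proxy
runs:
  using: composite
  steps:
    # Exchange the job's GitHub OIDC identity for a JFrog access token.
    # The calling job must grant `permissions: id-token: write`; without it
    # ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN are unset and `set -u` aborts
    # the step before any request is made.
    - name: Get JFrog OIDC token
      shell: bash
      run: |
        set -euo pipefail
        # Redirects are deliberately not followed (no `-L`): both requests
        # below carry a credential and must only reach the host they were
        # addressed to. `--fail` makes an HTTP error status exit non-zero
        # instead of handing an error page to jq (which would yield "null").
        ID_TOKEN=$(curl -sS --fail \
          -H "User-Agent: actions/oidc-client" \
          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r '.value // empty')
        if [ -z "$ID_TOKEN" ]; then
          echo "::error::Could not obtain GitHub OIDC ID token (is 'id-token: write' granted to the job?)"
          exit 1
        fi
        echo "::add-mask::${ID_TOKEN}"
        # Build the token-exchange body with jq so the ID token is
        # JSON-encoded rather than spliced into a hand-written string.
        EXCHANGE_BODY=$(jq -nc --arg tok "$ID_TOKEN" '{
          grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
          subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
          subject_token: $tok,
          provider_name: "github-actions"
        }')
        ACCESS_TOKEN=$(curl -sS --fail -XPOST -H "Content-Type: application/json" \
          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
          -d "$EXCHANGE_BODY" | jq -r '.access_token // empty')
        if [ -z "$ACCESS_TOKEN" ]; then
          echo "FAIL: Could not extract JFrog access token"
          exit 1
        fi
        echo "::add-mask::${ACCESS_TOKEN}"
        # $GITHUB_ENV is line-oriented: a value containing a newline would be
        # read as additional variable assignments. Refuse rather than inject.
        case "$ACCESS_TOKEN" in
          *$'\n'*)
            echo "::error::JFrog access token contains a newline; refusing to export it"
            exit 1
            ;;
        esac
        # NOTE: exporting via $GITHUB_ENV makes the (masked) token available to
        # every later step of the calling job, not only to this action's own
        # steps. Callers that run third-party actions afterwards should be
        # aware of that scope.
        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
        echo "JFrog OIDC token obtained successfully"
    # Point npm at the JFrog npm repository and authenticate with the token
    # obtained above.
    - name: Configure npm for JFrog
      shell: bash
      run: |
        set -euo pipefail
        if [ -z "${JFROG_ACCESS_TOKEN:-}" ]; then
          echo "::error::JFROG_ACCESS_TOKEN is not set; the 'Get JFrog OIDC token' step must run first"
          exit 1
        fi
        # ~/.npmrc holds the bearer token in clear text: create it owner-only
        # (umask 077 -> 0600) and start from a fresh file so a pre-existing
        # .npmrc cannot keep its old mode or shadow these settings.
        umask 077
        rm -f ~/.npmrc
        cat > ~/.npmrc << EOF
        registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
        //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
        always-auth=true
        EOF
        echo "npm configured to use JFrog registry"
    # Rewrite lockfile `resolved:` URLs to JFrog. `npm ci` honors the
    # lockfile's `resolved:` URL over the `.npmrc` registry; protected
    # runners cannot reach `registry.npmjs.org` or the internal
    # `npm-proxy.dev.databricks.com` directly, so without this rewrite
    # npm hangs ~8 minutes on any package whose `resolved:` points
    # elsewhere, then dies with "Exit handler never called".
    # The committed lockfile is kept as-generated locally (mixed
    # public-npm + dev-proxy URLs) so contributors can `npm ci`
    # locally; this step adapts it for CI.
    # Only the URL is changed; the lockfile's `integrity` hashes are not
    # touched, so `npm ci` still verifies every tarball it now fetches
    # from JFrog against the hash that was committed.
    - name: Rewrite lockfile to JFrog registry
      shell: bash
      run: |
        set -euo pipefail
        if [ -f package-lock.json ]; then
          # Rewrite both public npm and the internal dev-proxy (the
          # latter is written by `npm install` when run on a dev
          # workstation whose .npmrc points at npm-proxy.dev).
          # Hosts are matched literally (dots escaped) and anchored on the
          # trailing "/", so a look-alike host such as
          # registry.npmjs.org.example is neither rewritten nor accepted.
          sed -i \
            -e 's|https://registry\.npmjs\.org/|https://databricks.jfrog.io/artifactory/api/npm/db-npm/|g' \
            -e 's|https://npm-proxy\.dev\.databricks\.com/|https://databricks.jfrog.io/artifactory/api/npm/db-npm/|g' \
            package-lock.json
          echo "package-lock.json resolved: URLs rewritten to JFrog"
          echo "Resolved URL distribution after rewrite:"
          # `|| true`: a lockfile with no resolved entries makes grep exit 1,
          # which under pipefail would fail the step for a purely informational print.
          grep -oE '"resolved": "[a-z+]+://[^/]+' package-lock.json | sort | uniq -c || true
          # Fail loud if any network `resolved:` URL (any scheme, including
          # http:// and git+https://) does not point at JFrog over https — a new
          # registry hostname added to the tree would otherwise silently hang
          # `npm ci` for 8min. The host is compared exactly, not as a substring.
          LEAKS=$(grep -oE '"resolved": "[a-z+]+://[^/]+' package-lock.json \
            | grep -vE '^"resolved": "https://databricks\.jfrog\.io$' | sort -u || true)
          if [ -n "$LEAKS" ]; then
            echo "::error::JFrog rewrite incomplete; non-JFrog hosts remain: $LEAKS"
            exit 1
          fi
        else
          echo "no package-lock.json found; skipping rewrite"
        fi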