fix: change to the oidc flow for more granualr control over log levels

reggi · reggi · commit 3c263ef8af9c · 2025-06-27T13:24:13.000-04:00
diff --git a/lib/utils/oidc.js b/lib/utils/oidc.js
@@ -30,6 +30,7 @@ async function oidc ({ packageName, registry, opts, config }) {
       /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L161C13-L161C22 */
       ciInfo.GITLAB
     )) {
+      log.silly('oidc', 'Not running OIDC, not in a supported CI environment')
       return undefined
     }
 
@@ -67,14 +68,11 @@ async function oidc ({ packageName, registry, opts, config }) {
           process.env.ACTIONS_ID_TOKEN_REQUEST_URL &&
           process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
         ) {
-          log.silly('oidc', '"GITHUB_ACTIONS" detected with "ACTIONS_ID_" envs, fetching id_token')
-
           /**
            * The specification for an audience is `npm:registry.npmjs.org`,
            * where "registry.npmjs.org" can be any supported registry.
            */
           const audience = `npm:${new URL(registry).hostname}`
-          log.silly('oidc', `Using audience: ${audience}`)
           const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL)
           url.searchParams.append('audience', audience)
           const startTime = Date.now()
@@ -96,17 +94,19 @@ async function oidc ({ packageName, registry, opts, config }) {
           const json = await response.json()
 
           if (!response.ok) {
-            throw new Error(`Failed to fetch id_token from GitHub: received an invalid response`)
+            log.silly('oidc', `Failed to fetch id_token from GitHub: received an invalid response`)
+            return undefined
           }
 
           if (!json.value) {
-            throw new Error(`Failed to fetch id_token from GitHub: missing value`)
+            log.silly('oidc', `Failed to fetch id_token from GitHub: missing value`)
+            return undefined
           }
 
-          log.silly('oidc', 'GITHUB_ACTIONS valid fetch response for id_token')
           idToken = json.value
         } else {
-          throw new Error('GITHUB_ACTIONS detected. If you intend to publish using OIDC, please set workflow permissions for `id-token: write`')
+          log.silly('oidc', 'GITHUB_ACTIONS detected. If you intend to publish using OIDC, please set workflow permissions for `id-token: write`')
+          return undefined
         }
       }
     }
@@ -130,22 +130,31 @@ async function oidc ({ packageName, registry, opts, config }) {
     }
 
     const escapedPackageName = npa(packageName).escapedName
-    const response = await npmFetch.json(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry), {
-      ...{
-        ...opts,
-        [authTokenKey]: idToken, // Use the idToken as the auth token for the request
-      },
-      method: 'POST',
-      headers: {
-        ...opts.headers,
-        'Content-Type': 'application/json',
-        // this will not work because the existing auth token will replace it.
-        // authorization: `Bearer ${idToken}`,
-      },
-    })
+    let response
+    try {
+      response = await npmFetch.json(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry), {
+        ...{
+          ...opts,
+          [authTokenKey]: idToken, // Use the idToken as the auth token for the request
+        },
+        method: 'POST',
+        headers: {
+          ...opts.headers,
+          'Content-Type': 'application/json',
+          // this will not work because the existing auth token will replace it.
+          // authorization: `Bearer ${idToken}`,
+        },
+      })
+    } catch (error) {
+      if (error?.body?.message) {
+        log.verbose('oidc', `Registry body response error message "${error.body.message}"`)
+      }
+      return undefined
+    }
 
     if (!response?.token) {
-      throw new Error('OIDC token exchange failure: missing token in response body')
+      log.silly('oidc', 'OIDC token exchange failure: missing token in response body')
+      return undefined
     }
     /*
      * The "opts" object is a clone of npm.flatOptions and is passed through the `publish` command,
@@ -158,9 +167,6 @@ async function oidc ({ packageName, registry, opts, config }) {
     log.silly('oidc', `OIDC token successfully retrieved`)
   } catch (error) {
     log.verbose('oidc', error.message)
-    if (error?.body?.message) {
-      log.verbose('oidc', `Registry body response error message "${error.body.message}"`)
-    }
   }
   return undefined
 }
