Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the start-proxy action’s credential parsing/types so it can accept and forward future OIDC-based private registry authentication configurations (Azure/AWS/JFrog) to the Dependabot authentication proxy.
Changes:
- Extend registry credential typing/validation to include OIDC configuration shapes (Azure/AWS/JFrog) and add a redacting
credentialToStrinsrc/start-proxy/types.ts. - Add/adjust unit tests to cover OIDC acceptance, printable-character validation for OIDC fields, and new
credentialToStrformatting/redaction. - Add a changelog entry describing upcoming OIDC-registry compatibility.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/start-proxy/types.ts | Adds OIDC auth config types/guards and a new credentialToStr implementation for safe logging. |
| src/start-proxy/types.test.ts | New unit tests for credentialToStr across password/token/OIDC credential shapes. |
| src/start-proxy.ts | Adds getAuthConfig and updates credential validation/handling to propagate OIDC configs. |
| src/start-proxy.test.ts | Updates and expands tests for OIDC credential acceptance and validation behaviors. |
| lib/start-proxy-action.js | Generated build output (not reviewed). |
| CHANGELOG.md | Documents OIDC-registry config acceptance. |
Comments suppressed due to low confidence (2)
src/start-proxy/types.ts:93
isAWSConfigtreats any defined values as valid (including numbers/objects). Since these fields are declared as strings, the guard should also enforcetypeof config[property] === "string"for required properties (andaudienceif present) so invalid types don't slip through validation and reach the proxy.
/** Decides whether `config` is an AWS OIDC configuration. */
export function isAWSConfig(config: Partial<AuthConfig>): config is AWSConfig {
// All of these properties are required.
const requiredProperties = [
"aws_region",
"account_id",
"role_name",
"domain",
"domain_owner",
];
for (const property of requiredProperties) {
if (!(property in config) || !isDefined(config[property])) {
return false;
}
}
return true;
}
src/start-proxy/types.ts:109
isJFrogConfigonly checks thatjfrog_oidc_provider_nameis defined, but not that it's a string. Consider requiringtypeof jfrog_oidc_provider_name === "string"(and validating optional fields if present) to avoid propagating malformed configs.
/** Decides whether `config` is a JFrog OIDC configuration. */
export function isJFrogConfig(
config: Partial<AuthConfig>,
): config is JFrogConfig {
return (
"jfrog_oidc_provider_name" in config &&
isDefined(config.jfrog_oidc_provider_name)
);
| if ("password" in credential) { | ||
| appendIfDefined("Password", credential.password ? "***" : undefined); | ||
| } | ||
| if (isToken(credential)) { | ||
| appendIfDefined("Token", credential.token ? "***" : undefined); | ||
| } |
There was a problem hiding this comment.
credentialToStr uses truthiness checks (credential.password ? "***" : undefined / credential.token ? "***" : undefined) which will omit the field entirely for empty-string secrets. Use an isDefined(...) check (or check for property presence + non-null/undefined) so that empty strings are still masked/indicated consistently.
| "tenant_id" in config && | ||
| "client_id" in config && | ||
| isDefined(config.tenant_id) && | ||
| isDefined(config.client_id) |
There was a problem hiding this comment.
isAzureConfig only checks that tenant_id/client_id are defined, but not that they are strings. This allows non-string values to be treated as valid Azure OIDC config and propagated to the proxy. Tighten the guard to require typeof tenant_id === "string" and typeof client_id === "string" (and optionally non-empty).
This issue also appears in the following locations of the same file:
- line 76
- line 102
| isDefined(config.client_id) | |
| isDefined(config.client_id) && | |
| typeof config.tenant_id === "string" && | |
| typeof config.client_id === "string" && | |
| config.tenant_id.length > 0 && | |
| config.client_id.length > 0 |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
The Dependabot team have been working on support for OIDC-based authentication in the Dependabot authentication proxy, which we also use to support private package registries in Default Setup.
This PR modifies the
start-proxyaction to accept such configurations and propagate them to the proxy. This will ensure that we are ready to support OIDC-based authentication when such configurations are available to us. This is not yet the case at the time of writing.However, that should not block this PR from being merged, since we just perform validation that will allow such configurations to be propagated to the proxy in the future.
Notes for reviewers
Best reviewed commit-by-commit. See the internal issue for more context and references.
Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
dynamicworkflows (Default Setup, Code Quality, ...).Products:
analysis-kinds: code-scanning.analysis-kinds: code-quality.Environments:
github.comand/or GitHub Enterprise Cloud with Data Residency.How did/will you validate this change?
.test.tsfiles).pr-checks).If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist