github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-05-02 03:00:22 -04:00
Code Issues Packages Projects Releases Wiki Activity

build: authenticate sudowoodo /token exchange via Actions OIDC (#51051)

Browse Source
This commit is contained in:
Samuel Attard
2026-04-14 18:54:45 -04:00
committed by GitHub
parent 53bf94fdf4
commit 3896050d5f
3 changed files with 21 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/pipeline-segment-electron-build.yml vendored
View File

@@ -77,7 +77,6 @@ env:
ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || inputs.target-platform == 'win' && '--custom-var=checkout_win=True' || '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
ELECTRON_OUT_DIR: Default
ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}

1
.github/workflows/pipeline-segment-electron-publish.yml vendored
View File

@@ -79,7 +79,6 @@ env:
ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' &&
'--custom-var=checkout_mac=True --custom-var=host_os=mac' ||
inputs.target-platform == 'win' && '--custom-var=checkout_win=True' ||

24
script/release/github-token.ts
View File

@@ -5,18 +5,36 @@ import { ElectronReleaseRepo } from './types';
const cachedTokens = Object.create(null);
const SUDOWOODO_OIDC_AUDIENCE = 'sudowoodo-broker';
async function getActionsIdToken(): Promise<string> {
const { ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN } = process.env;
if (!ACTIONS_ID_TOKEN_REQUEST_URL || !ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
throw new Error(
'ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN not set — the job needs `permissions: id-token: write` to mint an OIDC token for the sudowoodo exchange'
);
}
const { value } = await got(ACTIONS_ID_TOKEN_REQUEST_URL + '&audience=' + SUDOWOODO_OIDC_AUDIENCE, {
headers: {
authorization: 'Bearer ' + ACTIONS_ID_TOKEN_REQUEST_TOKEN
}
}).json<{ value: string }>();
return value;
}
async function ensureToken(repo: ElectronReleaseRepo) {
if (!cachedTokens[repo]) {
cachedTokens[repo] = await (async () => {
const { ELECTRON_GITHUB_TOKEN, SUDOWOODO_EXCHANGE_URL, SUDOWOODO_EXCHANGE_TOKEN } = process.env;
const { ELECTRON_GITHUB_TOKEN, SUDOWOODO_EXCHANGE_URL } = process.env;
if (ELECTRON_GITHUB_TOKEN) {
return ELECTRON_GITHUB_TOKEN;
}
if (SUDOWOODO_EXCHANGE_URL && SUDOWOODO_EXCHANGE_TOKEN) {
if (SUDOWOODO_EXCHANGE_URL) {
const idToken = await getActionsIdToken();
const resp = await got.post(SUDOWOODO_EXCHANGE_URL + '?repo=' + repo, {
headers: {
Authorization: SUDOWOODO_EXCHANGE_TOKEN
Authorization: 'Bearer ' + idToken
},
throwHttpErrors: false
});