Initial action implementation, with tests

Author: segiddins

.github/workflows/test.yml

@@ -21,4 +21,8 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./
         with:
-          milliseconds: 1000
+          role-to-assume: 3
+          gem-server: 'https://oidc-api-token.rubygems.org'
+      - name: Test token
+        run: |
+          curl -v --fail 'https://oidc-api-token.rubygems.org/api/v1/oidc/api_key/roles/3' -H 'Authorization: ${{ env.RUBYGEMS_API_TOKEN }}'

__tests__/main.test.ts

@@ -1,29 +1,132 @@
-import {wait} from '../src/wait'
-import * as process from 'process'
-import * as cp from 'child_process'
-import * as path from 'path'
-import {expect, test} from '@jest/globals'
-
-test('throws invalid number', async () => {
-  const input = parseInt('foo', 10)
-  await expect(wait(input)).rejects.toThrow('milliseconds not a number')
+import nock from 'nock'
+import {
+  beforeEach,
+  afterEach,
+  expect,
+  jest,
+  test,
+  describe
+} from '@jest/globals'
+import {readFile} from 'fs/promises'
+import mockFS from 'mock-fs'
+import * as os from 'os'
+import YAML from 'yaml'
+import * as core from '@actions/core'
+
+import {configureApiToken} from '../src/configureApiToken'
+import {assumeRole} from '../src/oidc/assumeRole'
+
+jest.mock('os', () => {
+  const originalModule = jest.requireActual('os') as any
+
+  return {
+    __esModule: true, // Use it when dealing with esModules
+    ...originalModule,
+    homedir: jest.fn()
+  }
 })
 
-test('wait 500 ms', async () => {
-  const start = new Date()
-  await wait(500)
-  const end = new Date()
-  var delta = Math.abs(end.getTime() - start.getTime())
-  expect(delta).toBeGreaterThan(450)
+describe('configureApiToken', () => {
+  test('throws no token', async () => {
+    await expect(configureApiToken(undefined as any, '')).rejects.toThrow(
+      'Empty apiToken is not supported'
+    )
+  })
+
+  test('throws empty token', async () => {
+    await expect(configureApiToken(undefined as any, '')).rejects.toThrow(
+      'Empty apiToken is not supported'
+    )
+  })
+
+  test('adding default token', async () => {
+    mockHomedir('/home/runner')
+    mockFS({})
+
+    await configureApiToken('token', 'https://rubygems.org')
+
+    await expect(
+      readFile('/home/runner/.gem/credentials', 'utf8').then(YAML.parse)
+    ).resolves.toEqual({':rubygems_api_key': 'token'})
+    expect(exportedVariables).toEqual({
+      BUNDLE_GEM__PUSH_KEY: 'token',
+      GEM_HOST_API_KEY: 'token',
+      RUBYGEMS_API_KEY: 'token'
+    })
+  })
+
+  test('adding custom token', async () => {
+    mockHomedir('/home/runner')
+    mockFS({})
+
+    await configureApiToken('token', 'https://oidc-api-token.rubygems.org')
+
+    await expect(
+      readFile('/home/runner/.gem/credentials', 'utf8').then(YAML.parse)
+    ).resolves.toEqual({'https://oidc-api-token.rubygems.org': 'token'})
+    expect(exportedVariables).toEqual({
+      BUNDLE_GEM__PUSH_KEY: 'token',
+      GEM_HOST_API_KEY: 'token',
+      RUBYGEMS_API_KEY: 'token'
+    })
+  })
 })
 
-// shows how the runner will run a javascript action with env / stdout protocol
-test('test runs', () => {
-  process.env['INPUT_MILLISECONDS'] = '500'
-  const np = process.execPath
-  const ip = path.join(__dirname, '..', 'lib', 'main.js')
-  const options: cp.ExecFileSyncOptions = {
-    env: process.env
+describe('assumeRole', () => {
+  test('works', async () => {
+    jest.spyOn(core, 'getIDToken').mockReturnValue(Promise.resolve('ID_TOKEN'))
+
+    nock('https://rubygems.org')
+      .post('/api/v1/oidc/api_key_roles/1/assume_role', {
+        jwt: 'ID_TOKEN'
+      })
+      .reply(201, {
+        name: 'role name',
+        rubygems_api_key: 'API_KEY',
+        expires_at: '2021-01-01T00:00:00Z',
+        scopes: ['push_rubygem']
+      })
+
+    await expect(
+      assumeRole('1', 'rubygems.org', 'https://rubygems.org')
+    ).resolves.toEqual({
+      expiresAt: '2021-01-01T00:00:00Z',
+      gem: undefined,
+      name: 'role name',
+      rubygemsApiKey: 'API_KEY',
+      scopes: ['push_rubygem']
+    })
+  })
+})
+
+function mockHomedir(homedir: string) {
+  mockOf(os.homedir).mockReturnValue(homedir)
+}
+
+function mockOf<T extends (...args: any) => any>(dep: T): jest.Mock<T> {
+  return <jest.Mock<T>>(<unknown>dep)
+}
+
+let exportedVariables: Record<string, string>
+let secrets: string[]
+
+beforeEach(() => {
+  if (!nock.isActive()) {
+    nock.activate()
   }
-  console.log(cp.execFileSync(np, [ip], options).toString())
+  nock.disableNetConnect()
+
+  exportedVariables = {}
+  secrets = []
+  jest.spyOn(core, 'exportVariable').mockImplementation((name, value) => {
+    exportedVariables[name] = value
+  })
+  jest.spyOn(core, 'setSecret').mockImplementation(value => {
+    secrets.push(value)
+  })
+})
+
+afterEach(() => {
+  mockFS.restore()
+  nock.restore()
 })

action.yml

@@ -1,11 +1,27 @@
-name: 'Your name here'
-description: 'Provide a description here'
-author: 'Your name or organization here'
+name: 'Configure RubyGems Credentials'
+description: 'Configure rubygems.org credential environment variables for use in other GitHub Actions.'
+branding:
+  icon: 'package'
+  color: 'red'
+author: 'RubyGems'
 inputs:
-  milliseconds: # change this
-    required: true
-    description: 'input description here'
-    default: 'default value if applicable'
+  gem-server:
+    required: false
+    description: 'The gem server to configure credentials for. Defaults to https://rubygems.org.'
+    default: 'https://rubygems.org'
+  audience:
+    default: 'rubygems.org'
+    description: 'The audience to use for the OIDC provider. Defaults to rubygems.org.'
+    required: false
+  role-to-assume:
+    description: >-
+      Use the provided credentials to assume an OIDC api token role and configure the Actions
+      environment with the assumed role credentials rather than with the provided
+      credentials
+    required: false
+  api-token:
+    description: 'The rubygems api token to use for authentication.'
+    required: false
 runs:
   using: 'node16'
   main: 'dist/index.js'