diff --git a/CHANGELOG.md b/CHANGELOG.md index df8bb124d..002fb3f2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th - The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795) - The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789) - Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://github.com/github/codeql-action/pull/3794) +- Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807) ## 4.35.1 - 27 Mar 2026 diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index ebc105d2e..072deb113 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -121744,15 +121744,15 @@ function isToken(config) { return "token" in config && isStringOrUndefined(config.token); } function isAzureConfig(config) { - return "tenant_id" in config && "client_id" in config && isDefined2(config.tenant_id) && isDefined2(config.client_id) && isString(config.tenant_id) && isString(config.client_id); + return "tenant-id" in config && "client-id" in config && isDefined2(config["tenant-id"]) && isDefined2(config["client-id"]) && isString(config["tenant-id"]) && isString(config["client-id"]); } function isAWSConfig(config) { const requiredProperties = [ - "aws_region", - "account_id", - "role_name", + "aws-region", + "account-id", + "role-name", "domain", - "domain_owner" + "domain-owner" ]; for (const property of requiredProperties) { if (!(property in config) || !isDefined2(config[property]) || !isString(config[property])) { @@ -121768,10 +121768,10 @@ function isJFrogConfig(config) { if ("audience" in config && !isStringOrUndefined(config.audience)) { return false; } - if ("identity_mapping_name" in config && !isStringOrUndefined(config.identity_mapping_name)) { + if ("identity-mapping-name" in config && !isStringOrUndefined(config["identity-mapping-name"])) { return false; } - return "jfrog_oidc_provider_name" in config && isDefined2(config.jfrog_oidc_provider_name) && isString(config.jfrog_oidc_provider_name); + return "jfrog-oidc-provider-name" in config && isDefined2(config["jfrog-oidc-provider-name"]) && isString(config["jfrog-oidc-provider-name"]); } function credentialToStr(credential) { let result = `Type: ${credential.type};`; @@ -121795,18 +121795,21 @@ function credentialToStr(credential) { appendIfDefined("Token", isDefined2(credential.token) ? "***" : void 0); } if (isAzureConfig(credential)) { - appendIfDefined("Tenant", credential.tenant_id); - appendIfDefined("Client", credential.client_id); + appendIfDefined("Tenant", credential["tenant-id"]); + appendIfDefined("Client", credential["client-id"]); } else if (isAWSConfig(credential)) { - appendIfDefined("AWS Region", credential.aws_region); - appendIfDefined("AWS Account", credential.account_id); - appendIfDefined("AWS Role", credential.role_name); + appendIfDefined("AWS Region", credential["aws-region"]); + appendIfDefined("AWS Account", credential["account-id"]); + appendIfDefined("AWS Role", credential["role-name"]); appendIfDefined("AWS Domain", credential.domain); - appendIfDefined("AWS Domain Owner", credential.domain_owner); + appendIfDefined("AWS Domain Owner", credential["domain-owner"]); appendIfDefined("AWS Audience", credential.audience); } else if (isJFrogConfig(credential)) { - appendIfDefined("JFrog Provider", credential.jfrog_oidc_provider_name); - appendIfDefined("JFrog Identity Mapping", credential.identity_mapping_name); + appendIfDefined("JFrog Provider", credential["jfrog-oidc-provider-name"]); + appendIfDefined( + "JFrog Identity Mapping", + credential["identity-mapping-name"] + ); appendIfDefined("JFrog Audience", credential.audience); } return result; @@ -122217,22 +122220,22 @@ function getRegistryAddress(registry) { function getAuthConfig(config) { if (isAzureConfig(config)) { return { - tenant_id: config.tenant_id, - client_id: config.client_id + "tenant-id": config["tenant-id"], + "client-id": config["client-id"] }; } else if (isAWSConfig(config)) { return { - aws_region: config.aws_region, - account_id: config.account_id, - role_name: config.role_name, + "aws-region": config["aws-region"], + "account-id": config["account-id"], + "role-name": config["role-name"], domain: config.domain, - domain_owner: config.domain_owner, + "domain-owner": config["domain-owner"], audience: config.audience }; } else if (isJFrogConfig(config)) { return { - jfrog_oidc_provider_name: config.jfrog_oidc_provider_name, - identity_mapping_name: config.identity_mapping_name, + "jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"], + "identity-mapping-name": config["identity-mapping-name"], audience: config.audience }; } else if (isToken(config)) { diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts index 5e5bce6c9..e1d465abc 100644 --- a/src/start-proxy.test.ts +++ b/src/start-proxy.test.ts @@ -351,23 +351,23 @@ test("getCredentials throws an error when non-printable characters are used", as }); const validAzureCredential: startProxyExports.AzureConfig = { - tenant_id: "12345678-1234-1234-1234-123456789012", - client_id: "abcdef01-2345-6789-abcd-ef0123456789", + "tenant-id": "12345678-1234-1234-1234-123456789012", + "client-id": "abcdef01-2345-6789-abcd-ef0123456789", }; const validAwsCredential: startProxyExports.AWSConfig = { - aws_region: "us-east-1", - account_id: "123456789012", - role_name: "MY_ROLE", + "aws-region": "us-east-1", + "account-id": "123456789012", + "role-name": "MY_ROLE", domain: "MY_DOMAIN", - domain_owner: "987654321098", + "domain-owner": "987654321098", audience: "custom-audience", }; const validJFrogCredential: startProxyExports.JFrogConfig = { - jfrog_oidc_provider_name: "MY_PROVIDER", + "jfrog-oidc-provider-name": "MY_PROVIDER", audience: "jfrog-audience", - identity_mapping_name: "my-mapping", + "identity-mapping-name": "my-mapping", }; test("getCredentials throws an error when non-printable characters are used for Azure OIDC", (t) => { diff --git a/src/start-proxy.ts b/src/start-proxy.ts index b95d79d82..270681240 100644 --- a/src/start-proxy.ts +++ b/src/start-proxy.ts @@ -289,22 +289,22 @@ export function getAuthConfig( // which we can use to identify them. if (isAzureConfig(config)) { return { - tenant_id: config.tenant_id, - client_id: config.client_id, + "tenant-id": config["tenant-id"], + "client-id": config["client-id"], } satisfies AzureConfig; } else if (isAWSConfig(config)) { return { - aws_region: config.aws_region, - account_id: config.account_id, - role_name: config.role_name, + "aws-region": config["aws-region"], + "account-id": config["account-id"], + "role-name": config["role-name"], domain: config.domain, - domain_owner: config.domain_owner, + "domain-owner": config["domain-owner"], audience: config.audience, } satisfies AWSConfig; } else if (isJFrogConfig(config)) { return { - jfrog_oidc_provider_name: config.jfrog_oidc_provider_name, - identity_mapping_name: config.identity_mapping_name, + "jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"], + "identity-mapping-name": config["identity-mapping-name"], audience: config.audience, } satisfies JFrogConfig; } else if (isToken(config)) { diff --git a/src/start-proxy/types.test.ts b/src/start-proxy/types.test.ts index ee20e74aa..3efaa3349 100644 --- a/src/start-proxy/types.test.ts +++ b/src/start-proxy/types.test.ts @@ -7,23 +7,23 @@ import * as types from "./types"; setupTests(test); const validAzureCredential: types.AzureConfig = { - tenant_id: "12345678-1234-1234-1234-123456789012", - client_id: "abcdef01-2345-6789-abcd-ef0123456789", + "tenant-id": "12345678-1234-1234-1234-123456789012", + "client-id": "abcdef01-2345-6789-abcd-ef0123456789", }; const validAwsCredential: types.AWSConfig = { - aws_region: "us-east-1", - account_id: "123456789012", - role_name: "MY_ROLE", + "aws-region": "us-east-1", + "account-id": "123456789012", + "role-name": "MY_ROLE", domain: "MY_DOMAIN", - domain_owner: "987654321098", + "domain-owner": "987654321098", audience: "custom-audience", }; const validJFrogCredential: types.JFrogConfig = { - jfrog_oidc_provider_name: "MY_PROVIDER", + "jfrog-oidc-provider-name": "MY_PROVIDER", audience: "jfrog-audience", - identity_mapping_name: "my-mapping", + "identity-mapping-name": "my-mapping", }; test("credentialToStr - pretty-prints valid username+password configurations", (t) => { diff --git a/src/start-proxy/types.ts b/src/start-proxy/types.ts index 0d3bf86c5..58adaf543 100644 --- a/src/start-proxy/types.ts +++ b/src/start-proxy/types.ts @@ -59,29 +59,29 @@ export function isToken( } /** Configuration for Azure OIDC. */ -export type AzureConfig = { tenant_id: string; client_id: string }; +export type AzureConfig = { "tenant-id": string; "client-id": string }; /** Decides whether `config` is an Azure OIDC configuration. */ export function isAzureConfig( config: UnvalidatedObject, ): config is AzureConfig { return ( - "tenant_id" in config && - "client_id" in config && - isDefined(config.tenant_id) && - isDefined(config.client_id) && - json.isString(config.tenant_id) && - json.isString(config.client_id) + "tenant-id" in config && + "client-id" in config && + isDefined(config["tenant-id"]) && + isDefined(config["client-id"]) && + json.isString(config["tenant-id"]) && + json.isString(config["client-id"]) ); } /** Configuration for AWS OIDC. */ export type AWSConfig = { - aws_region: string; - account_id: string; - role_name: string; + "aws-region": string; + "account-id": string; + "role-name": string; domain: string; - domain_owner: string; + "domain-owner": string; audience?: string; }; @@ -91,11 +91,11 @@ export function isAWSConfig( ): config is AWSConfig { // All of these properties are required. const requiredProperties = [ - "aws_region", - "account_id", - "role_name", + "aws-region", + "account-id", + "role-name", "domain", - "domain_owner", + "domain-owner", ]; for (const property of requiredProperties) { @@ -118,30 +118,30 @@ export function isAWSConfig( /** Configuration for JFrog OIDC. */ export type JFrogConfig = { - jfrog_oidc_provider_name: string; + "jfrog-oidc-provider-name": string; audience?: string; - identity_mapping_name?: string; + "identity-mapping-name"?: string; }; /** Decides whether `config` is a JFrog OIDC configuration. */ export function isJFrogConfig( config: UnvalidatedObject, ): config is JFrogConfig { - // The "audience" and "identity_mapping_name" fields are optional, but should be strings if present. + // The "audience" and "identity-mapping-name" fields are optional, but should be strings if present. if ("audience" in config && !json.isStringOrUndefined(config.audience)) { return false; } if ( - "identity_mapping_name" in config && - !json.isStringOrUndefined(config.identity_mapping_name) + "identity-mapping-name" in config && + !json.isStringOrUndefined(config["identity-mapping-name"]) ) { return false; } return ( - "jfrog_oidc_provider_name" in config && - isDefined(config.jfrog_oidc_provider_name) && - json.isString(config.jfrog_oidc_provider_name) + "jfrog-oidc-provider-name" in config && + isDefined(config["jfrog-oidc-provider-name"]) && + json.isString(config["jfrog-oidc-provider-name"]) ); } @@ -189,18 +189,21 @@ export function credentialToStr(credential: Credential): string { } if (isAzureConfig(credential)) { - appendIfDefined("Tenant", credential.tenant_id); - appendIfDefined("Client", credential.client_id); + appendIfDefined("Tenant", credential["tenant-id"]); + appendIfDefined("Client", credential["client-id"]); } else if (isAWSConfig(credential)) { - appendIfDefined("AWS Region", credential.aws_region); - appendIfDefined("AWS Account", credential.account_id); - appendIfDefined("AWS Role", credential.role_name); + appendIfDefined("AWS Region", credential["aws-region"]); + appendIfDefined("AWS Account", credential["account-id"]); + appendIfDefined("AWS Role", credential["role-name"]); appendIfDefined("AWS Domain", credential.domain); - appendIfDefined("AWS Domain Owner", credential.domain_owner); + appendIfDefined("AWS Domain Owner", credential["domain-owner"]); appendIfDefined("AWS Audience", credential.audience); } else if (isJFrogConfig(credential)) { - appendIfDefined("JFrog Provider", credential.jfrog_oidc_provider_name); - appendIfDefined("JFrog Identity Mapping", credential.identity_mapping_name); + appendIfDefined("JFrog Provider", credential["jfrog-oidc-provider-name"]); + appendIfDefined( + "JFrog Identity Mapping", + credential["identity-mapping-name"], + ); appendIfDefined("JFrog Audience", credential.audience); }