diff --git a/utils/runContext.ts b/utils/runContext.ts index c939bbe..cf18fd1 100644 --- a/utils/runContext.ts +++ b/utils/runContext.ts @@ -57,18 +57,24 @@ const defaultRunContext: RunContext = { export async function fetchRunContext(params: { token: string; repoContext: RepoContext; + oidcToken?: string | undefined; }): Promise { const timeoutMs = 30000; const controller = new AbortController(); const timeoutId = setTimeout(() => controller.abort(), timeoutMs); try { + const headers: Record = { + Authorization: `Bearer ${params.token}`, + "Content-Type": "application/json", + }; + if (params.oidcToken) { + headers["X-GitHub-OIDC-Token"] = params.oidcToken; + } + const response = await apiFetch({ path: `/api/repo/${params.repoContext.owner}/${params.repoContext.name}/run-context`, - headers: { - Authorization: `Bearer ${params.token}`, - "Content-Type": "application/json", - }, + headers, signal: controller.signal, }); diff --git a/utils/runContextData.ts b/utils/runContextData.ts index e529cd8..921d5a5 100644 --- a/utils/runContextData.ts +++ b/utils/runContextData.ts @@ -1,3 +1,4 @@ +import * as core from "@actions/core"; import type { Octokit } from "@octokit/rest"; import packageJson from "../package.json" with { type: "json" }; import { log } from "./cli.ts"; @@ -32,9 +33,16 @@ export async function resolveRunContextData( const repoContext = parseRepoContext(); + let oidcToken: string | undefined; + try { + oidcToken = await core.getIDToken("pullfrog-api"); + } catch { + // OIDC not available (local dev, non-actions environment, fork PRs) + } + const [repoResponse, runContext] = await Promise.all([ params.octokit.repos.get({ owner: repoContext.owner, repo: repoContext.name }), - fetchRunContext({ token: params.token, repoContext }), + fetchRunContext({ token: params.token, repoContext, oidcToken }), ]); return { diff --git a/utils/secrets.ts b/utils/secrets.ts index a7bb2e3..772d9dc 100644 --- a/utils/secrets.ts +++ b/utils/secrets.ts @@ -1,10 +1,7 @@ /** - * Secret detection and redaction utilities - * Redacts actual secret values rather than using pattern matching + * Secret detection and env filtering utilities */ -import { getGitHubInstallationToken } from "./token.ts"; - // patterns for sensitive env var names export const SENSITIVE_PATTERNS = [ /_KEY$/i, @@ -47,38 +44,3 @@ export function resolveEnv(mode: EnvMode | undefined): Record