@argos-ci/core 5.3.1 → 6.0.0

package/dist/index.mjs

@@ -1017,28 +1017,116 @@ const chunk = (collection, size) => {
 	return result;
 };
 //#endregion
-//#region src/auth.ts
+//#region src/github-actions-oidc.ts
+/**
+* Check if GitHub Actions OIDC is available for auto-detection.
+*/
+function isGitHubActionsOidcAvailable() {
+	return process.env.GITHUB_ACTIONS === "true" && Boolean(process.env.ACTIONS_ID_TOKEN_REQUEST_URL) && Boolean(process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) && !process.env.ARGOS_TOKEN;
+}
+async function fetchOidcToken(args) {
+	if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) throw new Error(`ACTIONS_ID_TOKEN_REQUEST_URL not found`);
+	if (!process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) throw new Error(`ACTIONS_ID_TOKEN_REQUEST_TOKEN not found`);
+	const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL);
+	url.searchParams.set("audience", args.audience);
+	const response = await fetch(url.toString(), { headers: {
+		Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
+		Accept: "application/json; api-version=2.0",
+		"Content-Type": "application/json"
+	} });
+	if (!response.ok) throw new Error(`Failed to fetch GitHub Actions OIDC token: ${response.status} ${response.statusText}`);
+	const data = await response.json();
+	if (!data.value) throw new Error("Invalid GitHub Actions OIDC token response: missing 'value' field");
+	return data.value;
+}
+/**
+* Exchange a GitHub Actions OIDC token for a short-lived Argos token.
+*/
+async function exchangeGitHubActionsOidcToken(args) {
+	const { apiBaseUrl, config } = args;
+	const audience = new URL(apiBaseUrl).origin;
+	const oidcToken = await fetchOidcToken({ audience });
+	const result = await createClient({ baseUrl: apiBaseUrl }).POST("/auth/github-actions/oidc/exchange", { body: {
+		oidcToken,
+		repository: config.originalRepository ?? void 0,
+		commit: config.commit,
+		branch: config.branch,
+		pullRequestNumber: config.prNumber ?? void 0
+	} });
+	if (result.error) throwAPIError(result.error);
+	return result.data.token;
+}
+//#endregion
+//#region src/github-actions-tokenless.ts
 const base64Encode = (obj) => Buffer.from(JSON.stringify(obj), "utf8").toString("base64");
 /**
-* Get the authentication token.
+* Check if GitHub Actions tokenless authentication is available for auto-detection.
 */
-function getAuthToken(args) {
-	const { token, ciProvider, originalRepository: repository, jobId, runId, prNumber } = args;
-	if (token) return token;
-	switch (ciProvider) {
-		case "github-actions": {
-			if (!repository || !jobId || !runId) throw new Error(`Automatic GitHub Actions variables detection failed. Please add the 'ARGOS_TOKEN'`);
-			const [owner, repo] = repository.split("/");
-			return `tokenless-github-${base64Encode({
-				owner,
-				repository: repo,
-				jobId,
-				runId,
-				prNumber: prNumber ?? void 0
-			})}`;
-		}
-		default: throw new Error("Missing Argos repository token 'ARGOS_TOKEN'");
+function isGitHubActionsTokenlessAvailable(config) {
+	return Boolean(config.ciProvider === "github-actions" && config.prHeadCommit && !process.env.ARGOS_TOKEN);
+}
+/**
+* Build a tokenless GitHub Actions bearer token from the CI environment.
+*/
+function getTokenlessBearerToken(config) {
+	const { originalRepository: repository, jobId, runId, prNumber } = config;
+	if (!repository || !jobId || !runId) throw new Error(`Automatic GitHub Actions variables detection failed. Please set ARGOS_TOKEN.`);
+	const [owner, repo] = repository.split("/");
+	return `tokenless-github-${base64Encode({
+		owner,
+		repository: repo,
+		jobId,
+		runId,
+		prNumber: prNumber ?? void 0
+	})}`;
+}
+/**
+* Exchange a tokenless GitHub Actions bearer token for a short-lived Argos token.
+*/
+async function exchangeGitHubActionsTokenlessToken(args) {
+	const { apiBaseUrl, config } = args;
+	if (!config.prHeadCommit) throw new Error(`GitHub PR head commit is required for tokenless authentication.`);
+	const tokenlessToken = getTokenlessBearerToken(config);
+	const result = await createClient({ baseUrl: apiBaseUrl }).POST("/auth/github-actions/tokenless/exchange", { body: {
+		tokenlessToken,
+		commit: config.prHeadCommit,
+		branch: config.branch
+	} });
+	if (result.error) throwAPIError(result.error);
+	return result.data.token;
+}
+//#endregion
+//#region src/auth.ts
+/**
+* Resolve the Argos authentication token.
+* Priority: ARGOS_TOKEN > GitHub Actions OIDC > GitHub Actions tokenless exchange.
+*/
+async function resolveArgosToken(config) {
+	if (config.token) {
+		debug("Authenticated with ARGOS_TOKEN.");
+		return config.token;
+	}
+	if (isGitHubActionsOidcAvailable()) {
+		const token = await exchangeGitHubActionsOidcToken({
+			apiBaseUrl: config.apiBaseUrl,
+			config
+		});
+		debug("Authenticated with GitHub Actions OIDC.");
+		debug(`Repository: ${config.originalRepository}`);
+		debug(`Run: ${config.runId}`);
+		return token;
+	}
+	if (isGitHubActionsTokenlessAvailable(config)) {
+		const token = await exchangeGitHubActionsTokenlessToken({
+			apiBaseUrl: config.apiBaseUrl,
+			config
+		});
+		debug("Authenticated with GitHub Actions tokenless exchange.");
+		debug(`Repository: ${config.originalRepository}`);
+		debug(`Run: ${config.runId}`);
+		return token;
 	}
+	throw new Error("Missing Argos repository token 'ARGOS_TOKEN'");
 }
 //#endregion
 //#region src/deploy.ts
@@ -1053,7 +1141,7 @@ async function deploy(params) {
 	const { token: _token, ...debugParams } = params;
 	debug("Starting deploy with params", debugParams);
 	const config = await getConfigFromOptions(params);
-	const authToken = getAuthToken(config);
+	const authToken = await resolveArgosToken(config);
 	const apiClient = createClient({
 		baseUrl: config.apiBaseUrl,
 		authToken
@@ -1125,7 +1213,7 @@ async function deploy(params) {
 */
 async function finalize(params) {
 	const config = await readConfig({ parallelNonce: params.parallel?.nonce });
-	const authToken = getAuthToken(config);
+	const authToken = await resolveArgosToken(config);
 	const apiClient = createClient({
 		baseUrl: config.apiBaseUrl,
 		authToken
@@ -1242,7 +1330,7 @@ function getSnapshotMimeType(filepath) {
 */
 async function skip(params) {
 	const [config, argosSdk] = await Promise.all([getConfigFromOptions(params), getArgosCoreSDKIdentifier()]);
-	const authToken = getAuthToken(config);
+	const authToken = await resolveArgosToken(config);
 	const createBuildResponse = await createClient({
 		baseUrl: config.apiBaseUrl,
 		authToken
@@ -1279,7 +1367,7 @@ const CHUNK_SIZE = 10;
 async function upload(params) {
 	debug("Starting upload with params", params);
 	const [config, argosSdk] = await Promise.all([getConfigFromOptions(params), getArgosCoreSDKIdentifier()]);
-	const authToken = getAuthToken(config);
+	const authToken = await resolveArgosToken(config);
 	const apiClient = createClient({
 		baseUrl: config.apiBaseUrl,
 		authToken

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@argos-ci/core",
   "description": "Node.js SDK for visual testing with Argos.",
-  "version": "5.3.1",
+  "version": "6.0.0",
   "type": "module",
   "exports": {
     ".": {
@@ -23,7 +23,7 @@
     "url": "https://github.com/argos-ci/argos-javascript/issues"
   },
   "engines": {
-    "node": ">=20.0.0"
+    "node": ">=22.0.0"
   },
   "license": "MIT",
   "keywords": [
@@ -39,8 +39,8 @@
     "access": "public"
   },
   "dependencies": {
-    "@argos-ci/api-client": "0.19.0",
-    "@argos-ci/util": "3.4.0",
+    "@argos-ci/api-client": "0.20.0",
+    "@argos-ci/util": "4.0.0",
     "convict": "^6.2.5",
     "debug": "^4.4.3",
     "fast-glob": "^3.3.3",
@@ -56,7 +56,7 @@
     "@types/node": "catalog:",
     "@types/tmp": "^0.2.6",
     "@vercel/repository-dispatch": "^0.1.0",
-    "msw": "^2.12.14",
+    "msw": "^2.14.5",
     "vitest": "catalog:"
   },
   "scripts": {
@@ -67,5 +67,5 @@
     "lint": "eslint .",
     "test": "vitest"
   },
-  "gitHead": "42a0f0da3b0ebae3e86f01a07cfdf5c320057f00"
+  "gitHead": "357c71173989a18d98767bb8811272cb46ecf937"
 }