npm - @pagopa/dx-cli - Versions diffs - 0.21.5 → 0.21.6 - Mend

@pagopa/dx-cli 0.21.5 → 0.21.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/adapters/azure/__tests__/cloud-account-service.test.js CHANGED Viewed

@@ -285,7 +285,7 @@ describe("initialize", () => {
             principalType: "ServicePrincipal",
             roleDefinitionId: "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
         }));
-        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "bootstrapper-dev-cd", {
+        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "dx-bootstrapper-dev-cd", {
             audiences: ["api://AzureADTokenExchange"],
             issuer: "https://token.actions.githubusercontent.com",
             subject: "repo:pagopa/dx:environment:bootstrapper-dev-cd",
@@ -341,4 +341,38 @@ describe("initialize", () => {
             secretValue: "private-key",
         });
     });
+    test("uses a repository-specific federated credential name", async ({ cloudAccountService, }) => {
+        const createOrUpdateEnvironmentSecret = vi
+            .fn()
+            .mockResolvedValue(undefined);
+        await cloudAccountService.initialize({
+            csp: "azure",
+            defaultLocation: "italynorth",
+            displayName: "Test subscription",
+            id: "sub-1",
+        }, {
+            name: "dev",
+            prefix: "dx",
+        }, {
+            clientId: "app-client-id",
+            id: "app-id",
+            installationId: "installation-id",
+            key: "private-key\n",
+        }, {
+            owner: "pagopa",
+            repo: "dx-playground",
+        }, {
+            createBranch: vi.fn(),
+            createOrUpdateEnvironmentSecret,
+            createPullRequest: vi.fn(),
+            getFileContent: vi.fn(),
+            getRepository: vi.fn(),
+            updateFile: vi.fn(),
+        });
+        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "dx-playground-bootstrapper-dev-cd", {
+            audiences: ["api://AzureADTokenExchange"],
+            issuer: "https://token.actions.githubusercontent.com",
+            subject: "repo:pagopa/dx-playground:environment:bootstrapper-dev-cd",
+        });
+    });
 });

package/dist/adapters/azure/cloud-account-service.js CHANGED Viewed

@@ -199,14 +199,19 @@ export class AzureCloudAccountService {
             })));
             logger.debug("Assigned bootstrap roles to identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
             const githubEnvironmentName = `bootstrapper-${name}-cd`;
-            // Federate the bootstrap identity with the GitHub environment so workflows can exchange their OIDC token for Azure access.
-            await msiClient.federatedIdentityCredentials.createOrUpdate(resourceGroupName, identityName, githubEnvironmentName, {
+            const federatedCredentialName = this.#createFederatedCredentialName({
+                github,
+                githubEnvironmentName,
+            });
+            // Include a repository-derived suffix so different repositories can share
+            // the same bootstrap identity without overwriting each other's OIDC trust.
+            await msiClient.federatedIdentityCredentials.createOrUpdate(resourceGroupName, identityName, federatedCredentialName, {
                 audiences: ["api://AzureADTokenExchange"],
                 issuer: "https://token.actions.githubusercontent.com",
                 subject: `repo:${github.owner}/${github.repo}:environment:${githubEnvironmentName}`,
             });
             logger.debug("Configured federated identity credential {credentialName} for identity {identityName} in subscription {subscriptionId}", {
-                credentialName: githubEnvironmentName,
+                credentialName: federatedCredentialName,
                 identityName,
                 subscriptionId: cloudAccount.id,
             });
@@ -374,6 +379,10 @@ export class AzureCloudAccountService {
         logger.debug("Created key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
         return keyVaultName;
     }
+    #createFederatedCredentialName({ github, githubEnvironmentName, }) {
+        const repoName = github.repo.replaceAll(/[^a-zA-Z0-9-]/g, "-");
+        return `${repoName}-${githubEnvironmentName}`;
+    }
     #createRoleAssignmentName(scope, principalId, roleDefinitionId) {
         const hash = createHash("sha256")
             .update(`${scope}:${principalId}:${roleDefinitionId}`)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.21.5",
+  "version": "0.21.6",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {