run402 1.54.3 → 1.55.0
- package/README.md +28 -0
- package/cli.mjs +7 -0
- package/core-dist/allowance-auth.js +42 -22
- package/lib/argparse.mjs +41 -0
- package/lib/ci.mjs +395 -0
- package/lib/deploy-v2.mjs +152 -6
- package/lib/functions.mjs +3 -20
- package/lib/projects.mjs +5 -3
- package/lib/sdk.mjs +2 -2
- package/lib/secrets.mjs +2 -0
- package/lib/subdomains.mjs +20 -4
- package/package.json +1 -1
- package/sdk/core-dist/allowance-auth.js +42 -22
- package/sdk/dist/ci-credentials.d.ts +22 -0
- package/sdk/dist/ci-credentials.d.ts.map +1 -0
- package/sdk/dist/ci-credentials.js +103 -0
- package/sdk/dist/ci-credentials.js.map +1 -0
- package/sdk/dist/index.d.ts +6 -0
- package/sdk/dist/index.d.ts.map +1 -1
- package/sdk/dist/index.js +5 -0
- package/sdk/dist/index.js.map +1 -1
- package/sdk/dist/namespaces/ci.d.ts +21 -0
- package/sdk/dist/namespaces/ci.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.js +253 -0
- package/sdk/dist/namespaces/ci.js.map +1 -0
- package/sdk/dist/namespaces/ci.types.d.ts +91 -0
- package/sdk/dist/namespaces/ci.types.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.types.js +8 -0
- package/sdk/dist/namespaces/ci.types.js.map +1 -0
- package/sdk/dist/namespaces/deploy.d.ts.map +1 -1
- package/sdk/dist/namespaces/deploy.js +45 -21
- package/sdk/dist/namespaces/deploy.js.map +1 -1
- package/sdk/dist/node/ci.d.ts +12 -0
- package/sdk/dist/node/ci.d.ts.map +1 -0
- package/sdk/dist/node/ci.js +30 -0
- package/sdk/dist/node/ci.js.map +1 -0
- package/sdk/dist/node/index.d.ts +7 -2
- package/sdk/dist/node/index.d.ts.map +1 -1
- package/sdk/dist/node/index.js +3 -2
- package/sdk/dist/node/index.js.map +1 -1
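--- a/package/sdk/dist/index.js
+++ b/package/sdk/dist/index.js
@@ -25,6 +25,7 @@ import { Email } from "./namespaces/email.js";
 import { Contracts } from "./namespaces/contracts.js";
 import { Admin } from "./namespaces/admin.js";
 import { Deploy } from "./namespaces/deploy.js";
+import { Ci } from "./namespaces/ci.js";
 import { ScopedRun402 } from "./scoped.js";
 import { LocalError } from "./errors.js";
 export class Run402 {
@@ -48,6 +49,7 @@ export class Run402 {
 contracts;
 admin;
 deploy;
+ci;
 #client;
 constructor(opts) {
 if (!opts || typeof opts !== "object") {
@@ -93,6 +95,7 @@ export class Run402 {
 this.contracts = new Contracts(client);
 this.admin = new Admin(client);
 this.deploy = new Deploy(client);
+this.ci = new Ci(client);
 }
 /**
 * Return a project-scoped sub-client where every project-id-bearing namespace
@@ -171,6 +174,8 @@ export function run402(opts) {
 }
 export { Run402Error, PaymentRequired, ProjectNotFound, Unauthorized, ApiError, NetworkError, LocalError, Run402DeployError, isRun402Error, isPaymentRequired, isProjectNotFound, isUnauthorized, isApiError, isNetworkError, isLocalError, isDeployError, isRetryableRun402Error, } from "./errors.js";
 export { withRetry } from "./retry.js";
+export { CI_SESSION_CREDENTIALS, createCiSessionCredentials, githubActionsCredentials, isCiSessionCredentials, } from "./ci-credentials.js";
 export { Deploy } from "./namespaces/deploy.js";
+export { Ci, CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, assertCiDeployableSpec, buildCiDelegationResourceUri, buildCiDelegationStatement, normalizeCiDelegationValues, validateCiNonce, validateCiSubjectMatch, } from "./namespaces/ci.js";
 export { ScopedRun402 } from "./scoped.js";
 //# sourceMappingURL=index.js.map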
package/sdk/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAkC,MAAM,aAAa,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAkC,MAAM,aAAa,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AAExC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAezC,MAAM,OAAO,MAAM;IACR,QAAQ,CAAW;IACnB,KAAK,CAAQ;IACb,SAAS,CAAY;IACrB,OAAO,CAAU;IACjB,UAAU,CAAa;IACvB,OAAO,CAAU;IACjB,KAAK,CAAQ;IACb,OAAO,CAAU;IACjB,IAAI,CAAO;IACX,SAAS,CAAY;IACrB,EAAE,CAAK;IACP,KAAK,CAAM;IACX,IAAI,CAAO;IACX,YAAY,CAAe;IAC3B,OAAO,CAAU;IACjB,IAAI,CAAO;IACX,KAAK,CAAQ;IACb,SAAS,CAAY;IACrB,KAAK,CAAQ;IACb,MAAM,CAAS;IACf,EAAE,CAAK;IAEP,OAAO,CAAS;IAEzB,YAAY,IAAmB;QAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,UAAU,CAClB,mCAAmC,EACnC,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtD,MAAM,IAAI,UAAU,CAClB,mDAAmD,EACnD,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,gKAAgK,EAChK,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IACE,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,KAAK,UAAU;YAC9C,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,KAAK,UAAU,EACjD,CAAC;YACD,MAAM,IAAI,UAAU,CAClB,+EAA+E,EAC/E,qBA
AqB,CACtB,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAiB;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;YACtD,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;QACF,MAAM,MAAM,GAAW,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,QAAQ,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QACzB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE;YACnC,KAAK,EAAE,IAAI,CAAC,EAAE;YACd,UAAU,EAAE,KAAK;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,OAAO,CAAC,EAAW;QACvB,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC;YACzD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,UAAU,CAClB,yIAAyI,EACzI,2BAA2B,CAC5B,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,UAAU,CAClB,yIAAyI,EACzI,2BAA2B,CAC5B,CAAC;YACJ,CAAC;YACD,UAAU,GAAG,MA
AM,CAAC;QACtB,CAAC;QACD,OAAO,IAAI,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;CACF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,KAAK,CAAC,MAAqC;IACzD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,IAAmB;IACxC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AAMrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAM7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
/** CI/OIDC federation namespace and canonical delegation helpers. */
|
|
2
|
+
import type { Client } from "../kernel.js";
|
|
3
|
+
import type { PlanRequest, ReleaseSpec } from "./deploy.types.js";
|
|
4
|
+
import type { CiBindingRow, CiCreateBindingInput, CiDelegationValues, CiListBindingsInput, CiListBindingsResult, CiTokenExchangeInput, CiTokenExchangeResponse, NormalizedCiDelegationValues } from "./ci.types.js";
|
|
5
|
+
export { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, } from "./ci.types.js";
|
|
6
|
+
export declare class Ci {
|
|
7
|
+
private readonly client;
|
|
8
|
+
constructor(client: Client);
|
|
9
|
+
createBinding(input: CiCreateBindingInput): Promise<CiBindingRow>;
|
|
10
|
+
listBindings(input: CiListBindingsInput): Promise<CiListBindingsResult>;
|
|
11
|
+
getBinding(bindingId: string): Promise<CiBindingRow>;
|
|
12
|
+
revokeBinding(bindingId: string): Promise<CiBindingRow>;
|
|
13
|
+
exchangeToken(input: CiTokenExchangeInput): Promise<CiTokenExchangeResponse>;
|
|
14
|
+
}
|
|
15
|
+
export declare function normalizeCiDelegationValues(values: CiDelegationValues): NormalizedCiDelegationValues;
|
|
16
|
+
export declare function buildCiDelegationStatement(values: CiDelegationValues): string;
|
|
17
|
+
export declare function buildCiDelegationResourceUri(values: CiDelegationValues): string;
|
|
18
|
+
export declare function validateCiSubjectMatch(subject: string): string;
|
|
19
|
+
export declare function validateCiNonce(nonce: string): string;
|
|
20
|
+
export declare function assertCiDeployableSpec(specOrPlanBody: ReleaseSpec | PlanRequest | unknown): void;
|
|
21
|
+
//# sourceMappingURL=ci.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci.d.ts","sourceRoot":"","sources":["../../src/namespaces/ci.ts"],"names":[],"mappings":"AAAA,qEAAqE;AAErE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAClE,OAAO,KAAK,EACV,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EAEpB,uBAAuB,EACvB,4BAA4B,EAC7B,MAAM,eAAe,CAAC;AAUvB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,GAC7B,MAAM,eAAe,CAAC;AAkBvB,qBAAa,EAAE;IACD,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAErC,aAAa,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC;IA+BjE,YAAY,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAcvE,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAUpD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAUvD,aAAa,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAoBnF;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,kBAAkB,GACzB,4BAA4B,CA4B9B;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CA2B7E;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAuB/E;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CA6B9D;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQrD;AAED,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,IAAI,CA4BhG"}
|
|
@@ -0,0 +1,253 @@
|
|
|
1
|
+
/** CI/OIDC federation namespace and canonical delegation helpers. */
|
|
2
|
+
import { LocalError, Run402DeployError } from "../errors.js";
|
|
3
|
+
import { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, } from "./ci.types.js";
|
|
4
|
+
export { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, } from "./ci.types.js";
|
|
5
|
+
const TOKEN_EXCHANGE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
|
|
6
|
+
const TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
|
|
7
|
+
const MAX_SUBJECT_MATCH_CHARS = 256;
|
|
8
|
+
const MAX_RESOURCE_URI_BYTES = 4096;
|
|
9
|
+
const MAX_STATEMENT_BYTES = 8192;
|
|
10
|
+
const NONCE_RE = /^[0-9a-f]{16,64}$/;
|
|
11
|
+
const CI_DEPLOY_SPEC_ALLOWED_KEYS = new Set([
|
|
12
|
+
"project",
|
|
13
|
+
"database",
|
|
14
|
+
"functions",
|
|
15
|
+
"site",
|
|
16
|
+
"base",
|
|
17
|
+
]);
|
|
18
|
+
export class Ci {
|
|
19
|
+
client;
|
|
20
|
+
constructor(client) {
|
|
21
|
+
this.client = client;
|
|
22
|
+
}
|
|
23
|
+
async createBinding(input) {
|
|
24
|
+
if (input?.provider !== CI_GITHUB_ACTIONS_PROVIDER) {
|
|
25
|
+
throw new LocalError('ci.createBinding provider must be "github-actions" in v1', "creating CI binding");
|
|
26
|
+
}
|
|
27
|
+
if (!input.signed_delegation) {
|
|
28
|
+
throw new LocalError("ci.createBinding requires signed_delegation", "creating CI binding");
|
|
29
|
+
}
|
|
30
|
+
const values = normalizeCiDelegationValues(input);
|
|
31
|
+
return this.client.request("/ci/v1/bindings", {
|
|
32
|
+
method: "POST",
|
|
33
|
+
body: {
|
|
34
|
+
project_id: values.project_id,
|
|
35
|
+
provider: input.provider,
|
|
36
|
+
subject_match: values.subject_match,
|
|
37
|
+
allowed_actions: values.allowed_actions,
|
|
38
|
+
allowed_events: values.allowed_events,
|
|
39
|
+
github_repository_id: values.github_repository_id,
|
|
40
|
+
expires_at: values.expires_at,
|
|
41
|
+
nonce: values.nonce,
|
|
42
|
+
signed_delegation: input.signed_delegation,
|
|
43
|
+
},
|
|
44
|
+
context: "creating CI binding",
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
async listBindings(input) {
|
|
48
|
+
if (!input?.project) {
|
|
49
|
+
throw new LocalError("ci.listBindings requires { project }", "listing CI bindings");
|
|
50
|
+
}
|
|
51
|
+
const qs = new URLSearchParams({ project: input.project });
|
|
52
|
+
return this.client.request(`/ci/v1/bindings?${qs.toString()}`, { context: "listing CI bindings" });
|
|
53
|
+
}
|
|
54
|
+
async getBinding(bindingId) {
|
|
55
|
+
if (!bindingId) {
|
|
56
|
+
throw new LocalError("ci.getBinding requires a binding id", "getting CI binding");
|
|
57
|
+
}
|
|
58
|
+
return this.client.request(`/ci/v1/bindings/${encodeURIComponent(bindingId)}`, { context: "getting CI binding" });
|
|
59
|
+
}
|
|
60
|
+
async revokeBinding(bindingId) {
|
|
61
|
+
if (!bindingId) {
|
|
62
|
+
throw new LocalError("ci.revokeBinding requires a binding id", "revoking CI binding");
|
|
63
|
+
}
|
|
64
|
+
return this.client.request(`/ci/v1/bindings/${encodeURIComponent(bindingId)}/revoke`, { method: "POST", context: "revoking CI binding" });
|
|
65
|
+
}
|
|
66
|
+
async exchangeToken(input) {
|
|
67
|
+
if (!input?.project_id || !input.subject_token) {
|
|
68
|
+
throw new LocalError("ci.exchangeToken requires { project_id, subject_token }", "exchanging CI OIDC token");
|
|
69
|
+
}
|
|
70
|
+
const body = {
|
|
71
|
+
grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
|
|
72
|
+
subject_token: input.subject_token,
|
|
73
|
+
subject_token_type: TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE,
|
|
74
|
+
project_id: input.project_id,
|
|
75
|
+
};
|
|
76
|
+
return this.client.request("/ci/v1/token-exchange", {
|
|
77
|
+
method: "POST",
|
|
78
|
+
body,
|
|
79
|
+
withAuth: false,
|
|
80
|
+
context: "exchanging CI OIDC token",
|
|
81
|
+
});
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
export function normalizeCiDelegationValues(values) {
|
|
85
|
+
if (!values || typeof values !== "object") {
|
|
86
|
+
throw new LocalError("CI delegation values must be an object", "validating CI delegation");
|
|
87
|
+
}
|
|
88
|
+
if (!values.project_id) {
|
|
89
|
+
throw new LocalError("CI delegation project_id is required", "validating CI delegation");
|
|
90
|
+
}
|
|
91
|
+
const subject_match = validateCiSubjectMatch(values.subject_match);
|
|
92
|
+
const nonce = validateCiNonce(values.nonce);
|
|
93
|
+
const allowed_actions = normalizeAllowedActions(values.allowed_actions);
|
|
94
|
+
const allowed_events = normalizeAllowedList(values.allowed_events, "allowed_events");
|
|
95
|
+
if (allowed_events.length === 0) {
|
|
96
|
+
throw new LocalError("CI delegation allowed_events must contain at least one event", "validating CI delegation");
|
|
97
|
+
}
|
|
98
|
+
return {
|
|
99
|
+
project_id: values.project_id,
|
|
100
|
+
issuer: values.issuer ?? CI_GITHUB_ACTIONS_ISSUER,
|
|
101
|
+
audience: values.audience ?? CI_AUDIENCE,
|
|
102
|
+
subject_match,
|
|
103
|
+
allowed_actions,
|
|
104
|
+
allowed_events,
|
|
105
|
+
expires_at: values.expires_at ?? null,
|
|
106
|
+
github_repository_id: values.github_repository_id ?? null,
|
|
107
|
+
nonce,
|
|
108
|
+
};
|
|
109
|
+
}
|
|
110
|
+
export function buildCiDelegationStatement(values) {
|
|
111
|
+
const v = normalizeCiDelegationValues(values);
|
|
112
|
+
const statement = [
|
|
113
|
+
`Authorize GitHub Actions workflows whose OIDC subject matches ${v.subject_match} to deploy to run402 project ${v.project_id}.`,
|
|
114
|
+
"",
|
|
115
|
+
"The workflows can:",
|
|
116
|
+
" - deploy function code that runs with this project's runtime authority, including the project's service-role key, the adminDb() bypass-RLS surface, and configured runtime secrets read via process.env;",
|
|
117
|
+
" - deploy database migrations, RLS/expose changes, and schema-altering SQL via spec.database.",
|
|
118
|
+
"",
|
|
119
|
+
"The workflows cannot directly call secrets, domain, subdomain, lifecycle, billing, contracts, or faucet endpoints. They cannot ship spec.secrets, spec.subdomains, spec.routes, spec.checks, or non-current spec.base.",
|
|
120
|
+
"",
|
|
121
|
+
`Audience: ${v.audience}`,
|
|
122
|
+
`Allowed events: ${v.allowed_events.join(",")}`,
|
|
123
|
+
`Repository ID: ${v.github_repository_id ?? "none-soft-bound"}`,
|
|
124
|
+
`Expires: ${v.expires_at ?? "never"}`,
|
|
125
|
+
`Nonce: ${v.nonce}`,
|
|
126
|
+
"",
|
|
127
|
+
"Revoke at any time via the run402 CLI or POST /ci/v1/bindings/:id/revoke. Revocation stops future CI gateway requests but does not undo already-deployed code, stop in-flight deploy operations, rotate exfiltrated keys, or remove deployed functions. Recovery from a compromise: revoke the binding, then SIWE-deploy a known-good release that overwrites the malicious code, and rotate any service-role key the deployed code may have read.",
|
|
128
|
+
].join("\n");
|
|
129
|
+
if (new TextEncoder().encode(statement).byteLength > MAX_STATEMENT_BYTES) {
|
|
130
|
+
throw new LocalError(`CI delegation Statement exceeds ${MAX_STATEMENT_BYTES} bytes`, "building CI delegation statement");
|
|
131
|
+
}
|
|
132
|
+
return statement;
|
|
133
|
+
}
|
|
134
|
+
export function buildCiDelegationResourceUri(values) {
|
|
135
|
+
const v = normalizeCiDelegationValues(values);
|
|
136
|
+
const parts = [
|
|
137
|
+
`project_id=${encodeRfc3986(v.project_id)}`,
|
|
138
|
+
`issuer=${encodeRfc3986(v.issuer)}`,
|
|
139
|
+
`audience=${encodeRfc3986(v.audience)}`,
|
|
140
|
+
`subject_match=${encodeRfc3986(v.subject_match)}`,
|
|
141
|
+
`allowed_actions=${v.allowed_actions.map(encodeRfc3986).join(",")}`,
|
|
142
|
+
`allowed_events=${v.allowed_events.map(encodeRfc3986).join(",")}`,
|
|
143
|
+
];
|
|
144
|
+
if (v.expires_at !== null)
|
|
145
|
+
parts.push(`expires_at=${encodeRfc3986(v.expires_at)}`);
|
|
146
|
+
if (v.github_repository_id !== null) {
|
|
147
|
+
parts.push(`github_repository_id=${encodeRfc3986(v.github_repository_id)}`);
|
|
148
|
+
}
|
|
149
|
+
parts.push(`nonce=${encodeRfc3986(v.nonce)}`);
|
|
150
|
+
const uri = `run402-ci-delegation:v1?${parts.join("&")}`;
|
|
151
|
+
if (new TextEncoder().encode(uri).byteLength > MAX_RESOURCE_URI_BYTES) {
|
|
152
|
+
throw new LocalError(`CI delegation Resource URI exceeds ${MAX_RESOURCE_URI_BYTES} bytes`, "building CI delegation resource URI");
|
|
153
|
+
}
|
|
154
|
+
return uri;
|
|
155
|
+
}
|
|
156
|
+
export function validateCiSubjectMatch(subject) {
|
|
157
|
+
if (typeof subject !== "string" || subject.length === 0) {
|
|
158
|
+
throw new LocalError("CI subject_match must be a non-empty string", "validating CI subject");
|
|
159
|
+
}
|
|
160
|
+
if (subject.length > MAX_SUBJECT_MATCH_CHARS) {
|
|
161
|
+
throw new LocalError(`CI subject_match must be ${MAX_SUBJECT_MATCH_CHARS} characters or fewer`, "validating CI subject");
|
|
162
|
+
}
|
|
163
|
+
if (/[\x00-\x1f\x7f]/.test(subject)) {
|
|
164
|
+
throw new LocalError("CI subject_match must not contain control characters", "validating CI subject");
|
|
165
|
+
}
|
|
166
|
+
const firstWildcard = subject.indexOf("*");
|
|
167
|
+
if (firstWildcard >= 0) {
|
|
168
|
+
if (subject === "*") {
|
|
169
|
+
throw new LocalError("CI subject_match cannot be a bare wildcard", "validating CI subject");
|
|
170
|
+
}
|
|
171
|
+
if (firstWildcard !== subject.length - 1) {
|
|
172
|
+
throw new LocalError("CI subject_match wildcard is only allowed as the final character", "validating CI subject");
|
|
173
|
+
}
|
|
174
|
+
if (subject.indexOf("*", firstWildcard + 1) >= 0) {
|
|
175
|
+
throw new LocalError("CI subject_match can contain at most one wildcard", "validating CI subject");
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
return subject;
|
|
179
|
+
}
|
|
180
|
+
export function validateCiNonce(nonce) {
|
|
181
|
+
if (typeof nonce !== "string" || !NONCE_RE.test(nonce)) {
|
|
182
|
+
throw new LocalError("CI delegation nonce must be lowercase hex between 16 and 64 characters", "validating CI nonce");
|
|
183
|
+
}
|
|
184
|
+
return nonce;
|
|
185
|
+
}
|
|
186
|
+
export function assertCiDeployableSpec(specOrPlanBody) {
|
|
187
|
+
const { spec, manifestRef } = unwrapSpecOrPlanBody(specOrPlanBody);
|
|
188
|
+
if (manifestRef !== undefined && manifestRef !== null) {
|
|
189
|
+
throwCiDeploySpecError("manifest_ref", "CI deploys must use inline specs under the gateway body cap; manifest_ref is not allowed.");
|
|
190
|
+
}
|
|
191
|
+
if (!spec || typeof spec !== "object" || Array.isArray(spec)) {
|
|
192
|
+
throwCiDeploySpecError("spec", "CI deploy requires a ReleaseSpec object.");
|
|
193
|
+
}
|
|
194
|
+
const obj = spec;
|
|
195
|
+
for (const key of Object.keys(obj)) {
|
|
196
|
+
if (!CI_DEPLOY_SPEC_ALLOWED_KEYS.has(key)) {
|
|
197
|
+
throwCiDeploySpecError(key, `CI deploy cannot ship spec.${key}; only project, database, functions, site, and base:{release:"current"} are allowed.`);
|
|
198
|
+
}
|
|
199
|
+
}
|
|
200
|
+
if (Object.prototype.hasOwnProperty.call(obj, "base") && !isCurrentBase(obj.base)) {
|
|
201
|
+
throwCiDeploySpecError("base", 'CI deploy base must be absent or exactly { release: "current" }.');
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
function normalizeAllowedActions(values) {
|
|
205
|
+
const actions = normalizeAllowedList(values, "allowed_actions");
|
|
206
|
+
if (actions.length !== 1 || actions[0] !== "deploy") {
|
|
207
|
+
throw new LocalError('CI delegation allowed_actions must be exactly ["deploy"] in v1', "validating CI delegation");
|
|
208
|
+
}
|
|
209
|
+
return ["deploy"];
|
|
210
|
+
}
|
|
211
|
+
function normalizeAllowedList(values, field) {
|
|
212
|
+
if (!Array.isArray(values)) {
|
|
213
|
+
throw new LocalError(`CI delegation ${field} must be an array`, "validating CI delegation");
|
|
214
|
+
}
|
|
215
|
+
const cleaned = values.map((value) => {
|
|
216
|
+
if (typeof value !== "string" || value.length === 0) {
|
|
217
|
+
throw new LocalError(`CI delegation ${field} must contain only non-empty strings`, "validating CI delegation");
|
|
218
|
+
}
|
|
219
|
+
return value;
|
|
220
|
+
});
|
|
221
|
+
return Array.from(new Set(cleaned)).sort();
|
|
222
|
+
}
|
|
223
|
+
function encodeRfc3986(value) {
|
|
224
|
+
return encodeURIComponent(value).replace(/[!'()*]/g, (char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`);
|
|
225
|
+
}
|
|
226
|
+
function unwrapSpecOrPlanBody(value) {
|
|
227
|
+
if (value &&
|
|
228
|
+
typeof value === "object" &&
|
|
229
|
+
!Array.isArray(value) &&
|
|
230
|
+
"spec" in value &&
|
|
231
|
+
!("project" in value)) {
|
|
232
|
+
const body = value;
|
|
233
|
+
return { spec: body.spec, manifestRef: body.manifest_ref };
|
|
234
|
+
}
|
|
235
|
+
return { spec: value };
|
|
236
|
+
}
|
|
237
|
+
function isCurrentBase(value) {
|
|
238
|
+
if (!value || typeof value !== "object" || Array.isArray(value))
|
|
239
|
+
return false;
|
|
240
|
+
const obj = value;
|
|
241
|
+
const keys = Object.keys(obj);
|
|
242
|
+
return keys.length === 1 && obj.release === "current";
|
|
243
|
+
}
|
|
244
|
+
function throwCiDeploySpecError(resource, message) {
|
|
245
|
+
throw new Run402DeployError(message, {
|
|
246
|
+
code: "forbidden_spec_field",
|
|
247
|
+
phase: "validate",
|
|
248
|
+
resource,
|
|
249
|
+
retryable: false,
|
|
250
|
+
context: "validating CI deploy spec",
|
|
251
|
+
});
|
|
252
|
+
}
|
|
253
|
+
//# sourceMappingURL=ci.js.map
|
|
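Review bot: `normalizeCiDelegationValues` checks `project_id` only for truthiness and passes `issuer`, `audience`, `expires_at`, `github_repository_id` and the individual `allowed_events` entries through with no type or control-character check, although `buildCiDelegationStatement` interpolates them into newline-joined text; only `subject_match` is screened with `/[\x00-\x1f\x7f]/`. If that statement is the text the wallet owner reads and signs (the `signed_delegation` field suggests so, but the signing code is not in this file), a value containing a line break would add lines to the consent text, and an event name containing a comma makes the `Allowed events:` line ambiguous. The resource URI is not affected, because every part goes through `encodeRfc3986`. I would run each interpolated field through one shared plain-string check before it is returned, as sketched below; `expires_at` and `github_repository_id` need the equivalent according to their declared types, which live in `ci.types.js` outside this page.

```javascript
// new private helper, next to normalizeAllowedList
function assertCiPlainString(value, field) {
    if (typeof value !== "string" || value.length === 0 || /[\x00-\x1f\x7f]/.test(value)) {
        throw new LocalError(`CI delegation ${field} must be a non-empty string without control characters`, "validating CI delegation");
    }
    return value;
}

export function normalizeCiDelegationValues(values) {
    // … unchanged: object check, subject_match, nonce, allowed_actions, allowed_events …
    const project_id = assertCiPlainString(values.project_id, "project_id");
    const issuer = assertCiPlainString(values.issuer ?? CI_GITHUB_ACTIONS_ISSUER, "issuer");
    const audience = assertCiPlainString(values.audience ?? CI_AUDIENCE, "audience");
    for (const event of allowed_events) {
        // the statement joins events with ",", so a comma inside one entry is ambiguous
        if (assertCiPlainString(event, "allowed_events").includes(",")) {
            throw new LocalError("CI delegation allowed_events entries must not contain commas", "validating CI delegation");
        }
    }
    // … unchanged: returned object, now built from project_id, issuer and audience …
```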
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci.js","sourceRoot":"","sources":["../../src/namespaces/ci.ts"],"names":[],"mappings":"AAAA,qEAAqE;AAGrE,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAa7D,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,0BAA0B,GAI3B,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,GAC7B,MAAM,eAAe,CAAC;AAEvB,MAAM,yBAAyB,GAC7B,iDAA0D,CAAC;AAC7D,MAAM,iCAAiC,GACrC,sCAA+C,CAAC;AAClD,MAAM,uBAAuB,GAAG,GAAG,CAAC;AACpC,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC;AACjC,MAAM,QAAQ,GAAG,mBAAmB,CAAC;AACrC,MAAM,2BAA2B,GAAG,IAAI,GAAG,CAAC;IAC1C,SAAS;IACT,UAAU;IACV,WAAW;IACX,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,OAAO,EAAE;IACgB;IAA7B,YAA6B,MAAc;QAAd,WAAM,GAAN,MAAM,CAAQ;IAAG,CAAC;IAE/C,KAAK,CAAC,aAAa,CAAC,KAA2B;QAC7C,IAAI,KAAK,EAAE,QAAQ,KAAK,0BAA0B,EAAE,CAAC;YACnD,MAAM,IAAI,UAAU,CAClB,0DAA0D,EAC1D,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC7B,MAAM,IAAI,UAAU,CAClB,6CAA6C,EAC7C,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,2BAA2B,CAAC,KAAK,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAe,iBAAiB,EAAE;YAC1D,MAAM,EAAE,MAAM;YACd,IAAI,EAAE;gBACJ,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;gBACjD,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;aAC3C;YACD,OAAO,EAAE,qBAAqB;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA0B;QAC3C,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,UAAU,CAClB,sCAAsC,EACtC,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CACxB,mBAAmB,EAAE,CAAC,QAAQ,EAAE,EAAE,EAClC,EAAE,OAAO,EAAE,qBAAqB,EAAE,CACnC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,UAAU,CAAC,qCAAqC,EAAE,oBAAoB,CAAC,CAAC;QACpF,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CACxB,mBAAmB,kB
AAkB,CAAC,SAAS,CAAC,EAAE,EAClD,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAClC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,UAAU,CAAC,wCAAwC,EAAE,qBAAqB,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CACxB,mBAAmB,kBAAkB,CAAC,SAAS,CAAC,SAAS,EACzD,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,qBAAqB,EAAE,CACnD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA2B;QAC7C,IAAI,CAAC,KAAK,EAAE,UAAU,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YAC/C,MAAM,IAAI,UAAU,CAClB,yDAAyD,EACzD,0BAA0B,CAC3B,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAA+B;YACvC,UAAU,EAAE,yBAAyB;YACrC,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,kBAAkB,EAAE,iCAAiC;YACrD,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,CAAC;QACF,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAA0B,uBAAuB,EAAE;YAC3E,MAAM,EAAE,MAAM;YACd,IAAI;YACJ,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,0BAA0B;SACpC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,2BAA2B,CACzC,MAA0B;IAE1B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,UAAU,CAAC,wCAAwC,EAAE,0BAA0B,CAAC,CAAC;IAC7F,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,IAAI,UAAU,CAAC,sCAAsC,EAAE,0BAA0B,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,aAAa,GAAG,sBAAsB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,uBAAuB,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,oBAAoB,CAAC,MAAM,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;IACrF,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAClB,8DAA8D,EAC9D,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,wBAAwB;QACjD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,WAAW;QACxC,aAAa;QACb,eAAe;QACf,cAAc;QACd,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;QACrC,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,IAAI;QACzD,KAAK;KACN,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,MAA0B;IACnE,MAAM,CAAC,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG;QAChB,iEAAiE,CAAC,CAAC,aAAa,gCAAgC,CAAC,CAAC,UAAU,GAAG;QAC/H,EAAE;QACF,oBAAoB;QACpB,4MAA4M;QAC5M,gGAAgG;QAChG,EAAE;QACF,wNAAwN;QACxN,EAAE;QACF,aAAa,CAAC,CAAC,QAAQ,EAAE;QACzB,mBAAmB,CAAC,CAAC,
cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QAC/C,kBAAkB,CAAC,CAAC,oBAAoB,IAAI,iBAAiB,EAAE;QAC/D,YAAY,CAAC,CAAC,UAAU,IAAI,OAAO,EAAE;QACrC,UAAU,CAAC,CAAC,KAAK,EAAE;QACnB,EAAE;QACF,obAAob;KACrb,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,IAAI,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,GAAG,mBAAmB,EAAE,CAAC;QACzE,MAAM,IAAI,UAAU,CAClB,mCAAmC,mBAAmB,QAAQ,EAC9D,kCAAkC,CACnC,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAA0B;IACrE,MAAM,CAAC,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG;QACZ,cAAc,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE;QAC3C,UAAU,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE;QACnC,YAAY,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE;QACvC,iBAAiB,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,EAAE;QACjD,mBAAmB,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QACnE,kBAAkB,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;KAClE,CAAC;IACF,IAAI,CAAC,CAAC,UAAU,KAAK,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IACnF,IAAI,CAAC,CAAC,oBAAoB,KAAK,IAAI,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,wBAAwB,aAAa,CAAC,CAAC,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,2BAA2B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IACzD,IAAI,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,UAAU,GAAG,sBAAsB,EAAE,CAAC;QACtE,MAAM,IAAI,UAAU,CAClB,sCAAsC,sBAAsB,QAAQ,EACpE,qCAAqC,CACtC,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,UAAU,CAAC,6CAA6C,EAAE,uBAAuB,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,uBAAuB,EAAE,CAAC;QAC7C,MAAM,IAAI,UAAU,CAClB,4BAA4B,uBAAuB,sBAAsB,EACzE,uBAAuB,CACxB,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,UAAU,CAAC,sDAAsD,EAAE,uBAAuB,CAAC,CAAC;IACxG,CAAC;IACD,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;QACvB,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;YA
CpB,MAAM,IAAI,UAAU,CAAC,4CAA4C,EAAE,uBAAuB,CAAC,CAAC;QAC9F,CAAC;QACD,IAAI,aAAa,KAAK,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,UAAU,CAClB,kEAAkE,EAClE,uBAAuB,CACxB,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,UAAU,CAAC,mDAAmD,EAAE,uBAAuB,CAAC,CAAC;QACrG,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,UAAU,CAClB,wEAAwE,EACxE,qBAAqB,CACtB,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,cAAmD;IACxF,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IACnE,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACtD,sBAAsB,CACpB,cAAc,EACd,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,sBAAsB,CAAC,MAAM,EAAE,0CAA0C,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,GAAG,GAAG,IAA+B,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,2BAA2B,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,sBAAsB,CACpB,GAAG,EACH,8BAA8B,GAAG,sFAAsF,CACxH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAClF,sBAAsB,CACpB,MAAM,EACN,kEAAkE,CACnE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,MAAqC;IACpE,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,UAAU,CAClB,gEAAgE,EAChE,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,QAAQ,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAqC,EAAE,KAAa;IAChF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,UAAU,CAAC,iBAAiB,KAAK,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,UAAU,CAClB,iBAAiB,KAAK,sCAAsC,EAC5D,0BA
A0B,CAC3B,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAC5D,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CACpD,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,KAA0C;IAE1C,IACE,KAAK;QACL,OAAO,KAAK,KAAK,QAAQ;QACzB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACrB,MAAM,IAAI,KAAK;QACf,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,EACrB,CAAC;QACD,MAAM,IAAI,GAAG,KAAmD,CAAC;QACjE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IAC7D,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9E,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAgB,EAAE,OAAe;IAC/D,MAAM,IAAI,iBAAiB,CAAC,OAAO,EAAE;QACnC,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,UAAU;QACjB,QAAQ;QACR,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,2BAA2B;KACrC,CAAC,CAAC;AACL,CAAC"}
|
|
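--- a/package/sdk/dist/namespaces/ci.types.d.ts
+++ b/package/sdk/dist/namespaces/ci.types.d.ts
@@ -0,0 +1,91 @@
+/** Types and constants for GitHub Actions OIDC federation (`/ci/v1/*`). */
+export declare const CI_GITHUB_ACTIONS_PROVIDER: "github-actions";
+export declare const CI_GITHUB_ACTIONS_ISSUER: "https://token.actions.githubusercontent.com";
+export declare const CI_AUDIENCE: "https://api.run402.com";
+export declare const DEFAULT_CI_DELEGATION_CHAIN_ID: "eip155:84532";
+export declare const V1_CI_ALLOWED_ACTIONS: readonly ["deploy"];
+export declare const V1_CI_ALLOWED_EVENTS_DEFAULT: readonly ["push", "workflow_dispatch"];
+export type CiProvider = typeof CI_GITHUB_ACTIONS_PROVIDER;
+export type CiAllowedAction = (typeof V1_CI_ALLOWED_ACTIONS)[number];
+export type CiAllowedEvent = (typeof V1_CI_ALLOWED_EVENTS_DEFAULT)[number] | (string & {});
+export type CiBindingErrorCode = "nonce_replay" | "delegation_statement_mismatch" | "delegation_resource_uri_mismatch" | "signer_mismatch" | "delegation_oversized" | "delegation_parse_failed" | "delegation_signature_invalid" | "delegation_nonce_invalid" | "duplicate";
+export type CiTokenExchangeErrorCode = "invalid_request" | "invalid_token" | "access_denied" | "event_not_allowed" | "repository_id_mismatch" | "ambiguous_binding";
+export type CiDeployErrorCode = "payment_required" | "insufficient_scope" | "forbidden_spec_field" | "forbidden_plan";
+export type CiErrorCode = CiBindingErrorCode | CiTokenExchangeErrorCode | CiDeployErrorCode | (string & {});
+export interface ParsedDelegation {
+payload: Record<string, unknown>;
+raw: string;
+signer: string;
+verified_at: string;
+}
+export interface CiBindingRow {
+id: string;
+project_id: string;
+issuer: string;
+subject_match: string;
+allowed_actions: string[];
+allowed_events: string[];
+github_repository_id: string | null;
+created_by: string;
+nonce: string;
+created_sig?: ParsedDelegation | null;
+created_at: string;
+expires_at: string | null;
+revoked_at: string | null;
+last_used_at: string | null;
+use_count: number;
+}
+export interface CiCreateBindingInput {
+project_id: string;
+provider: CiProvider;
+subject_match: string;
+allowed_actions: readonly CiAllowedAction[];
+allowed_events: readonly CiAllowedEvent[];
+github_repository_id?: string | null;
+expires_at?: string | null;
+nonce: string;
+signed_delegation: string;
+}
+export interface CiListBindingsInput {
+project: string;
+}
+export interface CiListBindingsResult {
+bindings: CiBindingRow[];
+}
+export interface CiTokenExchangeInput {
+project_id: string;
+subject_token: string;
+}
+export interface CiTokenExchangeRequestBody extends CiTokenExchangeInput {
+grant_type: "urn:ietf:params:oauth:grant-type:token-exchange";
+subject_token_type: "urn:ietf:params:oauth:token-type:jwt";
+}
+export interface CiTokenExchangeResponse {
+access_token: string;
+token_type: "Bearer" | (string & {});
+expires_in: number;
+scope: string;
+}
+export interface CiDelegationValues {
+project_id: string;
+issuer?: string;
+audience?: string;
+subject_match: string;
+allowed_actions: readonly string[];
+allowed_events: readonly string[];
+expires_at?: string | null;
+github_repository_id?: string | null;
+nonce: string;
+}
+export interface NormalizedCiDelegationValues {
+project_id: string;
+issuer: string;
+audience: string;
+subject_match: string;
+allowed_actions: CiAllowedAction[];
+allowed_events: string[];
+expires_at: string | null;
+github_repository_id: string | null;
+nonce: string;
+}
+//# sourceMappingURL=ci.types.d.ts.map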
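Review bot: `github_repository_id` is optional in both `CiCreateBindingInput` and `CiDelegationValues`, so a binding can be signed that identifies the workflow by `subject_match` alone. GitHub builds the OIDC `sub` claim from the owner/repo name, which can change hands after a rename or deletion, whereas the `repository_id` claim stays fixed; the declaration should at least say so, e.g. `/** Numeric GitHub repository id; set it to pin the binding to one repository rather than to a name. */` above both fields. Separately, `CiAllowedEvent` ends in `| (string & {})`, so any event name type-checks and the `push`/`workflow_dispatch` default is only advisory at this layer. Whether the gateway rejects unpinned bindings or other events is not visible in this file.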
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci.types.d.ts","sourceRoot":"","sources":["../../src/namespaces/ci.types.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAE3E,eAAO,MAAM,0BAA0B,EAAG,gBAAyB,CAAC;AACpE,eAAO,MAAM,wBAAwB,EAAG,6CAAsD,CAAC;AAC/F,eAAO,MAAM,WAAW,EAAG,wBAAiC,CAAC;AAC7D,eAAO,MAAM,8BAA8B,EAAG,cAAuB,CAAC;AAEtE,eAAO,MAAM,qBAAqB,qBAAsB,CAAC;AACzD,eAAO,MAAM,4BAA4B,wCAAyC,CAAC;AAEnF,MAAM,MAAM,UAAU,GAAG,OAAO,0BAA0B,CAAC;AAC3D,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AACrE,MAAM,MAAM,cAAc,GACtB,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,CAAC,GAC7C,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,kBAAkB,GAC1B,cAAc,GACd,+BAA+B,GAC/B,kCAAkC,GAClC,iBAAiB,GACjB,sBAAsB,GACtB,yBAAyB,GACzB,8BAA8B,GAC9B,0BAA0B,GAC1B,WAAW,CAAC;AAEhB,MAAM,MAAM,wBAAwB,GAChC,iBAAiB,GACjB,eAAe,GACf,eAAe,GACf,mBAAmB,GACnB,wBAAwB,GACxB,mBAAmB,CAAC;AAExB,MAAM,MAAM,iBAAiB,GACzB,kBAAkB,GAClB,oBAAoB,GACpB,sBAAsB,GACtB,gBAAgB,CAAC;AAErB,MAAM,MAAM,WAAW,GACnB,kBAAkB,GAClB,wBAAwB,GACxB,iBAAiB,GACjB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,UAAU,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,SAAS,eAAe,EAAE,CAAC;IAC5C,cAAc,EAAE,SAAS,cAAc,EAAE,CAAC;IAC1C,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,
MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,0BAA2B,SAAQ,oBAAoB;IACtE,UAAU,EAAE,iDAAiD,CAAC;IAC9D,kBAAkB,EAAE,sCAAsC,CAAC;CAC5D;AAED,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,eAAe,EAAE,CAAC;IACnC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,KAAK,EAAE,MAAM,CAAC;CACf"}
|
|
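--- a/package/sdk/dist/namespaces/ci.types.js
+++ b/package/sdk/dist/namespaces/ci.types.js
@@ -0,0 +1,8 @@
+/** Types and constants for GitHub Actions OIDC federation (`/ci/v1/*`). */
+export const CI_GITHUB_ACTIONS_PROVIDER = "github-actions";
+export const CI_GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com";
+export const CI_AUDIENCE = "https://api.run402.com";
+export const DEFAULT_CI_DELEGATION_CHAIN_ID = "eip155:84532";
+export const V1_CI_ALLOWED_ACTIONS = ["deploy"];
+export const V1_CI_ALLOWED_EVENTS_DEFAULT = ["push", "workflow_dispatch"];
+//# sourceMappingURL=ci.types.js.map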
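Review bot: `V1_CI_ALLOWED_ACTIONS` and `V1_CI_ALLOWED_EVENTS_DEFAULT` are exported as plain arrays, so the `readonly` in the declaration file is compile-time only and any importer can mutate them at runtime. If the SDK's normalisation code checks values against these arrays (ci.js is not part of this section), freezing them keeps the allowlist fixed: `export const V1_CI_ALLOWED_ACTIONS = Object.freeze(["deploy"]);` and the same for the events default. This is compiled output, so the change belongs in `src/namespaces/ci.types.ts`.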
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci.types.js","sourceRoot":"","sources":["../../src/namespaces/ci.types.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAE3E,MAAM,CAAC,MAAM,0BAA0B,GAAG,gBAAyB,CAAC;AACpE,MAAM,CAAC,MAAM,wBAAwB,GAAG,6CAAsD,CAAC;AAC/F,MAAM,CAAC,MAAM,WAAW,GAAG,wBAAiC,CAAC;AAC7D,MAAM,CAAC,MAAM,8BAA8B,GAAG,cAAuB,CAAC;AAEtE,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,QAAQ,CAAU,CAAC;AACzD,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAU,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAa3C,OAAO,KAAK,EACV,YAAY,EAKZ,WAAW,EACX,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,YAAY,EAWZ,iBAAiB,EAGjB,YAAY,EACZ,WAAW,EACX,YAAY,EACb,MAAM,mBAAmB,CAAC;AAwB3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4B9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAA;KAAO,GACrC,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAQ7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC;IAsB9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;OAGG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMrD;;OAEG;IACG,IAAI,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAMjE;AAqnBD;;;;;GAKG;AACH,MAAM,
WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}
|
|
@@ -18,7 +18,9 @@
|
|
|
18
18
|
* See `unified-deploy` and `cas-content` capability specs for normative
|
|
19
19
|
* behavior; this file is the implementation.
|
|
20
20
|
*/
|
|
21
|
-
import {
|
|
21
|
+
import { isCiSessionCredentials } from "../ci-credentials.js";
|
|
22
|
+
import { assertCiDeployableSpec } from "./ci.js";
|
|
23
|
+
import { ApiError, LocalError, NetworkError, PaymentRequired, Run402DeployError, Unauthorized, } from "../errors.js";
|
|
22
24
|
// ─── Constants ───────────────────────────────────────────────────────────────
|
|
23
25
|
const PLAN_BODY_LIMIT_BYTES = 5 * 1024 * 1024;
|
|
24
26
|
const COMMIT_POLL_INITIAL_MS = 1_000;
|
|
@@ -212,6 +214,9 @@ export class Deploy {
|
|
|
212
214
|
}
|
|
213
215
|
// ─── Internal pipeline ───────────────────────────────────────────────────────
|
|
214
216
|
async function planInternal(client, spec, idempotencyKey) {
|
|
217
|
+
const ciCredentials = isCiClient(client);
|
|
218
|
+
if (ciCredentials)
|
|
219
|
+
assertCiDeployableSpec(spec);
|
|
215
220
|
validateSpec(spec);
|
|
216
221
|
const { normalized, byteReaders } = await normalizeReleaseSpec(client, spec);
|
|
217
222
|
// The gateway expects { spec, manifest_ref?, idempotency_key? } with
|
|
@@ -228,6 +233,15 @@ async function planInternal(client, spec, idempotencyKey) {
|
|
|
228
233
|
body = inlineBody;
|
|
229
234
|
}
|
|
230
235
|
else {
|
|
236
|
+
if (ciCredentials) {
|
|
237
|
+
throw new Run402DeployError("CI deploys must use inline specs under the gateway body cap; the normalized deploy plan would require manifest_ref.", {
|
|
238
|
+
code: "forbidden_spec_field",
|
|
239
|
+
phase: "validate",
|
|
240
|
+
resource: "manifest_ref",
|
|
241
|
+
retryable: false,
|
|
242
|
+
context: "validating CI deploy spec",
|
|
243
|
+
});
|
|
244
|
+
}
|
|
231
245
|
// Upload the normalized manifest itself as a CAS object so the gateway
|
|
232
246
|
// can pick it up via `manifest_ref`. The body still carries a minimal
|
|
233
247
|
// `spec` so the gateway has the project for auth + plan persistence.
|
|
@@ -285,6 +299,7 @@ async function uploadMissing(client, projectId, presence, byteReaders, emit) {
|
|
|
285
299
|
// refs, it issues an upload session per ref with presigned PUT URLs,
|
|
286
300
|
// then we PUT the bytes and commit the content plan.
|
|
287
301
|
const headers = await apikeyHeaders(client, projectId);
|
|
302
|
+
const ciCredentials = isCiClient(client);
|
|
288
303
|
const contentRequest = needsUpload.map((p) => {
|
|
289
304
|
const reader = byteReaders.get(p.sha256);
|
|
290
305
|
return {
|
|
@@ -296,7 +311,9 @@ async function uploadMissing(client, projectId, presence, byteReaders, emit) {
|
|
|
296
311
|
const planRes = await client.request("/content/v1/plans", {
|
|
297
312
|
method: "POST",
|
|
298
313
|
headers,
|
|
299
|
-
body:
|
|
314
|
+
body: ciCredentials
|
|
315
|
+
? { project_id: projectId, content: contentRequest }
|
|
316
|
+
: { content: contentRequest },
|
|
300
317
|
context: "planning content upload",
|
|
301
318
|
});
|
|
302
319
|
const total = planRes.missing.length;
|
|
@@ -313,26 +330,25 @@ async function uploadMissing(client, projectId, presence, byteReaders, emit) {
|
|
|
313
330
|
}
|
|
314
331
|
const bytes = await reader();
|
|
315
332
|
await uploadOneWithRetry(client.fetch, session, bytes);
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
333
|
+
if (!ciCredentials) {
|
|
334
|
+
// Per-session completion — legacy non-CI promotion path via
|
|
335
|
+
// /storage/v1/uploads/:id/complete. CI sessions skip this route because
|
|
336
|
+
// the gateway contract only allows /content/v1/plans*; under CI the
|
|
337
|
+
// plan-level content commit performs the CAS promotion.
|
|
338
|
+
const completeBody = {};
|
|
339
|
+
if (session.mode === "multipart" && session.parts.length > 1) {
|
|
340
|
+
// Multipart completion needs per-part ETags. The SDK doesn't capture
|
|
341
|
+
// ETags during the PUT loop today (it would need a multi-PUT
|
|
342
|
+
// helper); for the common single-PUT case below this is empty.
|
|
343
|
+
// TODO: collect part ETags during uploadOne for true multipart.
|
|
344
|
+
}
|
|
345
|
+
await client.request(`/storage/v1/uploads/${encodeURIComponent(session.upload_id)}/complete`, {
|
|
346
|
+
method: "POST",
|
|
347
|
+
headers,
|
|
348
|
+
body: completeBody,
|
|
349
|
+
context: "completing content upload session",
|
|
350
|
+
});
|
|
329
351
|
}
|
|
330
|
-
await client.request(`/storage/v1/uploads/${encodeURIComponent(session.upload_id)}/complete`, {
|
|
331
|
-
method: "POST",
|
|
332
|
-
headers,
|
|
333
|
-
body: completeBody,
|
|
334
|
-
context: "completing content upload session",
|
|
335
|
-
});
|
|
336
352
|
done += 1;
|
|
337
353
|
emit({
|
|
338
354
|
type: "content.upload.progress",
|
|
@@ -1043,11 +1059,16 @@ async function uploadInlineCas(client, projectId, bytes, contentType) {
|
|
|
1043
1059
|
* projects in any of today's other apikey-auth tools).
|
|
1044
1060
|
*/
|
|
1045
1061
|
async function apikeyHeaders(client, projectId) {
|
|
1062
|
+
if (isCiClient(client))
|
|
1063
|
+
return {};
|
|
1046
1064
|
const project = await client.getProject(projectId);
|
|
1047
1065
|
if (!project)
|
|
1048
1066
|
return {};
|
|
1049
1067
|
return { apikey: project.anon_key };
|
|
1050
1068
|
}
|
|
1069
|
+
function isCiClient(client) {
|
|
1070
|
+
return isCiSessionCredentials(client.credentials);
|
|
1071
|
+
}
|
|
1051
1072
|
function makeEmitter(cb) {
|
|
1052
1073
|
if (!cb)
|
|
1053
1074
|
return () => { };
|
|
@@ -1199,6 +1220,9 @@ function translateDeployError(err, phase, planId, operationId) {
|
|
|
1199
1220
|
// Re-throw other Run402Error subclasses (PaymentRequired, Unauthorized, etc.)
|
|
1200
1221
|
// as-is — the consumer handles them at a different layer than
|
|
1201
1222
|
// deploy-state-machine errors.
|
|
1223
|
+
if (err instanceof PaymentRequired || err instanceof Unauthorized) {
|
|
1224
|
+
throw err;
|
|
1225
|
+
}
|
|
1202
1226
|
if (err instanceof Error) {
|
|
1203
1227
|
return new Run402DeployError(err.message, {
|
|
1204
1228
|
code: "INTERNAL_ERROR",
|