/*
* SPDX-License-Identifier: Apache-2.0
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
* Copyright 2026-present Datadog, Inc.
*/
'use strict';
const fs = require('fs');
// Step-summary file path; only used when the credential exchange fails.
const summaryPath = process.env.GITHUB_STEP_SUMMARY;
// Runner-provided OIDC request token and URL. Both are absent unless the
// workflow grants the `id-token: write` permission.
const actionsToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
const actionsUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
const hasOidcEnv = Boolean(actionsToken) && Boolean(actionsUrl);
if (!hasOidcEnv) {
  console.log(`::error::Missing required environment variables; have you set 'id-token: write' in your workflow permissions?`);
  process.exit(1);
}
// Action inputs arrive as INPUT_<NAME> environment variables.
const domain = process.env.INPUT_DOMAIN;
const policy = process.env.INPUT_POLICY;
const audience = process.env.INPUT_AUDIENCE;
// `audience` has a default value defined outside this script, so it is
// required here even though the user need not set it in the workflow.
const hasAllInputs = [domain, policy, audience].every((value) => Boolean(value));
if (!hasAllInputs) {
  console.log(`::error::Missing required inputs 'domain', 'policy', and 'audience'`);
  process.exit(1);
}
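/**
 * Performs `fetch(url, options)` and retries on any failure — a thrown
 * network error or a non-2xx response — with exponential backoff plus random
 * jitter between attempts.
 *
 * @param {string} url - Request URL.
 * @param {object} [options={}] - Options passed straight through to `fetch`.
 * @param {number} [retries=3] - Total number of attempts (the first try counts).
 * @param {number} [initialDelay=1000] - Backoff base in milliseconds; after
 *   attempt k the wait is `min(2**k * initialDelay + jitter, MAX_DELAY_MS)`.
 * @returns {Promise<Response>} The first response with `response.ok` set.
 * @throws {Error} When every attempt fails; the message reports the exact
 *   number of attempts made and the last underlying error is attached as `cause`.
 */
async function fetchWithRetry(url, options = {}, retries = 3, initialDelay = 1000) {
  const MAX_JITTER_MS = 5000;
  const MAX_DELAY_MS = 10000;
  // `retries` is the attempt budget; never mutate the parameter itself.
  const totalAttempts = Math.max(0, Math.ceil(retries));
  let lastError;
  for (let attempt = 1; attempt <= totalAttempts; attempt++) {
    try {
      const response = await fetch(url, options);
      if (!response.ok) {
        // Any non-2xx status is treated as a failure; the body is kept to aid debugging.
        const errorBody = await response.text();
        throw new Error(`HTTP error! status: ${response.status}, ${errorBody}`);
      }
      return response;
    } catch (error) {
      lastError = error;
      console.warn(`Attempt ${attempt} failed. Error: ${error.message}`);
    }
    // Only sleep when another attempt will actually follow; the original
    // version also waited after the final failure.
    if (attempt < totalAttempts) {
      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
      const delay = Math.min(2 ** attempt * initialDelay + jitter, MAX_DELAY_MS); // Limit max delay to 10 seconds
      await new Promise((resolve) => setTimeout(resolve, delay));
    }
  }
  // `attempt` is no longer overshooting by one here: report the real count.
  throw new Error(`Fetch failed after ${totalAttempts} attempts.`, { cause: lastError });
}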
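/**
 * Requests a GitHub Actions OIDC ID token for the given audience.
 *
 * @param {string} actionsUrl - `ACTIONS_ID_TOKEN_REQUEST_URL`; this code assumes it
 *   already carries a query string, so the audience is appended with `&`.
 * @param {string} audience - Requested `aud` value for the token.
 * @param {string} actionsToken - `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, sent as a bearer token.
 * @returns {Promise<string>} The ID token (a JWT) from the response's `value` field.
 * @throws {Error} If the request fails after retries or the response has no `value`.
 */
async function getOidcToken(actionsUrl, audience, actionsToken) {
  // Encode the audience so characters such as `&` or `#` cannot alter the
  // query string (exchangeOidcForCredentials already does this for `policy`).
  const tokenUrl = `${actionsUrl}&audience=${encodeURIComponent(audience)}`;
  const res = await fetchWithRetry(tokenUrl, { headers: { 'Authorization': `Bearer ${actionsToken}` } }, 5);
  const json = await res.json();
  // Fail here with a clear message instead of letting a later `.split` on
  // `undefined` blow up with a TypeError.
  if (!json.value) {
    throw new Error('Missing value in OIDC token response');
  }
  return json.value;
}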
/**
 * Exchanges a GitHub OIDC token for Datadog credentials at the STS endpoint.
 *
 * @param {string} domain - Host the request is sent to; it is interpolated
 *   into the URL as given. It comes from the `domain` action input, so the
 *   workflow author controls where the OIDC bearer token is sent.
 * @param {string} policy - Policy name, URL-encoded into the query string.
 * @param {string} oidcToken - The JWT, sent as a bearer token.
 * @returns {Promise<object>} The parsed response body; `api_key` is guaranteed present.
 * @throws {Error} If the request fails after retries, or the body lacks
 *   `api_key` (the server's `message` is used when available).
 */
async function exchangeOidcForCredentials(domain, policy, oidcToken) {
  const exchangeUrl = `https://${domain}/sts/datadog/exchange?policy=${encodeURIComponent(policy)}`;
  const requestOptions = {
    headers: {
      'Authorization': `Bearer ${oidcToken}`,
      'x-datadog-target-release': 'dd-sts.dd-sts'
    }
  };
  const response = await fetchWithRetry(exchangeUrl, requestOptions);
  const body = await response.json();
  const { api_key: apiKey } = body;
  if (!apiKey) {
    const reason = body.message || 'Missing api_key in response';
    throw new Error(reason);
  }
  return body;
}
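/**
 * Logs the OIDC token's claims and appends them to the step summary so a
 * failed exchange can be debugged. Best-effort: any failure in here is logged
 * and swallowed so the original exchange error is the one that gets reported.
 *
 * @param {string} oidcToken - The JWT returned by the token endpoint.
 */
function reportExchangeFailure(oidcToken) {
  try {
    // The JWT payload is the second dot-separated segment. It is base64url
    // encoded; Node's 'base64' decoder also accepts the URL-safe alphabet.
    const claims = JSON.parse(Buffer.from(oidcToken.split('.')[1], 'base64').toString());
    const serializedClaims = JSON.stringify(claims, null, 2);
    console.log('JWT claims:\n', serializedClaims);
    // GITHUB_STEP_SUMMARY may be unset; skipping the summary must not mask the real error.
    if (!summaryPath) {
      return;
    }
    const markdown = [
      '### ⚠️ DD STS request failed',
      '',
      'OIDC token claims for debugging:',
      '',
      '```json',
      serializedClaims,
      '```',
      '',
    ].join('\n');
    fs.appendFileSync(summaryPath, markdown + '\n');
  } catch (reportError) {
    console.warn(`Could not report OIDC token claims: ${reportError.message}`);
  }
}

/**
 * Masks the returned secrets in the job log, then writes them to the step
 * outputs and (for the application key) to the state file for post cleanup.
 *
 * @param {{api_key: string, application_key?: string, expires_at?: string}} credentials
 *   Body returned by exchangeOidcForCredentials.
 * @throws {Error} If GITHUB_OUTPUT / GITHUB_STATE is unset or a write fails.
 */
function publishCredentials(credentials) {
  // Mask before anything is written so the values never appear unredacted in logs.
  console.log(`::add-mask::${credentials.api_key}`);
  if (credentials.application_key) {
    console.log(`::add-mask::${credentials.application_key}`);
  }
  const outputPath = process.env.GITHUB_OUTPUT;
  if (!outputPath) {
    throw new Error('GITHUB_OUTPUT is not set; cannot write step outputs');
  }
  // Build output string with only present fields
  const outputParts = [`api_key=${credentials.api_key}`];
  if (credentials.application_key) {
    outputParts.push(`app_key=${credentials.application_key}`);
  }
  if (credentials.expires_at) {
    outputParts.push(`app_key_expiration_timestamp=${credentials.expires_at}`);
  }
  // Synchronous write so a failure surfaces in main's catch (the previous
  // async callback threw outside it). The trailing newline keeps a later
  // writer from appending onto the last output line.
  fs.appendFileSync(outputPath, outputParts.join('\n') + '\n');
  // Save state for post cleanup
  if (credentials.application_key) {
    const statePath = process.env.GITHUB_STATE;
    if (!statePath) {
      throw new Error('GITHUB_STATE is not set; cannot save state for post cleanup');
    }
    fs.appendFileSync(statePath, `APP_KEY=${credentials.application_key}\n`);
  }
}

/**
 * Entry point: obtain an OIDC token, exchange it for Datadog credentials and
 * publish them as masked step outputs. Any error is reported as a workflow
 * error annotation and the process exits with status 1.
 */
(async function main() {
  try {
    const oidcToken = await getOidcToken(actionsUrl, audience, actionsToken);
    let credentials;
    try {
      credentials = await exchangeOidcForCredentials(domain, policy, oidcToken);
    } catch (error) {
      reportExchangeFailure(oidcToken);
      throw error;
    }
    publishCredentials(credentials);
  } catch (err) {
    console.log(`::error::${err.stack}`);
    process.exit(1);
  }
})();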