Commit b47b8fb

ci: remove OIDC claim debug step — pipeline is green
Run 24637725063 published all 8 @perryts/perry* packages to npm at 0.5.106 (workflow ✓, all sigstore-provenance-attested, latest dist-tag moved off 0.0.1-bootstrap placeholders). The debug step was only needed to prove the OIDC claim fields matched the Trusted Publisher config; it showed everything matched, which pointed at npm/cli#9088 (fixed in c7cc823 by upgrading npm to >= 11.5.1).
1 parent c7cc823 commit b47b8fb

1 file changed

Lines changed: 0 additions & 24 deletions

.github/workflows/release-packages.yml

@@ -529,30 +529,6 @@ jobs:
529529
- name: Stage npm packages
530530
run: ./scripts/stage-npm.sh release-artifacts/
531531

532-
- name: Debug — decode OIDC claim npm will receive
533-
# Same audience npm uses for Trusted Publisher auth. Decodes the
534-
# JWT payload and prints the fields that must match the npmjs.com
535-
# Trusted Publisher config (sub, repository, workflow, ref, etc.).
536-
run: |
537-
set -e
538-
AUD="npm:registry.npmjs.org"
539-
TOKEN=$(curl -sSL \
540-
-H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
541-
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUD" \
542-
| python3 -c "import sys,json; print(json.load(sys.stdin)['value'])")
543-
PAYLOAD=$(echo "$TOKEN" | cut -d. -f2)
544-
# base64url -> base64 pad + decode
545-
PAD=$(( (4 - ${#PAYLOAD} % 4) % 4 ))
546-
PADDED="${PAYLOAD}$(printf '=%.0s' $(seq 1 $PAD))"
547-
DECODED=$(echo "$PADDED" | tr '_-' '/+' | base64 -d 2>/dev/null)
548-
echo "--- OIDC claim (audience=$AUD) ---"
549-
echo "$DECODED" | python3 -c "
550-
import sys, json
551-
c = json.load(sys.stdin)
552-
for k in ['sub','repository','repository_owner','workflow','workflow_ref','job_workflow_ref','ref','ref_type','event_name','environment','runner_environment','actor']:
553-
print(f' {k}: {c.get(k)!r}')
554-
"
555-
556532
- name: Sanity-check staged packages
557533
run: |
558534
for dir in npm/perry npm/perry-*; do
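
Review bot: The reason publishing works (npm >= 11.5.1, npm/cli#9088) now lives only in the commit message; once old lines 532-555 are gone, nothing in the visible context between "Stage npm packages" and "Sanity-check staged packages" records it. If c7cc823 did not already leave a comment beside the npm upgrade, add a one-line comment there citing the issue. On exposure from earlier runs: the step held the ID token for audience npm:registry.npmjs.org in `$TOKEN` but echoed only the selected decoded claims (sub, repository, workflow_ref, actor and the rest), so those logs carry claim values, not the token itself. If this snippet is ever brought back for diagnosis, two things in it need fixing first: `printf '=%.0s' $(seq 1 $PAD)` still emits one `=` when PAD is 0, and `base64 -d 2>/dev/null` under `set -e` hides any resulting decode error, so the step can stop without saying why.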
