feat!: initial v6 work

Author: kellertk

biome.jsonc

@@ -12,10 +12,6 @@
       "performance": {
         "noDelete": "off"
       },
-      "correctness": {
-        // Specifying a radix disables interpretation of 0x as a number (needed for backwards compat)
-        "useParseIntRadix": "off"
-      },
       "complexity": {
         "noExtraBooleanCast": "off"
       }

src/CredentialsClient.ts

@@ -1,104 +1,96 @@
-import { info } from '@actions/core';
-import { STSClient } from '@aws-sdk/client-sts';
-import type { AwsCredentialIdentity } from '@aws-sdk/types';
-import { NodeHttpHandler } from '@smithy/node-http-handler';
-import { ProxyAgent } from 'proxy-agent';
-import { errorMessage, getCallerIdentity } from './helpers';
-import { ProxyResolver } from './ProxyResolver';
+import {
+  fromContainerMetadata,
+  fromEnv,
+  fromInstanceMetadata,
+  fromNodeProviderChain,
+  fromTemporaryCredentials,
+  fromWebToken,
+} from '@aws-sdk/credential-providers';
+import type { AwsCredentialIdentityProvider } from '@aws-sdk/types';
+import type { NodeHttpHandler } from '@smithy/node-http-handler';
 
-const USER_AGENT = 'configure-aws-credentials-for-github-actions';
+type EnvMode = { mode: 'env' };
+type WebIdentityMode = { mode: 'web-identity'; webIdentityToken: string } & AssumeRoleOptions;
+type StsMode = { mode: 'sts'; masterCredentials?: AwsCredentialIdentityProvider } & AssumeRoleOptions;
+type ContainerMetadataMode = { mode: 'container-metadata' };
+type InstanceMetadataMode = { mode: 'instance-metadata' };
 
-export interface CredentialsClientProps {
-  region?: string;
-  proxyServer?: string;
-  noProxy?: string;
-}
+type AssumeRoleOptions = {
+  roleArn: string;
+  roleSessionName?: string;
+  durationSeconds?: number;
+  policy?: string;
+  policyArns?: { arn: string }[];
+  region: string;
+  requestHandler?: NodeHttpHandler;
+};
+
+export type CredentialsClientProps = EnvMode | WebIdentityMode | StsMode | ContainerMetadataMode | InstanceMetadataMode;
 
 export class CredentialsClient {
-  public region?: string;
-  private _stsClient?: STSClient;
-  private readonly requestHandler?: NodeHttpHandler;
+  readonly DEFAULT_ROLE_DURATION = 3600;
+  readonly DEFAULT_ROLE_SESSION_NAME = 'GitHubActions';
+  private provider: AwsCredentialIdentityProvider;
 
   constructor(props: CredentialsClientProps) {
-    if (props.region !== undefined) {
-      this.region = props.region;
-    }
-    if (props.proxyServer) {
-      info('Configuring proxy handler for STS client');
-      const proxyOptions: { httpProxy: string; httpsProxy: string; noProxy?: string } = {
-        httpProxy: props.proxyServer,
-        httpsProxy: props.proxyServer,
-      };
-      if (props.noProxy !== undefined) {
-        proxyOptions.noProxy = props.noProxy;
-      }
-      const getProxyForUrl = new ProxyResolver(proxyOptions).getProxyForUrl;
-      const handler = new ProxyAgent({ getProxyForUrl });
-      this.requestHandler = new NodeHttpHandler({
-        httpsAgent: handler,
-        httpAgent: handler,
-      });
-    }
+    this.provider = this.createCredentialChain(props);
   }
 
-  public get stsClient(): STSClient {
-    if (!this._stsClient) {
-      const config = { customUserAgent: USER_AGENT } as {
-        customUserAgent: string;
-        region?: string;
-        requestHandler?: NodeHttpHandler;
-      };
-      if (this.region !== undefined) config.region = this.region;
-      if (this.requestHandler !== undefined) config.requestHandler = this.requestHandler;
-      this._stsClient = new STSClient(config);
-    }
-    return this._stsClient;
-  }
+  private createCredentialChain(props: CredentialsClientProps): AwsCredentialIdentityProvider {
+    const primaryProvider = this.getPrimaryProvider(props);
+    const fallbackProvider = fromNodeProviderChain();
 
-  public async validateCredentials(
-    expectedAccessKeyId?: string,
-    roleChaining?: boolean,
-    expectedAccountIds?: string[],
-  ) {
-    let credentials: AwsCredentialIdentity;
-    try {
-      credentials = await this.loadCredentials();
-      if (!credentials.accessKeyId) {
-        throw new Error('Access key ID empty after loading credentials');
-      }
-    } catch (error) {
-      throw new Error(`Credentials could not be loaded, please check your action inputs: ${errorMessage(error)}`);
-    }
-    if (expectedAccountIds && expectedAccountIds.length > 0 && expectedAccountIds[0] !== '') {
-      let callerIdentity: Awaited<ReturnType<typeof getCallerIdentity>>;
+    return async () => {
       try {
-        callerIdentity = await getCallerIdentity(this.stsClient);
-      } catch (error) {
-        throw new Error(`Could not validate account ID of credentials: ${errorMessage(error)}`);
-      }
-      if (!callerIdentity.Account || !expectedAccountIds.includes(callerIdentity.Account)) {
-        throw new Error(
-          `The account ID of the provided credentials (${
-            callerIdentity.Account ?? 'unknown'
-          }) does not match any of the expected account IDs: ${expectedAccountIds.join(', ')}`,
-        );
+        return await primaryProvider();
+      } catch {
+        return await fallbackProvider();
       }
-    }
+    };
+  }
 
-    if (!roleChaining) {
-      const actualAccessKeyId = credentials.accessKeyId;
-      if (expectedAccessKeyId && expectedAccessKeyId !== actualAccessKeyId) {
-        throw new Error(
-          'Credentials loaded by the SDK do not match the expected access key ID configured by the action',
-        );
-      }
+  private getPrimaryProvider(props: CredentialsClientProps): AwsCredentialIdentityProvider {
+    switch (props.mode) {
+      case 'env':
+        return fromEnv();
+      case 'web-identity':
+        return fromWebToken({
+          clientConfig: {
+            region: props.region,
+            ...(props.requestHandler && { requestHandler: props.requestHandler }),
+            maxAttempts: 1, // Disable built-in retry logic
+          },
+          roleArn: props.roleArn,
+          webIdentityToken: props.webIdentityToken,
+          durationSeconds: props.durationSeconds ?? this.DEFAULT_ROLE_DURATION,
+          roleSessionName: props.roleSessionName ?? this.DEFAULT_ROLE_SESSION_NAME,
+          ...(props.policy && { policy: props.policy }),
+          ...(props.policyArns && { policyArns: props.policyArns }),
+        });
+      case 'sts':
+        return fromTemporaryCredentials({
+          params: {
+            RoleArn: props.roleArn,
+            DurationSeconds: props.durationSeconds ?? this.DEFAULT_ROLE_DURATION,
+            RoleSessionName: props.roleSessionName ?? this.DEFAULT_ROLE_SESSION_NAME,
+            ...(props.policy && { Policy: props.policy }),
+            ...(props.policyArns && { PolicyArns: props.policyArns }),
+          },
+          clientConfig: {
+            region: props.region,
+            ...(props.requestHandler && { requestHandler: props.requestHandler }),
+            maxAttempts: 1, // Disable built-in retry logic
+          },
+          ...(props.masterCredentials && { masterCredentials: props.masterCredentials }),
+        });
+      case 'container-metadata':
+        return fromContainerMetadata();
+      case 'instance-metadata':
+        return fromInstanceMetadata();
     }
   }
 
-  private async loadCredentials() {
-    const config = {} as { requestHandler?: NodeHttpHandler };
-    if (this.requestHandler !== undefined) config.requestHandler = this.requestHandler;
-    const client = new STSClient(config);
-    return client.config.credentials();
+  getCredentials(): AwsCredentialIdentityProvider {
+    return this.provider;
   }
 }

src/ProxyResolver.ts

@@ -33,7 +33,7 @@ export class ProxyResolver {
     const proto = parsedUrl.protocol.split(':', 1)[0];
     if (!proto) return ''; // Don't proxy URLs without a protocol.
     const hostname = parsedUrl.host;
-    const port = parseInt(parsedUrl.port || '') || DEFAULT_PORTS[proto] || 0;
+    const port = Number.parseInt(parsedUrl.port || '', 10) || DEFAULT_PORTS[proto] || 0;
 
     if (options?.noProxy && !this.shouldProxy(hostname, port, options.noProxy)) return '';
     if (proto === 'http' && options?.httpProxy) return options.httpProxy;
@@ -50,7 +50,7 @@ export class ProxyResolver {
 
       const parsedProxy = proxy.match(/^(.+):(\d+)$/);
       const parsedProxyHostname = parsedProxy ? parsedProxy[1] : proxy;
-      const parsedProxyPort = parsedProxy?.[2] ? parseInt(parsedProxy[2]) : 0;
+      const parsedProxyPort = parsedProxy?.[2] ? Number.parseInt(parsedProxy[2], 10) : 0;
 
       if (parsedProxyPort && parsedProxyPort !== port) return true; // Skip if ports don't match.