From 9d50b88fdc0f294023e1cd621e09b1f22daf4577 Mon Sep 17 00:00:00 2001 From: Jacob Gillespie Date: Mon, 5 Sep 2022 16:53:21 +0100 Subject: [PATCH] Add OIDC token support
---
 README.md | 1 +
 action.yml | 6 ++++++
 dist/index.js | 16 ++++++++++++++++
 src/index.ts | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+)
diff --git a/README.md b/README.md
index aa87ab6..b9d4fed 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ jobs:
 ## Inputs
 - `version` (optional) - A string representing the version of the Depot CLI to install (e.g. `1.2.3`). The default value is `latest` which will install the latest available version. Can also specify a semver version range selector (e.g. `0.x.x`).
+- `oidc` (optional) - A boolean value indicating, if `true` the action will authenticate with the Depot API using GitHub Actions OIDC and set the `DEPOT_TOKEN` environment variable for future steps. This is typically not needed if you are using the `depot/build-push-action` action. The default value is `false`.
 ## Authentication
diff --git a/action.yml b/action.yml
index b07cc44..b1f3443 100644
--- a/action.yml
+++ b/action.yml
@@ -14,3 +14,9 @@ inputs:
 the latest version for the target platform will be installed. Example: "0.0.2".
 default: latest
 required: false
+ oidc:
+ description: |-
+ If set to true, the action will authenticate with the Depot API using OIDC
+ and save the returned token as environment a `DEPOT_TOKEN` environment variable.
+ default: 'false'
+ required: false
diff --git a/dist/index.js b/dist/index.js
index 3180d77..d4afe72 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -5454,6 +5454,22 @@ async function run() {
 await installDepotCLI(url, resolvedVersion);
 }
 core.info(`depot ${resolvedVersion} is installed`);
+ // Attempt to exchange GitHub Actions OIDC token for temporary Depot trust relationship token
+ if (core.getBooleanInput('oidc')) {
+ if (!process.env.DEPOT_TOKEN) {
+ try {
+ const odicToken = await core.getIDToken('https://depot.dev');
+ const res = await client.postJson('https://depot.dev/api/auth/oidc/github-actions', { token: odicToken });
+ if (res.result && res.result.token) {
+ core.info(`Exchanged GitHub Actions OIDC token for temporary Depot token`);
+ core.exportVariable('DEPOT_TOKEN', res.result.token);
+ }
+ }
+ catch (err) {
+ core.info(`Unable to exchange GitHub OIDC token for temporary Depot token: ${err}`);
+ }
+ }
+ }
 }
 async function resolveVersion(version) {
 const res = await client.get(`https://depot.dev/api/cli/release/${process.platform}/${process.arch}/${version}`);
diff --git a/src/index.ts b/src/index.ts
index 79a8372..3f228cb 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -23,6 +23,25 @@ async function run() {
 }
 core.info(`depot ${resolvedVersion} is installed`)
+
+ // Attempt to exchange GitHub Actions OIDC token for temporary Depot trust relationship token
+ if (core.getBooleanInput('oidc')) {
+ if (!process.env.DEPOT_TOKEN) {
+ try {
+ const odicToken = await core.getIDToken('https://depot.dev')
+ const res = await client.postJson<{ok: boolean; token: string}>(
+ 'https://depot.dev/api/auth/oidc/github-actions',
+ {token: odicToken},
+ )
+ if (res.result && res.result.token) {
+ core.info(`Exchanged GitHub Actions OIDC token for temporary Depot token`)
+ core.exportVariable('DEPOT_TOKEN', res.result.token)
+ }
+ } catch (err) {
+ core.info(`Unable to exchange GitHub OIDC token for temporary Depot token: ${err}`)
+ }
+ }
+ }
 }
 async function resolveVersion(version: string) {
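Review bot: The exchanged token is written to the job environment with `core.exportVariable('DEPOT_TOKEN', res.result.token)` in the src/index.ts hunk but is never registered with the runner's log masking, so if a later step dumps its environment or the value ends up in a command line it is printed in cleartext in the job log; add `core.setSecret(res.result.token)` immediately before the `exportVariable` call. The failure path reports only at `core.info` even though the user explicitly opted in with `oidc: true`, so a failed exchange leaves `DEPOT_TOKEN` unset and surfaces later as a confusing error in another step; changing `core.info` to `core.warning` in the catch block (and, since the declared response type carries `ok`, either checking `res.result.ok` or dropping it from the type) would make the outcome visible. The local `odicToken` is misspelled and `oidcToken` would match the input name and the comments. The identical logic appears in the bundled `dist/index.js` hunk, which is presumably regenerated from this source, and `run()` begins outside the hunk.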