Skip to content

Commit ecf0cf4

Browse files
fix(bots): fail fast on failed GitHub OIDC mint in install-bot-engine
Review follow-up: the JFrog OIDC exchange only validated ACCESS_TOKEN, so a failed ID_TOKEN mint (missing id-token:write, metadata hiccup → empty or the string "null") was still POSTed as subject_token and surfaced one step later as the misleading "Could not extract JFrog access token". Add an empty/null guard right after the OIDC curl so the diagnostic points at the real cause. Fails closed either way; this just improves the error message. Co-authored-by: Isaac Signed-off-by: eric-wang-1990 <e.wang@databricks.com>
1 parent 5093ee1 commit ecf0cf4

1 file changed

Lines changed: 7 additions & 0 deletions

File tree

.github/actions/install-bot-engine/action.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,13 @@ runs:
5656
-H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
5757
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
5858
echo "::add-mask::${ID_TOKEN}"
59+
# Fail fast HERE if the OIDC mint failed (jq prints `null` for a missing
60+
# .value; a request error yields empty), so the diagnostic points at the
61+
# real cause instead of surfacing later as a misleading "could not extract
62+
# JFrog access token" from the exchange below.
63+
if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
64+
echo "::error::Could not mint GitHub OIDC token (is id-token:write granted?)"; exit 1
65+
fi
5966
ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
6067
"https://databricks.jfrog.io/access/api/v1/oidc/token" \
6168
-d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')

0 commit comments

Comments
 (0)