npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@electron/circleci-oidc-secret-exchange

v1.6.0

Published

Provides dynamic access to secrets in exchange for a valid OIDC token

Downloads

75

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

electron-cfaelectron-cfa

Keywords

Readme

@electron/circleci-oidc-secret-exchange

Provides dynamic access to secrets in exchange for a valid OIDC token

CircleCI

Usage

import { configureAndListen } from '@electron/circleci-oidc-secret-exchange';

configureAndListen([
  {
    organizationId: 'foo',
    secrets: [ ... ],
  },
  {
    organizationId: 'bar',
    secrets: [ ... ]
  }
])

By default configureAndListen listens on $PORT for incoming requests. In CircleCI you just need to POST a valid OIDC token to the /exchange endpoint. You'll receive a JSON key<>value map of secrets for your build job.

Secret Providers

All secret providers are configured with a filters object which dictates which CircleCI projects and contexts are allowed access to the secrets it provides. Please note that we apply an and operation to the projectIds and contextIds filters. So the OIDC token must be issued for an allowed project and an allowed context. Not just one or the other.

// Will only use this provider if the OIDC token is generated for project abc-def and the build is running in context 123-456
{
  provider: () => ...,
  filters: {
    projectIds: ['abc-def'],
    contextIds: ['123-456'],
  }
}

We have a few built-in secret providers documented below, you can build your own provider by importing and implementing the base SecretProvider class.

Generic Secret Provider

This provider allows you to load secrets from anywhere and hand them back in key<>value form.

import { GenericSecretProvider } from '@electron/circleci-oidc-secret-exchange';

export const config = [
  {
    organizationId: 'foo',
    secrets: [
      provider: () => new GenericSecretProvider(
        async () => ({
          MY_COOL_SECRET: process.env.MY_COOL_SECRET,
          OTHER_SECRET: await getFromSomewhere(),
        })
      ),
      filters: { ... },
    ]
  }
]

File Secret Provider

This provider loads a JSON file from disk and let's you read and provide secrets from it. The file is read fresh on every request so if you change the file on disk even without restarting the service the updated secrets will be read

import { FileSecretProvider } from '@electron/circleci-oidc-secret-exchange';

export const config = [
  {
    organizationId: 'foo',
    secrets: [
      provider: () => new FileSecretProvider('/etc/org.d/secrets.json', (secrets) => ({
        MY_SECRET_KEY: secrets.fooSecret,
        OTHER_SECRET_KEY: secrets.barSecret,
      })),
      filters: { ... },
    ]
  }
]

GitHub App Token Provider

This provider hands off a permission-scoped, repo-scoped GitHub App installation token as a secret. These tokens last ~60 minutes so you if your job takes longer than that the token will no longer be valid.

To generate the credentials bundle for credsString, see the instructions on electron/github-app-auth.

import { GitHubAppTokenProvider } from '@electron/circleci-oidc-secret-exchange';

export const config = [
  {
    organizationId: 'foo',
    secrets: [
      provider: () => new GitHubAppTokenProvider({
        // Creds bundle generated for `@electron/github-app-auth`
        credsString: process.env.MY_GITHUB_APP_CREDS,
        // The repo to generate this token for, could be any repo
        // not just the repo that generated the OIDC token
        repo: {
          owner: 'my-org',
          name: 'my-repo',
        },
        // A key<>value map of GitHub app permissions and their values
        permissions: {
          members: 'read',
          contents: 'write',
        }
      }),
      filters: { ... },
    ]
  }
]

By default the GitHubAppTokenProvider provides a secret with the name GITHUB_TOKEN. You can change that name by providing it as a second parameter to the constructor.