Add oidc-only flag

[pavelzw]

• All tests passed. If this feature is not already covered by the tests, I added new tests.
• I used npm run format for formatting the code before submitting the pull request.

---

Closes #209

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[pavelzw]

I have read the CLA Document and I hereby sign the CLA

[pavelzw]

@sverdlov93 could you please take a look at this PR and tell me what you think?

[pavelzw]

@RobiNino could you please take a look?

[EyalDelarea]

Hey @pavelzw,

Thank you for opening this pull request!

I believe a better approach to achieve your goal is to export the OIDC token as an environment variable, which can then be utilized throughout the rest of your workflow.

Make sure to use clear and descriptive names for the variables and ensure they are cleared during the post-action phase to avoid any security risks.

[pavelzw]

Hey @EyalDelarea, thanks for your response!

I believe a better approach to achieve your goal is to export the OIDC token as an environment variable, which can then be utilized throughout the rest of your workflow

As mentioned in #209 (comment), I don't think that exporting the env variables is a good idea. I would prefer to just keep the output of the oidc credentials as it is right now (just using core.setOutput, see below[1])

I could use the oidc outputs in the following way:

- uses: jfrog/setup-jfrog-cli@v4
  id: artifactory
  with:
    oidc-provider-name: ${{ vars.ARTIFACTORY_OIDC_PROVIDER }}
    oidc-audience: ${{ vars.ARTIFACTORY_OIDC_AUDIENCE }}
    oidc-only: true
  env:
    JF_URL: ${{ vars.ARTIFACTORY_URL }}
- uses: prefix-dev/setup-pixi@v0.8.1
  with:
    auth-host: ${{ vars.ARTIFACTORY_URL }}
    auth-username: ${{ steps.artifactory.outputs.oidc-user }}
    auth-password: ${{ steps.artifactory.outputs.oidc-token }}
# OIDC credentials are not leaked to subsequent steps
- run: some-other-tool

I'm happy to add some additional documentation if you wish.

[1]:

setup-jfrog-cli/src/utils.ts

Lines 290 to 300 in f748a05

	core.setSecret(oidcToken);
	// Output the oidc access token as a secret
	core.setOutput('oidc-token', oidcToken);
	// Output the user from the oidc access token subject as a secret
	let payload: JWTTokenData = this.decodeOidcToken(oidcToken);
	let tokenUser: string = this.extractTokenUser(payload.sub);
	// Mark the user as a secret
	core.setSecret(tokenUser);
	// Output the user from the oidc access token subject extracted from the last section of the subject
	core.setOutput('oidc-user', tokenUser);

[pavelzw]

@EyalDelarea i just rebased on the latest master and fixed all conflicts, let me know what you think!

[EyalDelarea]

Hey @pavelzw,

Apologies for the late response — and thank you so much for the great work on this PR! 🙏 Really appreciate the effort you put in.

We’re currently working on some OIDC-related improvements that will address your use case, though in a slightly different way than suggested here.

Once those changes are in place, you’ll be able to configure a JFrog server with OIDC parameters directly ( i.e jf c add myServer --oidc-provider-name=myProvider, so you won’t need to manually pass the token between jobs anymore.

Do you think this approach would work for your use case? Would love to hear your thoughts.

Thanks again!

[AndreasAlbertQC]

Hi @EyalDelarea ! I -- and people in my organization -- would be very happy if this feature could be merged.

We like to use the setup-jfrog-cli action both in workflows where we really use jf to e.g. upload files, and in workflows where we only read packages using third party clients, which need the OIDC login token. Given the multitude of package managers available in the world, I think this is likely a common use case.

One big reason why I am eager to have the current PR merged is that it would significantly reduce the amount of "noise" generated by setup-jfrog-cli in those cases where I only need the login for read-only purposes. Currently, setup-jfrog-cli produces a large number of environment variables / outputs / log information that is simply not needed in this situation. It makes our workflows harder to read and maintain. Colleagues of mine have already proposed to stop using setup-jfrog-cli entirely and to implement the OIDC auth ourselves because they are frustrated with the clutter. With this in mind, I don't think your suggestion above via jf c add helps us in this situation because it still requires us to somehow set up jf in the first place, so we never get around having to run setup-jfrog-cli, and thus always incur env vars + log outputs.

TLDR: The feature in this PR is straightforward and very useful. I would appreciate it immensely if it could be merged, because I would love to keep using setup-jfrog-cli rather than having to solve the login through our own implementation.