New OIDC auth method

Author: rgharris

action.yml

@@ -4,11 +4,17 @@ branding:
   icon: 'lock'
   color: 'blue'
 inputs:
+  auth-method:
+    description: >- 
+      Auth method to use - set this to "oidc" for identity auth via OIDC.
+      Note that this requires the `id-token: write` permission on the Github 
+      job or workflow. See https://docs.doppler.com/docs/service-account-identities
+    default: "token"
   doppler-token:
     description: >-
       Doppler Service Token that grants access to a single Config within a Project. 
       See https://docs.doppler.com/docs/service-tokens
-    required: true
+    required: false
   doppler-project:
     description: >-
       Doppler Project
@@ -21,6 +27,10 @@ inputs:
     description: >-
       Inject secrets as environment variables for subsequent steps if set to `true`.
     required: false
+  doppler-identity-id:
+    description: >-
+      Identity to use, required when auth-method is "oidc".
+    required: false
 runs:
   using: 'node20'
   main: 'index.js'

doppler.js

@@ -8,7 +8,7 @@ import { VERSION } from "./meta.js";
  * @param {string | null} [dopplerConfig]
  * @returns {() => Promise<Record<string, Record>>}
  */
-async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
+export async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
   return new Promise(function (resolve, reject) {
     const encodedAuthData = Buffer.from(`${dopplerToken}:`).toString("base64");
     const authHeader = `Basic ${encodedAuthData}`;
@@ -54,4 +54,60 @@ async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
   });
 }
 
-export default fetch;
+/**
+ * Exchange an OIDC token for a short lived Doppler service account token
+ * @param {string} identityId 
+ * @param {string} oidcToken 
+ * @returns {() => Promise<string>}
+ */
+export async function oidcAuth(identityId, oidcToken) {
+  return new Promise(function (resolve, reject) {
+    const userAgent = `secrets-fetch-github-action/${VERSION}`;
+
+    const url = new URL("https://api.doppler.com/v3/auth/oidc");
+    const body = JSON.stringify({
+      identity: identityId,
+      token: oidcToken
+    });
+   
+    const request = https
+      .request(
+        url.href,
+        {
+          headers: {
+            "user-agent": userAgent,
+            "accepts": "application/json",
+            "Content-Type": "application/json",
+            "Content-Length": body.length,
+          },
+          method: 'POST'
+        },
+        (res) => {
+          let payload = "";
+          res.on("data", (data) => (payload += data));
+          res.on("end", () => {
+            if (res.statusCode === 200) {
+              resolve(JSON.parse(payload).token);
+            } else {
+              try {
+                const error = JSON.parse(payload).messages.join(" ");
+                reject(new Error(`Doppler API Error: ${error}`));
+              } catch (error) {
+                // In the event an upstream issue occurs and no JSON payload is supplied
+                reject(new Error(`Doppler API Error: ${res.statusCode} ${res.statusMessage}`));
+              }
+            }
+          });
+        }
+      );
+
+    request
+      .on("error", (error) => {
+        reject(new Error(`Doppler API Error: ${error}`));
+      });
+
+    request.write(body);
+
+    request.end()
+  });
+}

index.js

@@ -1,5 +1,5 @@
 import core from "@actions/core";
-import fetch from "./doppler.js";
+import { fetch, oidcAuth } from "./doppler.js";
 
 // For local testing
 if (process.env.NODE_ENV === "development" && process.env.DOPPLER_TOKEN) {
@@ -8,11 +8,25 @@ if (process.env.NODE_ENV === "development" && process.env.DOPPLER_TOKEN) {
   process.env["INPUT_DOPPLER-CONFIG"] = process.env.DOPPLER_CONFIG;
 }
 
+const AUTH_METHOD = core.getInput("auth-method");
+let DOPPLER_TOKEN = "";
+
+if (AUTH_METHOD === "oidc") {
+  const DOPPLER_IDENTITY_ID = core.getInput("doppler-identity-id", { required: true });
+  const oidcToken = await core.getIDToken();
+  core.setSecret(oidcToken);
+  DOPPLER_TOKEN = await oidcAuth(DOPPLER_IDENTITY_ID, oidcToken)
+} else if (AUTH_METHOD === "token") {
+  DOPPLER_TOKEN = core.getInput("doppler-token", { required: true });
+}else {
+  core.setFailed("Unsupported auth-method");
+  process.exit();
+}
+
 const DOPPLER_META = ["DOPPLER_PROJECT", "DOPPLER_CONFIG", "DOPPLER_ENVIRONMENT"];
-const DOPPLER_TOKEN = core.getInput("doppler-token", { required: true });
 core.setSecret(DOPPLER_TOKEN);
 
-const IS_SA_TOKEN = DOPPLER_TOKEN.startsWith("dp.sa.");
+const IS_SA_TOKEN = DOPPLER_TOKEN.startsWith("dp.sa.") || DOPPLER_TOKEN.startsWith("dp.said.");
 const IS_PERSONAL_TOKEN = DOPPLER_TOKEN.startsWith("dp.pt.");
 const DOPPLER_PROJECT = (IS_SA_TOKEN || IS_PERSONAL_TOKEN) ? core.getInput("doppler-project") : null;
 const DOPPLER_CONFIG = (IS_SA_TOKEN || IS_PERSONAL_TOKEN) ? core.getInput("doppler-config") : null;