Use GitHub Actions OpenID Connect Identity Provider to authenticate

Parzivail-Modding-Team · Nov 6, 2023 · f055d59 · hakkimx · Oct 12, 2024 · f055d59
1 parent 3f62d14
commit f055d59
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,6 +7,10 @@ on:
     branches-ignore:
       - l10n
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     strategy:

diff --git a/scripts/upload_dev.py b/scripts/upload_dev.py
@@ -17,23 +17,48 @@
 
 print("Current directory: " + os.getcwd())
 
-files = [file for file in os.listdir(".") if file.rpartition("-")[2] not in {"sources.jar", "javadoc.jar", "dev.jar"}]
+files = [
+    file
+    for file in os.listdir(".")
+    if file.rpartition("-")[2] not in {"sources.jar", "javadoc.jar", "dev.jar"}
+]
 
 if files and args.result == "success":
-    file, = files
+    (file,) = files
     print("Trying to upload", os.path.realpath(file))
     if args.webhook:
         for url in args.webhook:
             with open(file, "rb") as fp:
-                with requests.post(url, files={"file": fp}, data={
-                        "content": f"Build {os.environ['BUILD_NUMBER']} built! <:mc_cake:711406798292254792>"}) as resp:
+                with requests.post(
+                    url,
+                    files={"file": fp},
+                    data={
+                        "content": f"Build {os.environ['BUILD_NUMBER']} built! <:mc_cake:711406798292254792>"
+                    },
+                ) as resp:
                     print("discord response:", resp.text)
     if args.serverupdate:
         for url in args.serverupdate:
-            subprocess.check_call(["curl", "--location", "--request", "POST", url, "--form", f"file=@{file}"])
+            with requests.post(
+                f"{os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience=https://mc.pswg.dev"
+            ) as resp:
+                token = resp.json().value
+            with open(file, "rb") as fp:
+                with requests.post(
+                    url,
+                    files={"file": fp},
+                    headers={"Authorization": f"Bearer {token}"},
+                ) as resp:
+                    resp.raise_for_status()
+                    print("server updater response:", resp.text)
 else:
     if not files:
         print("Did not find file")
     for url in args.webhook:
-        with requests.post(url, data={"content": f"Build {os.environ['BUILD_NUMBER']} failed! \N{CROSS MARK}"}) as resp:
+        with requests.post(
+            url,
+            data={
+                "content": f"Build {os.environ['BUILD_NUMBER']} failed! \N{CROSS MARK}"
+            },
+        ) as resp:
             print("discord response:", resp.text)