feat: add publicAccess config for providerS3

Author: LukasMod

packages/provider-s3/README.md

@@ -46,6 +46,10 @@ type ProviderConfig = {
    * The time in seconds for the presigned URL to expire. By default, it is 24 hours.
    */
   linkExpirationTime?: number;
+  /**
+   * If true, the provider will not sign requests and will try to access the S3 bucket without authentication.
+   */
+  publicAccess?: boolean;
 };
 ```
 
@@ -87,6 +91,22 @@ export default {
 };
 ```
 
+### Public S3 Bucket
+
+```ts
+// rock.config.mjs
+import { providerS3 } from '@rock-js/provider-s3';
+
+export default {
+  // ...
+  remoteCacheProvider: providerS3({
+    bucket: 'your-public-bucket',
+    region: 'your-region',
+    publicAccess: true, // Access public bucket without authentication
+  }),
+};
+```
+
 ## Documentation
 
 For detailed documentation about Rock and its tools, visit [Rock Documentation](https://rockjs.dev)

packages/provider-s3/src/__tests__/providerS3.test.ts

@@ -214,7 +214,7 @@ test('providerS3 supports R2', async () => {
   ]);
 });
 
-test('providerS3 supports public access without credentials', async () => {
+test('providerS3 supports public access', async () => {
   (clientS3.S3Client as ReturnType<typeof vi.fn>).mockClear();
   const mockSend = (clientS3 as any).mockSend;
   const mockStream = {
@@ -232,6 +232,7 @@ test('providerS3 supports public access without credentials', async () => {
   const cacheProvider = providerS3({
     bucket: 'test-bucket',
     region: 'us-east-1',
+    publicAccess: true,
   })();
 
   expect(clientS3.S3Client).toHaveBeenCalledWith(

packages/provider-s3/src/lib/providerS3.ts

@@ -65,6 +65,10 @@ type ProviderConfig = {
    * External ID when assuming a role (for additional security).
    */
   externalId?: string;
+  /**
+   * If true, the provider will not sign requests and will try to access the S3 bucket without authentication.
+   */
+  publicAccess?: boolean;
 };
 
 export class S3BuildCache implements RemoteBuildCache {
@@ -104,8 +108,8 @@ export class S3BuildCache implements RemoteBuildCache {
     } else if (config.profile) {
       // Use shared config file (e.g. ~/.aws/credentials) with a profile
       s3Config.credentials = fromIni({ profile: config.profile });
-    } else {
-      // Fallback to public access
+    } else if (config.publicAccess) {
+      // Access the S3 bucket without authentication
       s3Config.signer = {
         sign: async (request) => request,
       };

website/src/docs/configuration.md

@@ -249,6 +249,7 @@ In case you use a different env variable, you can pass it as a `accessKeyId` and
 | `directory`          | `string` | No       | The directory to store artifacts in the S3 server (defaults to `rock-artifacts`)                 |
 | `name`               | `string` | No       | The display name of the provider (defaults to `S3`)                                              |
 | `linkExpirationTime` | `number` | No       | The time in seconds for presigned URLs to expire (defaults to 24 hours)                          |
+| `publicAccess`      | `boolean`| No       | If true, the provider will not sign requests and will try to access the S3 bucket without authentication |
 
 #### Authentication Methods
 
@@ -259,7 +260,7 @@ The S3 provider supports multiple authentication methods through the underlying
 - **AWS credentials file**: Use `~/.aws/credentials` with the `profile` option
 - **Role assumption**: Use `roleArn` to assume a different role, optionally with `profile` as source credentials
 - **Temporary credentials**: Set `AWS_SESSION_TOKEN` environment variable for temporary credentials
-- **Public access**: When no credentials are provided, the provider configures a custom signer that doesn't sign requests, allowing access to public S3 buckets without authentication
+- **Public access**: Set `publicAccess: true` to explicitly disable request signing and access public S3 buckets without authentication
 
 #### Cloudflare R2