Add oidc-only flag

[pavelzw]

• All tests passed. If this feature is not already covered by the tests, I added new tests.
• I used npm run format for formatting the code before submitting the pull request.

---

Closes #209

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[pavelzw]

I have read the CLA Document and I hereby sign the CLA

[pavelzw]

@sverdlov93 could you please take a look at this PR and tell me what you think?

[pavelzw]

@RobiNino could you please take a look?

[EyalDelarea]

Hey @pavelzw,

Thank you for opening this pull request!

I believe a better approach to achieve your goal is to export the OIDC token as an environment variable, which can then be utilized throughout the rest of your workflow.

Make sure to use clear and descriptive names for the variables and ensure they are cleared during the post-action phase to avoid any security risks.

[pavelzw]

Hey @EyalDelarea, thanks for your response!

I believe a better approach to achieve your goal is to export the OIDC token as an environment variable, which can then be utilized throughout the rest of your workflow

As mentioned in #209 (comment), I don't think that exporting the env variables is a good idea. I would prefer to just keep the output of the oidc credentials as it is right now (just using core.setOutput, see below[1])

I could use the oidc outputs in the following way:

- uses: jfrog/setup-jfrog-cli@v4
  id: artifactory
  with:
    oidc-provider-name: ${{ vars.ARTIFACTORY_OIDC_PROVIDER }}
    oidc-audience: ${{ vars.ARTIFACTORY_OIDC_AUDIENCE }}
    oidc-only: true
  env:
    JF_URL: ${{ vars.ARTIFACTORY_URL }}
- uses: prefix-dev/[email protected]
  with:
    auth-host: ${{ vars.ARTIFACTORY_URL }}
    auth-username: ${{ steps.artifactory.outputs.oidc-user }}
    auth-password: ${{ steps.artifactory.outputs.oidc-token }}
# OIDC credentials are not leaked to subsequent steps
- run: some-other-tool

I'm happy to add some additional documentation if you wish.

[1]:

setup-jfrog-cli/src/utils.ts

Lines 290 to 300 in f748a05

	core.setSecret(oidcToken);
	// Output the oidc access token as a secret
	core.setOutput('oidc-token', oidcToken);
	// Output the user from the oidc access token subject as a secret
	let payload: JWTTokenData = this.decodeOidcToken(oidcToken);
	let tokenUser: string = this.extractTokenUser(payload.sub);
	// Mark the user as a secret
	core.setSecret(tokenUser);
	// Output the user from the oidc access token subject extracted from the last section of the subject
	core.setOutput('oidc-user', tokenUser);

[pavelzw]

@EyalDelarea i just rebased on the latest master and fixed all conflicts, let me know what you think!

[EyalDelarea]

Hey @pavelzw,

Apologies for the late response — and thank you so much for the great work on this PR! 🙏 Really appreciate the effort you put in.

We’re currently working on some OIDC-related improvements that will address your use case, though in a slightly different way than suggested here.

Once those changes are in place, you’ll be able to configure a JFrog server with OIDC parameters directly ( i.e jf c add myServer --oidc-provider-name=myProvider, so you won’t need to manually pass the token between jobs anymore.

Do you think this approach would work for your use case? Would love to hear your thoughts.

Thanks again!