Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the start-proxy action’s credential parsing/types so it can accept and forward future OIDC-based private registry authentication configurations (Azure/AWS/JFrog) to the Dependabot authentication proxy.
Changes:
- Extend registry credential typing/validation to include OIDC configuration shapes (Azure/AWS/JFrog) and add a redacting
credentialToStrinsrc/start-proxy/types.ts. - Add/adjust unit tests to cover OIDC acceptance, printable-character validation for OIDC fields, and new
credentialToStrformatting/redaction. - Add a changelog entry describing upcoming OIDC-registry compatibility.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/start-proxy/types.ts | Adds OIDC auth config types/guards and a new credentialToStr implementation for safe logging. |
| src/start-proxy/types.test.ts | New unit tests for credentialToStr across password/token/OIDC credential shapes. |
| src/start-proxy.ts | Adds getAuthConfig and updates credential validation/handling to propagate OIDC configs. |
| src/start-proxy.test.ts | Updates and expands tests for OIDC credential acceptance and validation behaviors. |
| lib/start-proxy-action.js | Generated build output (not reviewed). |
| CHANGELOG.md | Documents OIDC-registry config acceptance. |
Comments suppressed due to low confidence (2)
src/start-proxy/types.ts:93
isAWSConfigtreats any defined values as valid (including numbers/objects). Since these fields are declared as strings, the guard should also enforcetypeof config[property] === "string"for required properties (andaudienceif present) so invalid types don't slip through validation and reach the proxy.
/** Decides whether `config` is an AWS OIDC configuration. */
export function isAWSConfig(config: Partial<AuthConfig>): config is AWSConfig {
// All of these properties are required.
const requiredProperties = [
"aws_region",
"account_id",
"role_name",
"domain",
"domain_owner",
];
for (const property of requiredProperties) {
if (!(property in config) || !isDefined(config[property])) {
return false;
}
}
return true;
}
src/start-proxy/types.ts:109
isJFrogConfigonly checks thatjfrog_oidc_provider_nameis defined, but not that it's a string. Consider requiringtypeof jfrog_oidc_provider_name === "string"(and validating optional fields if present) to avoid propagating malformed configs.
/** Decides whether `config` is a JFrog OIDC configuration. */
export function isJFrogConfig(
config: Partial<AuthConfig>,
): config is JFrogConfig {
return (
"jfrog_oidc_provider_name" in config &&
isDefined(config.jfrog_oidc_provider_name)
);
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
sam-robson
requested changes
Mar 10, 2026
Contributor
sam-robson
left a comment
sam-robson
left a comment
There was a problem hiding this comment.
A minor thing, otherwise lgtm!
sam-robson
previously approved these changes
Mar 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Dependabot team have been working on support for OIDC-based authentication in the Dependabot authentication proxy, which we also use to support private package registries in Default Setup.
This PR modifies the
start-proxyaction to accept such configurations and propagate them to the proxy. This will ensure that we are ready to support OIDC-based authentication when such configurations are available to us. This is not yet the case at the time of writing.However, that should not block this PR from being merged, since we just perform validation that will allow such configurations to be propagated to the proxy in the future.
Notes for reviewers
Best reviewed commit-by-commit. See the internal issue for more context and references.
Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
dynamicworkflows (Default Setup, Code Quality, ...).Products:
analysis-kinds: code-scanning.analysis-kinds: code-quality.Environments:
github.comand/or GitHub Enterprise Cloud with Data Residency.How did/will you validate this change?
.test.tsfiles).pr-checks).If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist