feat: Add ability to use GitHub OIDC

[nicholas-codecov]

Description

This PR adds in support for using GitHub OIDC with the bundler plugins.

Closes codecov/engineering-team#2209

Notable Changes

• Add new config options to enable OIDC
• Add in @actions/core package
• Add in logic in getPreSignedUrl to grab the token through GitHub OIDC

[codecov-notifications]

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

Components	Coverage Δ
Plugin core	96.84% <100.00%> (+<0.01%)	⬆️
Rollup plugin	10.81% <ø> (ø)
Vite plugin	11.02% <ø> (ø)
Webpack plugin	50.11% <ø> (ø)

📢 Thoughts on this report? Let us know!

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.43%. Comparing base (be89828) to head (d3aa674).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

Components	Coverage Δ
Plugin core	96.84% <100.00%> (+<0.01%)	⬆️
Rollup plugin	10.81% <ø> (ø)
Vite plugin	11.02% <ø> (ø)
Webpack plugin	50.11% <ø> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov]

Bundle Report

Changes will increase total bundle size by 183.02kB ⬆️

Bundle name	Size	Change
@codecov/bundler-plugin-core-cjs	46.59kB	1.16kB ⬆️
@codecov/bundler-plugin-core-esm	41.56kB	31.3kB ⬆️
@codecov/example-sveltekit-app-client-esm	714.98kB	2 bytes ⬆️
@codecov/example-oidc-app-esm	150.57kB	150.57kB ⬆️

[codecov-staging]

Bundle Report

Changes will increase total bundle size by 446.46kB ⬆️

Bundle name	Size	Change
@codecov/vite-plugin-cjs	2.8kB	2.8kB ⬆️
@codecov/vite-plugin-esm	1.24kB	1.24kB ⬆️
@codecov/nextjs-webpack-plugin-cjs	2.11kB	2.11kB ⬆️
@codecov/nuxt-plugin-cjs	1.41kB	1.41kB ⬆️
@codecov/nextjs-webpack-plugin-esm	1.88kB	1.88kB ⬆️
@codecov/example-next-15-app-server-cjs	359.11kB	359.11kB ⬆️
@codecov/rollup-plugin-esm	1.3kB	1.3kB ⬆️
@codecov/remix-vite-plugin-esm	1.1kB	1.1kB ⬆️
@codecov/remix-vite-plugin-cjs	1.32kB	1.32kB ⬆️
@codecov/solidstart-plugin-cjs	1.33kB	1.33kB ⬆️
@codecov/sveltekit-plugin-cjs	1.33kB	1.33kB ⬆️
@codecov/sveltekit-plugin-esm	1.1kB	1.1kB ⬆️
@codecov/solidstart-plugin-esm	949 bytes	949 bytes ⬆️
@codecov/webpack-plugin-cjs	4.35kB	4.35kB ⬆️
@codecov/nuxt-plugin-esm	830 bytes	830 bytes ⬆️
@codecov/webpack-plugin-esm	3.36kB	3.36kB ⬆️
@codecov/rollup-plugin-cjs	2.82kB	2.82kB ⬆️
@codecov/bundler-plugin-core-cjs	46.59kB	46.59kB ⬆️
@codecov/bundler-plugin-core-esm	12.24kB	12.24kB ⬆️
@codecov/example-next-app-edge-server-array-push	(removed)	354 bytes ⬇️
@codecov/example-next-15-app-edge-server-array-push	(removed)	356 bytes ⬇️

[suejung-sentry]

Awesome stuff!! 🚀
Sorry for the long comments - let me know what you think!

[suejung-sentry]

From the docs, it seems we need to pass to getIDToken() the audience to match that as we set in codecov-api here.
For example in prod that would be either settings.CODECOV_API_URL = https://api.codecov.io or settings.CODECOV_URL = https://codecov.io

Given that I think we should name that variable something like gitHubOIDCTokenAudience

[nicholas-codecov]

So the audience is the OIDC endpoint, which I can rename to your suggestion. To implement this I followed along with how we have this done up in our action

[suejung-sentry]

Ah gotcha. I'd argue the variable over there is misnamed too 🙃 . And arguably relying on a (potentially changing) implementation detail of our codecov-api server.

As in re: "the audience is the OIDC endpoint" - that works as long as the server consuming the JWT token issued through GitHub OIDC validates the JWT expecting the audience to be the same string as the url host. Which may not always hold true, but happens to in our case. Other servers perhaps may be hosted at https://mysubdomain.myhost.com while the audience is expected to be https://*.myhost.com or https://myhost.com or other..

In any case I like what you've got here now - thank you for all this!

[suejung-sentry]

(See other PR comment re: this variable.)

Technically, something like below may be a little clearer:

/**
 * The expected audience in the GitHub OIDC JWT token to be validated by the apiUrl.
 *
 * Defaults to `https://codecov.io`
 */
gitHubOIDCTokenAudience?: string;

The value of this string needs to match that at codecov-api here.

We are never actually hitting this "endpoint" and technically the value of this doesn't need to be a url at all.

[AbhiPrasad]

we should attach err as the error.cause of the FailedOIDCFetchError

[nicholas-codecov]

Hrm, I'm getting type errors trying to add a second argument to Error, I see it in the MDN docs. I tried updating the @types/node however that didn't resolve the issue, any other ideas/guidance 👀

[AbhiPrasad]

Hmm it might be because of the tsconfig here:

codecov-javascript-bundler-plugins/tsconfig.json

Line 11 in be89828

"lib": ["DOM", "DOM.Iterable", "ES2021"],

try setting it to be ES2022?

if that doesn't work feel free to ignore this and more forward.

[nicholas-codecov]

ahh yea that did the trick

[suejung-sentry]

This is amazing, thank you so much for all this work!!