anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-26 08:54:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: send additional_permissions in token exchange request

Browse Source 
Parse the ADDITIONAL_PERMISSIONS env var and send it as a JSON body
in the OIDC token exchange request. Permissions are merged on top of
the standard defaults (contents: write, pull_requests: write,
issues: write).
This commit is contained in:
Ashwin Bhat
2026-01-24 17:03:44 -08:00
parent f64219702d
commit 774d5204a1
3 changed files with 156 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
test/parse-permissions.test.ts Normal file
View File

@@ -0,0 +1,97 @@
import { describe, expect, test, beforeEach, afterEach } from "bun:test";
import { parseAdditionalPermissions } from "../src/github/token";
describe("parseAdditionalPermissions", () => {
let originalEnv: string | undefined;
beforeEach(() => {
originalEnv = process.env.ADDITIONAL_PERMISSIONS;
});
afterEach(() => {
if (originalEnv === undefined) {
delete process.env.ADDITIONAL_PERMISSIONS;
} else {
process.env.ADDITIONAL_PERMISSIONS = originalEnv;
}
});
test("returns undefined when env var is not set", () => {
delete process.env.ADDITIONAL_PERMISSIONS;
expect(parseAdditionalPermissions()).toBeUndefined();
});
test("returns undefined when env var is empty string", () => {
process.env.ADDITIONAL_PERMISSIONS = "";
expect(parseAdditionalPermissions()).toBeUndefined();
});
test("returns undefined when env var is only whitespace", () => {
process.env.ADDITIONAL_PERMISSIONS = " \n \n ";
expect(parseAdditionalPermissions()).toBeUndefined();
});
test("parses single permission and merges with defaults", () => {
process.env.ADDITIONAL_PERMISSIONS = "actions: read";
expect(parseAdditionalPermissions()).toEqual({
contents: "write",
pull_requests: "write",
issues: "write",
actions: "read",
});
});
test("parses multiple permissions", () => {
process.env.ADDITIONAL_PERMISSIONS = "actions: read\nworkflows: write";
expect(parseAdditionalPermissions()).toEqual({
contents: "write",
pull_requests: "write",
issues: "write",
actions: "read",
workflows: "write",
});
});
test("additional permissions can override defaults", () => {
process.env.ADDITIONAL_PERMISSIONS = "contents: read";
expect(parseAdditionalPermissions()).toEqual({
contents: "read",
pull_requests: "write",
issues: "write",
});
});
test("handles extra whitespace around keys and values", () => {
process.env.ADDITIONAL_PERMISSIONS = " actions : read ";
expect(parseAdditionalPermissions()).toEqual({
contents: "write",
pull_requests: "write",
issues: "write",
actions: "read",
});
});
test("skips empty lines", () => {
process.env.ADDITIONAL_PERMISSIONS =
"actions: read\n\n\nworkflows: write\n\n";
expect(parseAdditionalPermissions()).toEqual({
contents: "write",
pull_requests: "write",
issues: "write",
actions: "read",
workflows: "write",
});
});
test("skips lines without colons", () => {
process.env.ADDITIONAL_PERMISSIONS =
"actions: read\ninvalid line\nworkflows: write";
expect(parseAdditionalPermissions()).toEqual({
contents: "write",
pull_requests: "write",
issues: "write",
actions: "read",
workflows: "write",
});
});
});