SonarSource
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎action.yml‎
Lines changed: 9 additions & 160 deletions b/‎action.yml‎
Lines changed: 9 additions & 160 deletions
diff --git a/‎package.json‎
Lines changed: 35 additions & 0 deletions b/‎package.json‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎src/auth/cognito.ts‎
Lines changed: 108 additions & 0 deletions b/‎src/auth/cognito.ts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎src/auth/index.ts‎
Lines changed: 6 additions & 0 deletions b/‎src/auth/index.ts‎
Lines changed: 6 additions & 0 deletions
@@ -1 +1,4 @@
 .claude
+node_modules/
+*.log
+.DS_Store
@@ -15,181 +15,30 @@ inputs:
     description: The chunk size used to split up large files during upload, in bytes
   enableCrossOsArchive:
     description: When enabled, allows to save or restore caches that can be restored or saved respectively on other platforms
-    default: false
+    default: 'false'
   fail-on-cache-miss:
     description: Fail the workflow if cache entry is not found
-    default: false
+    default: 'false'
   lookup-only:
     description: Check if a cache entry exists for the given input(s) (key, restore-keys) without downloading the cache
-    default: false
+    default: 'false'
   environment:
-    description: Environment to use ('dev' or 'prod', 's3' backend only).
+    description: Environment to use ('dev' or 'prod', 's3' backend only)
     default: prod
   fallback-branch:
-    description: Optional maintenance branch for fallback restore keys (pattern 'branch-*', 's3' backend only). If not set, the repository
-      default branch is used.
+    description: Optional maintenance branch for fallback restore keys (pattern 'branch-*', 's3' backend only). If not set, the repository default branch is used.
   backend:
     description: Force cache backend ('github' or 's3'). If not set, automatically determined based on repository visibility.
 
 outputs:
   cache-hit:
     description: A boolean value to indicate an exact match was found for the primary key
-    value: ${{ steps.github-cache.outputs.cache-hit || steps.s3-cache.outputs.cache-hit }}
 
 runs:
-  using: composite
-  steps:
-    - name: Determine cache backend
-      id: cache-backend
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-        REPO_VISIBILITY: ${{ github.event.repository.visibility }}
-        FORCED_BACKEND: ${{ inputs.backend }}
-      run: |
-        if [[ "$FORCED_BACKEND" == "github" || "$FORCED_BACKEND" == "s3" ]]; then
-          CACHE_BACKEND="$FORCED_BACKEND"
-          echo "Using forced backend: $CACHE_BACKEND"
-        else
-          # If visibility is not available in the event, try to get it from the API
-          if [[ -z "$REPO_VISIBILITY" || "$REPO_VISIBILITY" = "null" ]]; then
-            REPO_VISIBILITY=$(curl -s -H "Authorization: token ${{ github.token }}" \
-              "https://api.github.com/repos/${{ github.repository }}" | \
-              jq -r '.visibility // "private"')
-          fi
-          echo "Repository visibility: $REPO_VISIBILITY"
-
-          if [[ "$REPO_VISIBILITY" == "public" ]]; then
-            CACHE_BACKEND="github"
-            echo "Using GitHub cache for public repository"
-          else
-            CACHE_BACKEND="s3"
-            echo "Using S3 cache for private/internal repository"
-          fi
-        fi
-
-        echo "cache-backend=$CACHE_BACKEND" >> "$GITHUB_OUTPUT"
-
-    - name: Cache with GitHub Actions (public repos)
-      if: steps.cache-backend.outputs.cache-backend == 'github'
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      id: github-cache
-      with:
-        path: ${{ inputs.path }}
-        key: ${{ inputs.key }}
-        restore-keys: ${{ inputs.restore-keys }}
-        upload-chunk-size: ${{ inputs.upload-chunk-size }}
-        enableCrossOsArchive: ${{ inputs.enableCrossOsArchive }}
-        fail-on-cache-miss: ${{ inputs.fail-on-cache-miss }}
-        lookup-only: ${{ inputs.lookup-only }}
-
-    # Cache with S3 (private/internal repos)
-    - name: Authenticate to AWS
-      if: steps.cache-backend.outputs.cache-backend == 's3'
-      id: aws-auth
-      shell: bash
-      env:
-        POOL_ID: ${{ inputs.environment == 'prod' && 'eu-central-1:511fe374-ae4f-46d0-adb7-9246e570c7f4' || 'eu-central-1:3221c6ea-3f67-4fd8-a7ff-7426f96add89' }}
-        AWS_ACCOUNT_ID: ${{ inputs.environment == 'prod' && '275878209202' || '460386131003' }}
-        IDENTITY_PROVIDER_NAME: token.actions.githubusercontent.com
-        AUDIENCE: cognito-identity.amazonaws.com
-        AWS_REGION: eu-central-1
-        GITHUB_RUN_ID: ${{ github.run_id }}
-      run: |
-        # Get GitHub Actions ID token using script
-        ACCESS_TOKEN=$("$GITHUB_ACTION_PATH/scripts/get-github-token.sh")
-        echo "::add-mask::$ACCESS_TOKEN"
-
-        # Get Identity ID
-        identityId=$(aws cognito-identity get-id \
-        --identity-pool-id "$POOL_ID" \
-        --account-id "$AWS_ACCOUNT_ID" \
-        --logins '{"'"$IDENTITY_PROVIDER_NAME"'":"'"$ACCESS_TOKEN"'"}' \
-        --query 'IdentityId' --output text)
-
-        # Validate Identity ID was obtained
-        if [[ "$identityId" == "null" || -z "$identityId" ]]; then
-          echo "::error::Failed to obtain Identity ID from Cognito Identity Pool"
-          echo "::error::Check identity pool configuration and IAM roles"
-          exit 1
-        fi
-
-        # Get and validate AWS credentials
-        awsCredentials=$(aws cognito-identity get-credentials-for-identity \
-        --identity-id "$identityId" \
-        --logins '{"'"$IDENTITY_PROVIDER_NAME"'":"'"$ACCESS_TOKEN"'"}')
-
-        AWS_ACCESS_KEY_ID=$(echo "$awsCredentials" | jq -r ".Credentials.AccessKeyId")
-        AWS_SECRET_ACCESS_KEY=$(echo "$awsCredentials" | jq -r ".Credentials.SecretKey")
-        AWS_SESSION_TOKEN=$(echo "$awsCredentials" | jq -r ".Credentials.SessionToken")
-        if [[ "$AWS_ACCESS_KEY_ID" == "null" || -z "$AWS_ACCESS_KEY_ID" ]]; then
-          echo "::error::Failed to obtain AWS Access Key ID"
-          exit 1
-        fi
-        if [[ "$AWS_SECRET_ACCESS_KEY" == "null" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
-          echo "::error::Failed to obtain AWS Secret Access Key"
-          exit 1
-        fi
-        if [[ "$AWS_SESSION_TOKEN" == "null" || -z "$AWS_SESSION_TOKEN" ]]; then
-          echo "::error::Failed to obtain AWS Session Token"
-          exit 1
-        fi
-        echo "::add-mask::$AWS_ACCESS_KEY_ID"
-        echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
-        echo "::add-mask::$AWS_SESSION_TOKEN"
-
-        # Create a unique AWS profile to isolate credentials from user-configured AWS credentials
-        # This prevents credential override when users call aws-actions/configure-aws-credentials
-        # between the cache restore (main step) and cache save (post step)
-        PROFILE_NAME="gh-action-cache-${GITHUB_RUN_ID}"
-
-        mkdir -p ~/.aws
-        chmod 700 ~/.aws
-
-        # Write credentials to a dedicated profile using AWS CLI (handles file format and permissions correctly)
-        aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$PROFILE_NAME"
-        aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$PROFILE_NAME"
-        aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$PROFILE_NAME"
-        aws configure set region eu-central-1 --profile "$PROFILE_NAME"
-        echo "Created AWS profile: $PROFILE_NAME"
-        echo "AWS_PROFILE=$PROFILE_NAME" >> "$GITHUB_OUTPUT"
-        # Export to GITHUB_ENV so the profile persists to post steps (cache save)
-        # This is necessary because step-level env vars don't persist to post steps
-        echo "AWS_PROFILE=$PROFILE_NAME" >> "$GITHUB_ENV"
-        echo "AWS_DEFAULT_PROFILE=$PROFILE_NAME" >> "$GITHUB_ENV"
-
-    - name: Prepare cache keys
-      if: steps.cache-backend.outputs.cache-backend == 's3'
-      shell: bash
-      id: prepare-keys
-      env:
-        INPUT_KEY: ${{ inputs.key }}
-        INPUT_RESTORE_KEYS: ${{ inputs.restore-keys }}
-        INPUT_FALLBACK_BRANCH: ${{ inputs.fallback-branch }}
-        GITHUB_TOKEN: ${{ github.token }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: $GITHUB_ACTION_PATH/scripts/prepare-keys.sh
-
-    - name: Cache on S3
-      if: steps.cache-backend.outputs.cache-backend == 's3'
-      uses: runs-on/cache@50350ad4242587b6c8c2baa2e740b1bc11285ff4 # v4.3.0
-      id: s3-cache
-      env:
-        RUNS_ON_S3_BUCKET_CACHE: sonarsource-s3-cache-${{ inputs.environment }}-bucket
-        AWS_DEFAULT_REGION: eu-central-1
-        AWS_REGION: eu-central-1
-        # Use AWS profile instead of direct credentials to prevent override issues
-        # When users configure their own AWS credentials mid-job, the profile remains isolated
-        AWS_PROFILE: ${{ steps.aws-auth.outputs.AWS_PROFILE }}
-        AWS_DEFAULT_PROFILE: ${{ steps.aws-auth.outputs.AWS_PROFILE }}
-      with:
-        path: ${{ inputs.path }}
-        key: ${{ steps.prepare-keys.outputs.branch-key }}
-        restore-keys: ${{ steps.prepare-keys.outputs.branch-restore-keys }}
-        upload-chunk-size: ${{ inputs.upload-chunk-size }}
-        enableCrossOsArchive: ${{ inputs.enableCrossOsArchive }}
-        fail-on-cache-miss: ${{ inputs.fail-on-cache-miss }}
-        lookup-only: ${{ inputs.lookup-only }}
+  using: 'node20'
+  main: 'dist/main/index.js'
+  post: 'dist/post/index.js'
+  post-if: success()
 
 branding:
   icon: upload-cloud
 
@@ -0,0 +1,35 @@
+{
+  "name": "gh-action-cache",
+  "version": "2.0.0",
+  "private": true,
+  "description": "Cache files on S3 with branch-specific paths for granular permissions",
+  "scripts": {
+    "build": "npm run build:main && npm run build:post",
+    "build:main": "ncc build src/main.ts -o dist/main --source-map",
+    "build:post": "ncc build src/post.ts -o dist/post --source-map",
+    "test": "jest",
+    "lint": "eslint src/**/*.ts",
+    "all": "npm run lint && npm run test && npm run build"
+  },
+  "dependencies": {
+    "@actions/cache": "^3.2.4",
+    "@actions/core": "^1.10.1",
+    "@actions/github": "^6.0.0",
+    "@actions/http-client": "^2.2.0",
+    "@aws-sdk/client-cognito-identity": "^3.500.0",
+    "@aws-sdk/client-s3": "^3.500.0",
+    "tar": "^6.2.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.11",
+    "@types/node": "^20.10.6",
+    "@types/tar": "^6.1.11",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.56.0",
+    "@typescript-eslint/eslint-plugin": "^6.18.0",
+    "@typescript-eslint/parser": "^6.18.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.1",
+    "typescript": "^5.3.3"
+  }
+}
@@ -0,0 +1,108 @@
+/**
+ * AWS Cognito Authentication
+ * Exchanges GitHub OIDC token for AWS credentials
+ */
+
+import * as core from '@actions/core';
+import {
+  CognitoIdentityClient,
+  GetIdCommand,
+  GetCredentialsForIdentityCommand,
+} from '@aws-sdk/client-cognito-identity';
+import { getGitHubOidcToken } from './oidc';
+import { AwsCredentials, CognitoConfig } from '../types';
+
+const COGNITO_CONFIG: Record<'prod' | 'dev', CognitoConfig> = {
+  prod: {
+    poolId: 'eu-central-1:511fe374-ae4f-46d0-adb7-9246e570c7f4',
+    accountId: '275878209202',
+    region: 'eu-central-1',
+  },
+  dev: {
+    poolId: 'eu-central-1:3221c6ea-3f67-4fd8-a7ff-7426f96add89',
+    accountId: '460386131003',
+    region: 'eu-central-1',
+  },
+};
+
+const IDENTITY_PROVIDER = 'token.actions.githubusercontent.com';
+const COGNITO_AUDIENCE = 'cognito-identity.amazonaws.com';
+
+/**
+ * Authenticate to AWS using GitHub OIDC and Cognito Identity Pool
+ */
+export async function authenticateAws(
+  environment: 'prod' | 'dev'
+): Promise<AwsCredentials> {
+  const config = COGNITO_CONFIG[environment];
+
+  core.info(`Authenticating to AWS Cognito (${environment} environment)...`);
+
+  // Create Cognito client without credentials (we're using OIDC)
+  const cognitoClient = new CognitoIdentityClient({
+    region: config.region,
+  });
+
+  // Step 1: Get GitHub OIDC token
+  core.debug('Requesting GitHub OIDC token...');
+  const oidcToken = await getGitHubOidcToken(COGNITO_AUDIENCE);
+  core.debug('OIDC token obtained successfully');
+
+  // Step 2: Get Cognito Identity ID
+  core.debug('Getting Cognito Identity ID...');
+  const getIdResponse = await cognitoClient.send(
+    new GetIdCommand({
+      IdentityPoolId: config.poolId,
+      AccountId: config.accountId,
+      Logins: {
+        [IDENTITY_PROVIDER]: oidcToken,
+      },
+    })
+  );
+
+  if (!getIdResponse.IdentityId) {
+    throw new Error(
+      'Failed to obtain Cognito Identity ID. ' +
+      'Check identity pool configuration and IAM trust policy.'
+    );
+  }
+
+  core.debug(`Identity ID: ${getIdResponse.IdentityId}`);
+
+  // Step 3: Get AWS credentials
+  core.debug('Getting AWS credentials from Cognito...');
+  const getCredentialsResponse = await cognitoClient.send(
+    new GetCredentialsForIdentityCommand({
+      IdentityId: getIdResponse.IdentityId,
+      Logins: {
+        [IDENTITY_PROVIDER]: oidcToken,
+      },
+    })
+  );
+
+  const credentials = getCredentialsResponse.Credentials;
+  if (
+    !credentials?.AccessKeyId ||
+    !credentials?.SecretKey ||
+    !credentials?.SessionToken
+  ) {
+    throw new Error(
+      'Failed to obtain AWS credentials from Cognito. ' +
+      'Check IAM role configuration and permissions.'
+    );
+  }
+
+  // Mask credentials in logs
+  core.setSecret(credentials.AccessKeyId);
+  core.setSecret(credentials.SecretKey);
+  core.setSecret(credentials.SessionToken);
+
+  core.info('AWS authentication successful');
+
+  return {
+    accessKeyId: credentials.AccessKeyId,
+    secretAccessKey: credentials.SecretKey,
+    sessionToken: credentials.SessionToken,
+    region: config.region,
+  };
+}
@@ -0,0 +1,6 @@
+/**
+ * Authentication module exports
+ */
+
+export { getGitHubOidcToken } from './oidc';
+export { authenticateAws } from './cognito';
-Original file line number
+Diff line change
@@ @@ -1 +1,4 @@ @@
 .claude
 +node_modules/
 +*.log
 +.DS_Store