fix: only emit warning if the lifetime exceeds 1 hour
sethvargo committed May 16, 2022
1 parent ce2cf1a commit f322a0d
Showing 3 changed files with 7 additions and 4 deletions.
7 changes: 5 additions & 2 deletions README.md
@@ -158,14 +158,17 @@ workflow. By default, this action does not generate any tokens.
[`constraints/iam.allowServiceAccountCredentialLifetimeExtension`
organization policy][orgpolicy-creds-lifetime] is enabled.

Note: In order to support Domain-Wide Delegation via Workload Identity
Federation, you must grant the external identity ("principalSet")
In order to support Domain-Wide Delegation via Workload Identity Federation,
you must grant the external identity ("principalSet")
`roles/iam.serviceAccountTokenCreator` in addition to
`roles/iam.workloadIdentityUser`. The default Workload Identity setup will
only grant the latter role. If you want to use this GitHub Action with
Domain-Wide Delegation, you must manually add the "Service Account Token
Creator" role onto the external identity.

You will also need to customize the `access_token_scopes` value to
correspond to the OAuth scopes required for the API(s) you will access.

### Generating ID tokens

The following inputs are for _generating_ ID tokens for authenticating to Google
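Review bot: Missing documentation: this hunk only drops the "Note:" prefix and reflows the Domain-Wide Delegation paragraph, while the commit message says the warning is now emitted only when the lifetime exceeds 1 hour. The paragraph just above, which already discusses the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` organization policy, is the natural place to state that one-hour threshold so users know when to expect the message and when a lifetime request will need the policy enabled.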
2 changes: 1 addition & 1 deletion docs/TROUBLESHOOTING.md
@@ -91,7 +91,7 @@ If you get an error like:
The size of mapped attribute exceeds the 127 bytes limit.
```

it means that the GitHub OIDC token had a claim that exceeded the maximum
it means that the GitHub OIDC token had a claim that exceeded the maximum
allowed value of 127 bytes. In general, 1 byte = 1 character. This most common
reason this occurs is due to long repo names or long branch names.

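Review bot: The removed and added lines render identically, so this appears to be a whitespace-only change and is fine as such; while this paragraph is being touched, the following line's "This most common reason this occurs is due to" should read "The most common reason this occurs is" to fix the typo and the redundant "due to".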
2 changes: 1 addition & 1 deletion src/main.ts
@@ -210,7 +210,7 @@ async function run(): Promise<void> {
// perform Domain-Wide Delegation. Otherwise, use the modern IAM
// Credentials endpoints.
let accessToken, expiration;
if (accessTokenSubject) {
if (accessTokenSubject && accessTokenLifetime > 3600) {
logInfo(
`An access token subject was specified, triggering Domain-Wide ` +
`Delegation flow. This flow does not support specifying an ` +
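Review bot: The new condition `if (accessTokenSubject && accessTokenLifetime > 3600)` appears to guard flow selection, not just the log message: the comment above says this branch performs Domain-Wide Delegation and the `else` falls through to the IAM Credentials endpoints, so a caller who specifies a subject with a lifetime of 3600 seconds or less would now silently skip the Domain-Wide Delegation flow instead of merely skipping the warning the commit message describes. If the intent is only to suppress the message, keep `if (accessTokenSubject) {` for the branch and move the `accessTokenLifetime > 3600` check onto the `logInfo(` call inside it. Two smaller points: confirm `accessTokenLifetime` is a number of seconds at this point rather than the raw string input, since a string comparison against `3600` would not behave as intended, and consider a named constant for the one-hour limit so the threshold and the policy it relates to are documented in one place.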