provenance by default

Author: reggi

lib/utils/oidc.js

@@ -116,6 +116,29 @@ async function oidc ({ packageName, registry, opts, config }) {
       return undefined
     }
 
+    const [headerB64, payloadB64] = idToken.split('.')
+    let isPublicRepo = false
+    if (headerB64 && payloadB64) {
+      const payloadJson = Buffer.from(payloadB64, 'base64').toString('utf8')
+      try {
+        const payload = JSON.parse(payloadJson)
+        if (ciInfo.GITHUB_ACTIONS && payload.repository_visibility) {
+          isPublicRepo = payload.repository_visibility
+        }
+        if (ciInfo.GITLAB && payload.project_visibility) {
+          isPublicRepo = payload.project_visibility
+        }
+      } catch (e) {
+        log.silly('oidc', 'Failed to parse idToken payload as JSON')
+      }
+    }
+
+    if (isPublicRepo) {
+      log.silly('oidc', 'Repository is public, setting access to public')
+      opts.provenance = true
+      config.set('provenance', true, 'user')
+    }
+
     log.silly('oidc', `id_token has a length of ${idToken.length} characters`)
 
     const parsedRegistry = new URL(registry)
@@ -157,6 +180,7 @@ async function oidc ({ packageName, registry, opts, config }) {
     opts[authTokenKey] = response.token
     config.set(authTokenKey, response.token, 'user')
     log.silly('oidc', `OIDC token successfully retrieved`)
+
   } catch (error) {
     /* istanbul ignore next */
     log.verbose('oidc', 'Failure checking OIDC config', error)