From 530fcb3bbf6b4ec77dc7c4e7cd1ebcdeaef33be1 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Sat, 25 Apr 2026 17:07:33 +0100
Subject: [PATCH] Group OIDC schemas into an array

---
 lib/start-proxy-action.js          | 18 +++++++++++-------
 src/json/testing-util.ts           | 15 +++++++++++++++
 src/start-proxy.test.ts            | 23 +++++++----------------
 src/start-proxy/types.ts           |  7 +++++++
 src/start-proxy/validation.test.ts | 25 +++----------------------
 src/start-proxy/validation.ts      | 15 ++++++++-------
 6 files changed, 51 insertions(+), 52 deletions(-)
 create mode 100644 src/json/testing-util.ts

diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index ae42e20aa..ad1558e75 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -122045,6 +122045,11 @@ var jfrogConfigSchema = {
 function isJFrogConfig(config) {
   return validateSchema(jfrogConfigSchema, config);
 }
+var oidcSchemas = [
+  { schema: azureConfigSchema, name: "Azure" },
+  { schema: awsConfigSchema, name: "AWS" },
+  { schema: jfrogConfigSchema, name: "JFrog" }
+];
 function credentialToStr(credential) {
   let result = `Type: ${credential.type};`;
   const appendIfDefined = (name, val) => {
@@ -122107,13 +122112,12 @@ function cloneCredential(schema2, obj) {
   return result;
 }
 function getAuthConfig(config) {
-  if (isAzureConfig(config)) {
-    return cloneCredential(azureConfigSchema, config);
-  } else if (isAWSConfig(config)) {
-    return cloneCredential(awsConfigSchema, config);
-  } else if (isJFrogConfig(config)) {
-    return cloneCredential(jfrogConfigSchema, config);
-  } else if (isToken(config)) {
+  for (const oidcSchema of oidcSchemas) {
+    if (validateSchema(oidcSchema.schema, config)) {
+      return cloneCredential(oidcSchema.schema, config);
+    }
+  }
+  if (isToken(config)) {
     if (isDefined2(config.token)) {
       core8.setSecret(config.token);
     }
diff --git a/src/json/testing-util.ts b/src/json/testing-util.ts
new file mode 100644
index 000000000..1fc928967
--- /dev/null
+++ b/src/json/testing-util.ts
@@ -0,0 +1,15 @@
+import * as json from ".";
+
+export function makeFromSchema<S extends json.Schema>(
+  includeOptional: boolean,
+  schema: S,
+): json.FromSchema<S> {
+  const result = {};
+  for (const [key, validator] of Object.entries(schema)) {
+    if (!validator.required && !includeOptional) {
+      continue;
+    }
+    result[key] = `value-for-${key}`;
+  }
+  return result as json.FromSchema<S>;
+}
diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts
index 4d8f4afee..babbfb43c 100644
--- a/src/start-proxy.test.ts
+++ b/src/start-proxy.test.ts
@@ -8,6 +8,7 @@ import sinon from "sinon";
 import * as apiClient from "./api-client";
 import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
+import { makeFromSchema } from "./json/testing-util";
 import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
@@ -457,23 +458,13 @@ test("getCredentials throws an error when non-printable characters are used for
 });
 
 test("getCredentials accepts OIDC configurations", (t) => {
-  const oidcConfigurations = [
-    {
+  const oidcConfigurations = startProxyExports.oidcSchemas.map(
+    (schemaInfo) => ({
       type: "nuget_feed",
-      host: "azure.pkg.github.com",
-      ...validAzureCredential,
-    },
-    {
-      type: "nuget_feed",
-      host: "aws.pkg.github.com",
-      ...validAwsCredential,
-    },
-    {
-      type: "nuget_feed",
-      host: "jfrog.pkg.github.com",
-      ...validJFrogCredential,
-    },
-  ];
+      host: `${schemaInfo.name.toLowerCase()}.pkg.github.com`,
+      ...makeFromSchema(true, schemaInfo.schema),
+    }),
+  );
 
   const credentials = startProxyExports.getCredentials(
     getRunnerLogger(true),
diff --git a/src/start-proxy/types.ts b/src/start-proxy/types.ts
index 500f7fcf7..ddc4e6d79 100644
--- a/src/start-proxy/types.ts
+++ b/src/start-proxy/types.ts
@@ -118,6 +118,13 @@ export function isJFrogConfig(
   return json.validateSchema(jfrogConfigSchema, config);
 }
 
+/** An array of all OIDC configuration schemas along with output-friendly names. */
+export const oidcSchemas = [
+  { schema: azureConfigSchema, name: "Azure" },
+  { schema: awsConfigSchema, name: "AWS" },
+  { schema: jfrogConfigSchema, name: "JFrog" },
+];
+
 /** Represents all supported OIDC configurations. */
 export type OIDC = AzureConfig | AWSConfig | JFrogConfig;
 
diff --git a/src/start-proxy/validation.test.ts b/src/start-proxy/validation.test.ts
index a8f2b0102..7c0cc1652 100644
--- a/src/start-proxy/validation.test.ts
+++ b/src/start-proxy/validation.test.ts
@@ -1,6 +1,7 @@
 import test from "ava";
 
 import * as json from "../json";
+import { makeFromSchema } from "../json/testing-util";
 import { setupTests } from "../testing-utils";
 
 import * as types from "./types";
@@ -8,27 +9,7 @@ import { getAuthConfig } from "./validation";
 
 setupTests(test);
 
-function makeFromSchema(
-  includeOptional: boolean,
-  schema: json.Schema,
-): json.FromSchema<typeof schema> {
-  const result = {};
-  for (const [key, validator] of Object.entries(schema)) {
-    if (!validator.required && !includeOptional) {
-      continue;
-    }
-    result[key] = `value-for-${key}`;
-  }
-  return result;
-}
-
-const schemaTests = [
-  { schema: types.azureConfigSchema, name: "isAzureConfig" },
-  { schema: types.awsConfigSchema, name: "isAWSConfig" },
-  { schema: types.jfrogConfigSchema, name: "isJFrogConfig" },
-] as Array<{ schema: json.Schema; name: string }>;
-
-for (const schemaTest of schemaTests) {
+for (const schemaTest of types.oidcSchemas) {
   for (const includeOptional of [true, false]) {
     const minimalName = includeOptional ? "full" : "minimal";
 
@@ -39,7 +20,7 @@ for (const schemaTest of schemaTests) {
         getAuthConfig({
           ...config,
           unexpected: "unexpected-value",
-        } as json.UnvalidatedObject<types.AuthConfig>),
+        } as unknown as json.UnvalidatedObject<types.AuthConfig>),
         config,
       );
     });
diff --git a/src/start-proxy/validation.ts b/src/start-proxy/validation.ts
index 15ec21603..878f2eb4d 100644
--- a/src/start-proxy/validation.ts
+++ b/src/start-proxy/validation.ts
@@ -30,13 +30,14 @@ export function getAuthConfig(
 ): AuthConfig {
   // Start by checking for the OIDC configurations, since they have required properties
   // which we can use to identify them.
-  if (types.isAzureConfig(config)) {
-    return cloneCredential(types.azureConfigSchema, config);
-  } else if (types.isAWSConfig(config)) {
-    return cloneCredential(types.awsConfigSchema, config);
-  } else if (types.isJFrogConfig(config)) {
-    return cloneCredential(types.jfrogConfigSchema, config);
-  } else if (types.isToken(config)) {
+  for (const oidcSchema of types.oidcSchemas) {
+    if (json.validateSchema(oidcSchema.schema, config)) {
+      return cloneCredential(oidcSchema.schema, config);
+    }
+  }
+
+  // Otherwise, try the basic configuration types.
+  if (types.isToken(config)) {
     // There are three scenarios for non-OIDC authentication based on the registry type:
     //
     // 1. `username`+`token`