Accept OIDC configurations in start-proxy

[mbg]

The Dependabot team have been working on support for OIDC-based authentication in the Dependabot authentication proxy, which we also use to support private package registries in Default Setup.

This PR modifies the start-proxy action to accept such configurations and propagate them to the proxy. This will ensure that we are ready to support OIDC-based authentication when such configurations are available to us. This is not yet the case at the time of writing.

However, that should not block this PR from being merged, since we just perform validation that will allow such configurations to be propagated to the proxy in the future.

Notes for reviewers

Best reviewed commit-by-commit. See the internal issue for more context and references.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR updates the start-proxy action’s credential parsing/types so it can accept and forward future OIDC-based private registry authentication configurations (Azure/AWS/JFrog) to the Dependabot authentication proxy.

Changes:

• Extend registry credential typing/validation to include OIDC configuration shapes (Azure/AWS/JFrog) and add a redacting credentialToStr in src/start-proxy/types.ts.
• Add/adjust unit tests to cover OIDC acceptance, printable-character validation for OIDC fields, and new credentialToStr formatting/redaction.
• Add a changelog entry describing upcoming OIDC-registry compatibility.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/start-proxy/types.ts	Adds OIDC auth config types/guards and a new credentialToStr implementation for safe logging.
src/start-proxy/types.test.ts	New unit tests for credentialToStr across password/token/OIDC credential shapes.
src/start-proxy.ts	Adds getAuthConfig and updates credential validation/handling to propagate OIDC configs.
src/start-proxy.test.ts	Updates and expands tests for OIDC credential acceptance and validation behaviors.
lib/start-proxy-action.js	Generated build output (not reviewed).
CHANGELOG.md	Documents OIDC-registry config acceptance.

Comments suppressed due to low confidence (2)

src/start-proxy/types.ts:93

• isAWSConfig treats any defined values as valid (including numbers/objects). Since these fields are declared as strings, the guard should also enforce typeof config[property] === "string" for required properties (and audience if present) so invalid types don't slip through validation and reach the proxy.

/** Decides whether `config` is an AWS OIDC configuration. */
export function isAWSConfig(config: Partial<AuthConfig>): config is AWSConfig {
  // All of these properties are required.
  const requiredProperties = [
    "aws_region",
    "account_id",
    "role_name",
    "domain",
    "domain_owner",
  ];

  for (const property of requiredProperties) {
    if (!(property in config) || !isDefined(config[property])) {
      return false;
    }
  }
  return true;
}

src/start-proxy/types.ts:109

• isJFrogConfig only checks that jfrog_oidc_provider_name is defined, but not that it's a string. Consider requiring typeof jfrog_oidc_provider_name === "string" (and validating optional fields if present) to avoid propagating malformed configs.

/** Decides whether `config` is a JFrog OIDC configuration. */
export function isJFrogConfig(
  config: Partial<AuthConfig>,
): config is JFrogConfig {
  return (
    "jfrog_oidc_provider_name" in config &&
    isDefined(config.jfrog_oidc_provider_name)
  );

[Copilot]

isAzureConfig only checks that tenant_id/client_id are defined, but not that they are strings. This allows non-string values to be treated as valid Azure OIDC config and propagated to the proxy. Tighten the guard to require typeof tenant_id === "string" and typeof client_id === "string" (and optionally non-empty).

This issue also appears in the following locations of the same file:

• line 76
• line 102

Suggested change

	isDefined(config.client_id)
	isDefined(config.client_id) &&
	typeof config.tenant_id === "string" &&
	typeof config.client_id === "string" &&
	config.tenant_id.length > 0 &&
	config.client_id.length > 0

[sam-robson]

A minor thing, otherwise lgtm!