Merge pull request #1 from dmarcucci/main

Update logic to use native node features (e.g., crypto and fetch)

Author: dmarcucci

.gitignore

@@ -1,2 +1 @@
-.DS_Store
-node_modules/
+.DS_Store

Dockerfile

@@ -1,6 +1,6 @@
-FROM node:12.10.0-alpine
+FROM node:22.11.0-bookworm-slim
 
-LABEL "version"="0.1.4"
+LABEL "version"="1.0.0"
 LABEL "repository"="https://github.com/Greenlight-Simulation/secure-actions-webhook"
 LABEL "homepage"="https://github.com/Greenlight-Simulation/secure-actions-webhook"
 LABEL "maintainer"="Dan Marcucci <[email protected]>"
@@ -9,16 +9,12 @@ LABEL "com.github.actions.description"="Post data and an hmac signature to an en
 LABEL "com.github.actions.icon"="message-square"
 LABEL "com.github.actions.color"="gray-dark"
 
-# Add the entry point
 RUN mkdir /app
-ADD main.js /app/main.js
-ADD package.json /app/package.json
+ADD main.mjs /app/main.mjs
 ADD entrypoint.sh /app/entrypoint.sh
 RUN chmod +x /app/entrypoint.sh
 
 RUN cd /app
 WORKDIR /app
-RUN npm install
 
-# Load the entry point
 ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -8,7 +8,7 @@ Sending a string:
 
 ```yaml
 - name: Webhook
-  uses: Greenlight-Simulation/secure-actions-webhook@0.1.4
+  uses: Greenlight-Simulation/secure-actions-webhook@1.0.0
   env:
     REQUEST_URI: ${{ secrets.REQUEST_URI }}
     REQUEST_DATA: "something_interesting"
@@ -19,7 +19,7 @@ Sending a json string:
 
 ```yaml
 - name: Webhook
-  uses: Greenlight-Simulation/secure-actions-webhook@0.1.4
+  uses: Greenlight-Simulation/secure-actions-webhook@1.0.0
   env:
     REQUEST_URI: ${{ secrets.REQUEST_URI }}
     REQUEST_DATA: '{ "something": "interesting" }'

entrypoint.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 set -eu
 
-node /app/main.js
+node /app/main.mjs

main.js

@@ -0,0 +1,45 @@
+const hmacSecret = process.env.HMAC_SECRET
+
+if (!hmacSecret || hmacSecret === "" || hmacSecret.trim() === "") {
+    console.warn("HMAC_SECRET secret seems empty. This doesn't seem like what you want.")
+}
+
+if (hmacSecret.length < 32) {
+    console.warn("HMAC_SECRET seems weak. You should use at least 32 secure random hex chars.")
+}
+
+const createHmacSignature = async (jsonBody) => {
+    const key =
+        await crypto.subtle.importKey("raw",
+                                      new TextEncoder().encode(hmacSecret),
+                                      { name: "HMAC", hash: "SHA-256" },
+                                      false,
+                                      ["sign"])
+
+    const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(jsonBody))
+
+    return Buffer.from(new Uint8Array(signature)).toString('base64')
+}
+
+const jsonBody = process.env.REQUEST_DATA
+
+try {
+    JSON.parse(jsonBody)
+} catch (e) {
+    console.error("REQUEST_DATA is not a valid JSON string.")
+    process.exit(1)
+}
+
+const signature = await createHmacSignature(jsonBody)
+
+const response =
+    await fetch(process.env.REQUEST_URI, {
+        method: `${process.env.METHOD ? process.env.METHOD : 'POST'}`,
+        body: jsonBody,
+        headers: { 'X-Request-Signature': signature }
+    })
+
+if (response.status < 200 || response.status > 299) {
+    console.error(`Request failed with status code ${response.status}!`)
+    process.exit(1)
+} else process.exit()