Fix OIDC credential property names

CHANGELOG.md

@@ -7,6 +7,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 - The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795)
 - The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789)
 - Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://github.com/github/codeql-action/pull/3794)
+- Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807)
 
 ## 4.35.1 - 27 Mar 2026
 

src/start-proxy.test.ts

@@ -351,23 +351,23 @@ test("getCredentials throws an error when non-printable characters are used", as
 });
 
 const validAzureCredential: startProxyExports.AzureConfig = {
-  tenant_id: "12345678-1234-1234-1234-123456789012",
-  client_id: "abcdef01-2345-6789-abcd-ef0123456789",
+  "tenant-id": "12345678-1234-1234-1234-123456789012",
+  "client-id": "abcdef01-2345-6789-abcd-ef0123456789",
 };
 
 const validAwsCredential: startProxyExports.AWSConfig = {
-  aws_region: "us-east-1",
-  account_id: "123456789012",
-  role_name: "MY_ROLE",
+  "aws-region": "us-east-1",
+  "account-id": "123456789012",
+  "role-name": "MY_ROLE",
   domain: "MY_DOMAIN",
-  domain_owner: "987654321098",
+  "domain-owner": "987654321098",
   audience: "custom-audience",
 };
 
 const validJFrogCredential: startProxyExports.JFrogConfig = {
-  jfrog_oidc_provider_name: "MY_PROVIDER",
+  "jfrog-oidc-provider-name": "MY_PROVIDER",
   audience: "jfrog-audience",
-  identity_mapping_name: "my-mapping",
+  "identity-mapping-name": "my-mapping",
 };
 
 test("getCredentials throws an error when non-printable characters are used for Azure OIDC", (t) => {

src/start-proxy.ts

@@ -301,22 +301,22 @@ export function getAuthConfig(
   // which we can use to identify them.
   if (isAzureConfig(config)) {
     return {
-      tenant_id: config.tenant_id,
-      client_id: config.client_id,
+      "tenant-id": config["tenant-id"],
+      "client-id": config["client-id"],
     } satisfies AzureConfig;
   } else if (isAWSConfig(config)) {
     return {
-      aws_region: config.aws_region,
-      account_id: config.account_id,
-      role_name: config.role_name,
+      "aws-region": config["aws-region"],
+      "account-id": config["account-id"],
+      "role-name": config["role-name"],
       domain: config.domain,
-      domain_owner: config.domain_owner,
+      "domain-owner": config["domain-owner"],
       audience: config.audience,
     } satisfies AWSConfig;
   } else if (isJFrogConfig(config)) {
     return {
-      jfrog_oidc_provider_name: config.jfrog_oidc_provider_name,
-      identity_mapping_name: config.identity_mapping_name,
+      "jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"],
+      "identity-mapping-name": config["identity-mapping-name"],
       audience: config.audience,
     } satisfies JFrogConfig;
   } else if (isToken(config)) {

src/start-proxy/types.test.ts

@@ -7,23 +7,23 @@ import * as types from "./types";
 setupTests(test);
 
 const validAzureCredential: types.AzureConfig = {
-  tenant_id: "12345678-1234-1234-1234-123456789012",
-  client_id: "abcdef01-2345-6789-abcd-ef0123456789",
+  "tenant-id": "12345678-1234-1234-1234-123456789012",
+  "client-id": "abcdef01-2345-6789-abcd-ef0123456789",
 };
 
 const validAwsCredential: types.AWSConfig = {
-  aws_region: "us-east-1",
-  account_id: "123456789012",
-  role_name: "MY_ROLE",
+  "aws-region": "us-east-1",
+  "account-id": "123456789012",
+  "role-name": "MY_ROLE",
   domain: "MY_DOMAIN",
-  domain_owner: "987654321098",
+  "domain-owner": "987654321098",
   audience: "custom-audience",
 };
 
 const validJFrogCredential: types.JFrogConfig = {
-  jfrog_oidc_provider_name: "MY_PROVIDER",
+  "jfrog-oidc-provider-name": "MY_PROVIDER",
   audience: "jfrog-audience",
-  identity_mapping_name: "my-mapping",
+  "identity-mapping-name": "my-mapping",
 };
 
 test("credentialToStr - pretty-prints valid username+password configurations", (t) => {

src/start-proxy/types.ts

@@ -59,29 +59,29 @@ export function isToken(
 }
 
 /** Configuration for Azure OIDC. */
-export type AzureConfig = { tenant_id: string; client_id: string };
+export type AzureConfig = { "tenant-id": string; "client-id": string };
 
 /** Decides whether `config` is an Azure OIDC configuration. */
 export function isAzureConfig(
   config: UnvalidatedObject<AuthConfig>,
 ): config is AzureConfig {
   return (
-    "tenant_id" in config &&
-    "client_id" in config &&
-    isDefined(config.tenant_id) &&
-    isDefined(config.client_id) &&
-    json.isString(config.tenant_id) &&
-    json.isString(config.client_id)
+    "tenant-id" in config &&
+    "client-id" in config &&
+    isDefined(config["tenant-id"]) &&
+    isDefined(config["client-id"]) &&
+    json.isString(config["tenant-id"]) &&
+    json.isString(config["client-id"])
   );
 }
 
 /** Configuration for AWS OIDC. */
 export type AWSConfig = {
-  aws_region: string;
-  account_id: string;
-  role_name: string;
+  "aws-region": string;
+  "account-id": string;
+  "role-name": string;
   domain: string;
-  domain_owner: string;
+  "domain-owner": string;
   audience?: string;
 };
 
@@ -91,11 +91,11 @@ export function isAWSConfig(
 ): config is AWSConfig {
   // All of these properties are required.
   const requiredProperties = [
-    "aws_region",
-    "account_id",
-    "role_name",
+    "aws-region",
+    "account-id",
+    "role-name",
     "domain",
-    "domain_owner",
+    "domain-owner",
   ];
 
   for (const property of requiredProperties) {
@@ -118,30 +118,30 @@ export function isAWSConfig(
 
 /** Configuration for JFrog OIDC. */
 export type JFrogConfig = {
-  jfrog_oidc_provider_name: string;
+  "jfrog-oidc-provider-name": string;
   audience?: string;
-  identity_mapping_name?: string;
+  "identity-mapping-name"?: string;
 };
 
 /** Decides whether `config` is a JFrog OIDC configuration. */
 export function isJFrogConfig(
   config: UnvalidatedObject<AuthConfig>,
 ): config is JFrogConfig {
-  // The "audience" and "identity_mapping_name" fields are optional, but should be strings if present.
+  // The "audience" and "identity-mapping-name" fields are optional, but should be strings if present.
   if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
     return false;
   }
   if (
-    "identity_mapping_name" in config &&
-    !json.isStringOrUndefined(config.identity_mapping_name)
+    "identity-mapping-name" in config &&
+    !json.isStringOrUndefined(config["identity-mapping-name"])
   ) {
     return false;
   }
 
   return (
-    "jfrog_oidc_provider_name" in config &&
-    isDefined(config.jfrog_oidc_provider_name) &&
-    json.isString(config.jfrog_oidc_provider_name)
+    "jfrog-oidc-provider-name" in config &&
+    isDefined(config["jfrog-oidc-provider-name"]) &&
+    json.isString(config["jfrog-oidc-provider-name"])
   );
 }
 
@@ -189,18 +189,21 @@ export function credentialToStr(credential: Credential): string {
   }
 
   if (isAzureConfig(credential)) {
-    appendIfDefined("Tenant", credential.tenant_id);
-    appendIfDefined("Client", credential.client_id);
+    appendIfDefined("Tenant", credential["tenant-id"]);
+    appendIfDefined("Client", credential["client-id"]);
   } else if (isAWSConfig(credential)) {
-    appendIfDefined("AWS Region", credential.aws_region);
-    appendIfDefined("AWS Account", credential.account_id);
-    appendIfDefined("AWS Role", credential.role_name);
+    appendIfDefined("AWS Region", credential["aws-region"]);
+    appendIfDefined("AWS Account", credential["account-id"]);
+    appendIfDefined("AWS Role", credential["role-name"]);
     appendIfDefined("AWS Domain", credential.domain);
-    appendIfDefined("AWS Domain Owner", credential.domain_owner);
+    appendIfDefined("AWS Domain Owner", credential["domain-owner"]);
     appendIfDefined("AWS Audience", credential.audience);
   } else if (isJFrogConfig(credential)) {
-    appendIfDefined("JFrog Provider", credential.jfrog_oidc_provider_name);
-    appendIfDefined("JFrog Identity Mapping", credential.identity_mapping_name);
+    appendIfDefined("JFrog Provider", credential["jfrog-oidc-provider-name"]);
+    appendIfDefined(
+      "JFrog Identity Mapping",
+      credential["identity-mapping-name"],
+    );
     appendIfDefined("JFrog Audience", credential.audience);
   }