Repository record: `open-component-model/.github-oidc` (https://github.com/open-component-model/.github-oidc). Description: "Hosts OIDC federation configuration to map repository access for ODG pipelines". The repository's README follows.

# GitHub OIDC Federation

This repository contains the OIDC federation configuration that allows trust-based access to the
repositories contained in the `open-component-model` organization. See below for more information
on the [GitHub OIDC Federation service](https://github.com/gardener/github-oidc-federation).

# GitHub OIDC Federation Service

The GitHub OIDC Federation service provides the capability to exchange an OIDC identity token for
a short-lived GitHub access token. Hence, it allows access across GitHub instances, organizations
and repositories without the need for static credentials (e.g. GitHub service accounts, GitHub App
private keys). The short-lived GitHub access tokens are created by a central GitHub App for the
individual requesters. The federated access is managed in the `.github-oidc` repository (`.github`
for GHE) of the target GitHub organization, via an `oidc-federation.(yaml|json)` file.

> [!NOTE]  
> By design, the central GitHub App must be granted all the permissions requesters should be able to
> request, and must be installed into the target GitHub organization with access to its repositories
> (including the `.github-oidc` or `.github` repository).

## OIDC Federation Configuration

To configure the federated access, an `oidc-federation.(yaml|json)` file is required in the target
organization's `.github-oidc` (`.github` for GHE) repository. It is used to map the supported issuer
and subject/token claim to the allowed repositories and permissions. Example:

```yaml
- issuer: https://token.actions.githubusercontent.com
  subject: repo:gardener/github-oidc-federation:ref:refs/heads/main
  permissions: # can be omitted for full access
    contents: read
  repositories: # can be omitted for global organization access
    - github-oidc-federation
- issuer: https://token.actions.githubusercontent.com
  principals:
    - repository: gardener/github-oidc-federation
      ref: refs/heads/foo
```

## Token Request

To request a short-lived GitHub access token, send a POST request to the `/token-exchange` endpoint
that includes the desired GitHub `host` and `organization` as well as the identity `token` and the
requested `permissions`. Optionally, the GitHub `repositories` can be specified to limit the scope
of the access token. Example:

```bash
curl -sLS -X POST "<token-server-url>/token-exchange" \
  -H "Content-Type: application/json" \
  -d '{
    "host": "github.com",
    "organization": "gardener",
    "token": "<identity-token>",
    "repositories": ["github-oidc-federation"],
    "permissions": {
      "contents": "read"
    }
  }'
```

## Supported Permissions

The supported permissions are mapped to the permissions of the central GitHub App in use. For a full
list of available permissions for GitHub Apps, please refer to the
[documentation](https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps).
The permission names are expected to be in kebab-case format.

## Usage in GitHub Actions

To generate a short-lived GitHub access token from within GitHub Actions, please use the available
[gardener/cc-utils/.github/actions/github-auth@master](https://github.com/gardener/cc-utils/tree/master/.github/actions/github-auth)
Action. Example:

```yaml
- uses: gardener/cc-utils/.github/actions/github-auth@master
  id: token
  with:
    token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
    host: github.com # defaults to current GitHub host
    organization: gardener # defaults to current GitHub owner
    repositories: | # defaults to all repositories of the specified `organization`
      github-oidc-federation
      cc-utils
    permissions: | # defaults to `contents: read`
      contents: read
      pull-requests: write
- shell: bash
  run: |
    echo "${{ steps.token.outputs.token }}"
```