{"id":20102927,"url":"https://github.com/stackrox/central-login","last_synced_at":"2025-10-09T01:16:40.125Z","repository":{"id":260058064,"uuid":"712687633","full_name":"stackrox/central-login","owner":"stackrox","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-03T20:10:04.000Z","size":5499,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-10-03T22:15:09.593Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-11-01T01:27:08.000Z","updated_at":"2025-10-03T20:10:08.000Z","dependencies_parsed_at":"2024-12-17T14:32:38.843Z","dependency_job_id":"e7731cfa-797c-404d-9704-e6201147f584","html_url":"https://github.com/stackrox/central-login","commit_stats":null,"previous_names":["stackrox/central-login"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/stackrox/central-login","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fcentral-login","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fcentral-login/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fcentral-login/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fcentral-login/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/central-login/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fcentral-login/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279000722,"owners_count":26082894,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:31.711Z","updated_at":"2025-10-09T01:16:40.103Z","avatar_url":"https://github.com/stackrox.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Central Login GitHub Action\n\n![E2E tests](https://github.com/stackrox/central-login/actions/workflows/e2e.yml/badge.svg)\n\nConfigure your Central login credentials for use in other GitHub Actions.\n\nThis action obtains an access token to\na [Red Hat Advanced Cluster Security (ACS)](https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes)\nCentral instance and configures environment variables for your\nother actions to use.\n\nThis is as simple as adding the following step to your workflow:\n\n```yaml\n    - name: 
Central Login\n      uses: stackrox/central-login@v1\n      with:\n        endpoint: https://\u003ccentral-endpoint\u003e:443\n```\n\n## Parameters\n\n| Parameter name    | Required?      | Description                                                       |\n|-------------------|----------------|-------------------------------------------------------------------|\n| `endpoint`        | **(required)** | API endpoint of the ACS Central instance.                         |\n| `skip-tls-verify` | (optional)     | Skip TLS certificate verification for ACS Central's API endpoint. |\n\n## Overview\n\nCurrently, credentials can only be retrieved by\nusing [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers).\n\nWith [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers),\nthis action will be issued with an ID token unique to this workflow run, which will then\nbe exchanged for an ACS Central access token.\n\nFor creating the ID\ntoken, [it is required for your workflow to have the `id-token: write` permission](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings):\n\n```yaml\npermissions:\n  id-token: write # This is required for requesting the JWT\n```\n\n### Sample Central configuration\n\nBefore being able to exchange tokens, the ACS Central instance needs to be configured to allow exchanging tokens\noriginating from GitHub Action workflow runs.\n\nFor more information on how to configure this, follow the [RHACS documentation](https://docs.openshift.com/acs/4.4/operating/manage-user-access/configure-short-lived-access.html).\n\nBelow is a sample configuration via API you can use:\n\n```bash\ncurl \\\n  https://\u003ccentral-endpoint\u003e/v1/auth/m2m \\\n  -d  @- 
\u003c\u003c EOF\n  {\n    \"config\": {\n      \"type\": \"GITHUB_ACTIONS\",\n      \"tokenExpirationDuration\": \"5m\",\n      \"mappings\": [\n        {\n          \"key\": \"sub\",\n          \"valueExpression\": \"repo:octo-org/octo-repo.*\",\n          \"role\": \"Continuous Integration\"\n        }\n      ]\n    }\n  }\nEOF\n```\n\nIn this configuration:\n\n- `tokenExpirationDuration` can be used to specify the expiration of the exchanged access token.\n- `mappings` configure which token claims to map to which roles within the ACS Central instance.\n- `valueExpression` supports [RE2 syntax](https://github.com/google/re2/wiki/Syntax) expressions. Note that the sample pattern `repo:octo-org/octo-repo.*` also matches any other repository in `octo-org` whose name begins with `octo-repo`; include the `:` that follows the repository name in the subject claim to restrict the mapping to a single repository.\n\n**Recommendations**\n\n- For specifics on the claim values on the ID tokens issued by GitHub's OIDC\n  provider, [check out this documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).\n- Make sure to map claim values _specific_ to your repository. It is recommended to use the `sub` claim for that.\n  For more information about the subject claim's structure for tokens issued by GitHub's OIDC\n  provider, [check out this documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims).\n\n## Using this action in your workflow\n\nAfter the ACS Central instance has been configured to allow exchanging tokens from GitHub Action workflow runs, you can\nadd the following step to your workflow:\n\n```yaml\n    - name: Central Login\n      uses: stackrox/central-login@v1\n      with:\n        endpoint: https://\u003ccentral-endpoint\u003e:443\n```\n\nAfter the central login step has succeeded, the following environment variables are configured for other steps to use:\n\n- `ROX_API_TOKEN` which contains the exchanged access token for the ACS Central instance.\n- `ROX_ENDPOINT` which contains the ACS Central instance endpoint correlated with the access token.\n\nFor verifying 
everything works correctly, the example below can be used:\n\n```yaml\n    - name: Login to Central\n      uses: stackrox/central-login@v1\n      with:\n        endpoint: https://\u003ccentral-endpoint\u003e:443\n\n    - name: Install roxctl from Central\n      uses: stackrox/roxctl-installer-action@v1\n      with:\n        central-endpoint: https://${{ env.ROX_ENDPOINT }}\n        central-token: ${{ env.ROX_API_TOKEN }}\n\n    - name: roxctl central whoami\n      run: |\n        roxctl central whoami\n```\n\nThis will output the specifics about the access token (i.e. its associated permissions and roles) as well as the\noriginating user.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fcentral-login","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fcentral-login","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fcentral-login/lists"}