{"id":17697303,"url":"https://github.com/waigel/cf-oidc-proxy","last_synced_at":"2026-02-11T16:36:11.333Z","repository":{"id":311440817,"uuid":"621866648","full_name":"waigel/cf-oidc-proxy","owner":"waigel","description":"Connect GitHub Actions OIDC with Cloudflare by using CF-OIDC-Proxy","archived":false,"fork":false,"pushed_at":"2025-08-04T20:53:28.000Z","size":7346,"stargazers_count":1,"open_issues_count":14,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-24T18:39:25.062Z","etag":null,"topics":["cloudflare","github","oidc","proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/waigel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-03-31T14:57:05.000Z","updated_at":"2025-06-05T07:19:32.000Z","dependencies_parsed_at":"2025-08-24T18:39:38.324Z","dependency_job_id":"9ae8d07a-ada7-49de-bf1e-63330f010565","html_url":"https://github.com/waigel/cf-oidc-proxy","commit_stats":null,"previous_names":["waigel/cf-oidc-proxy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/waigel/cf-oidc-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waigel%2Fcf-oidc-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waigel%2Fcf-oidc-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waigel%2Fcf-oidc-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waigel%2Fcf-oidc-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/waigel","download_url":"https://codeload.github.com/waigel/cf-oidc-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waigel%2Fcf-oidc-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29338456,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T16:14:43.024Z","status":"ssl_error","status_checked_at":"2026-02-11T16:14:15.258Z","response_time":97,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","github","oidc","proxy"],"created_at":"2024-10-24T14:47:02.662Z","updated_at":"2026-02-11T16:36:11.321Z","avatar_url":"https://github.com/waigel.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cf-oidc-proxy\nConnect GitHub Actions OIDC with Cloudflare using CF-OIDC-Proxy.\n\n# Introduction\nAPI keys for cloud infrastructure providers are important credentials that must be protected. A token issued once and stored in GitHub Actions carries a higher security risk. Additionally, static tokens complicate best practices such as regular key rotation and constant authorization checks.\n\nOIDC is an optimal solution to this problem. However, Cloudflare does not support issuing tokens based on OIDC, unlike other providers such as AWS, Azure, and Google Cloud.\n\nTo solve this problem, the CF-OIDC-Proxy acts as middleware between Cloudflare and GitHub OIDC, allowing the issuance of short-lived API tokens with limited permissions and additional conditions like IP address whitelisting for workers.\n\n## Usage\n\nThe proxy server is only required when GitHub Actions requests a Cloudflare API token. To protect the environment and your wallet, a Lambda-based serverless application was written that can be deployed to the cloud via \"serverless.\"\n\n1. Install dependencies:\n```sh\n$ npm i\n```\n\n2. Build and deploy to Lambda:\n```sh\n$ npm run deploy\n```\n\n### Configuration\n\nBefore deploying your application, you need to configure it. A sample configuration can be found in the samples/ folder.\n\n1. Copy `samples/config.yml` to the root and set your apiToken. You can use the Cloudflare API Token template \"Create Additional Tokens\" for this step.\n2. Copy `samples/roles.yml` to the root. You need to configure roles in the `roles.yml` config. Permissions represent the \"scopes,\" and the name is ignored, but the ID needs to match an existing Cloudflare permission group ID. You can get all permission group IDs from the Cloudflare API using:\n```sh\ncurl https://api.cloudflare.com/client/v4/user/tokens/permission_groups -H \"Authorization: Bearer \u003ctoken\u003e\"\n```\n3. Matchers: You need to configure matchers to ensure that only your repositories/workflows can request an API token for this role. Operators include:\n- \"StringEquals\"\n- \"StringNotEquals\"\n- \"StringEqualsIgnoreCase\"\n- \"StringNotEqualsIgnoreCase\"\nClaims: You can use matchers for all JWT claims. See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token for more information.\n  \n# Action\n\nYou can use the CF-OIDC-Proxy with waigel/cf-oidc-proxy-action@main to get a Cloudflare short-lived API token over the OIDC proxy.\n\nExample workflow:\n\n```yaml\nname: Cloudflare OIDC Test\non:\n  workflow_dispatch:\n  \npermissions:\n  id-token: write\njobs:\n  cloudflare:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: waigel/cf-oidc-proxy-action@main\n        id: cloudflare\n        with:\n          proxy-url: https://\u003clambda-id\u003e.execute-api.eu-central-1.amazonaws.com\n          role-to-assume: dns\n      - name: Verify API token is valid\n        run: |\n          curl \"https://api.cloudflare.com/client/v4/user/tokens/verify\" \\\n          -H  \"Authorization: Bearer ${{ steps.cloudflare.outputs.api_token }}\" \\\n          | grep -o '\"message\":\"[^\"]*\"' | sed 's/\"message\":\"\\(.*\\)\"/\\1/'\n```\n---\nThis project is licensed under the MIT License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaigel%2Fcf-oidc-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwaigel%2Fcf-oidc-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaigel%2Fcf-oidc-proxy/lists"}