Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/open-component-model/.github-oidc

Hosts OIDC federation configuration to map repository access for ODG pipelines
https://github.com/open-component-model/.github-oidc

Last synced: 19 days ago
JSON representation

Hosts OIDC federation configuration to map repository access for ODG pipelines

Awesome Lists containing this project

README 

          
# GitHub OIDC Federation



This repository contains the OIDC federation configuration to allow trust-based access of the

repositories contained in the `open-component-model` organization. See below for more information

on the [GitHub OIDC Federation service](https://github.com/gardener/github-oidc-federation).



# GitHub OIDC Federation Service



The GitHub OIDC Federation service provides the capability to exchange an OIDC identity token for

a short-lived GitHub access token. Hence, it allows cross GitHub instance/organization/repository

access without the need for static credentials (e.g. GitHub service accounts, GitHub App private

keys). The short-lived GitHub access tokens are created by a central GitHub App for the individual

requesters. The federated access is managed in the `.github-oidc` repository (`.github` for GHE) of

the target GitHub organization, via a `oidc-federation.(yaml|json)` file.



> [!NOTE]  

> By design, the central GitHub App must be granted all the permissions requesters should be able to

> request, and must be installed into the target GitHub organization with access to its repositories

> (including the `.github-oidc` or `.github` repository).



## OIDC Federation Configuration



To configure the federated access, a `oidc-federation.(yaml|json)` file is required in the target

organization's `.github-oidc` (`.github` for GHE) repository. It is used to map the supported issuer

and subject/token claim to the allowed repositories and permissions. Example:



```yaml

- issuer: https://token.actions.githubusercontent.com

  subject: repo:gardener/github-oidc-federation:ref:refs/heads/main

  permissions: # can be omitted for full access

    contents: read

  repositories: # can be omitted for global organization access

    - github-oidc-federation

- issuer: https://token.actions.githubusercontent.com

  principals:

    - repository: gardener/github-oidc-federation

      ref: refs/heads/foo

```



## Token Request



To request a short-lived GitHub access token, a POST request to the `/token-exchange` endpoint must

be done including the desired GitHub `host` and `organization` as well as the identity `token` and

requested `permissions`. Optionally, the GitHub `repositories` can be specified to limit the scope

of the access token. Example:



```bash

curl -sLS -X POST "/token-exchange" \

  -H "Content-Type: application/json" \

  -d '{

    "host": "github.com",

    "organization": "gardener",

    "token": "",

    "repositories": ["github-oidc-federation"],

    "permissions": {

      "contents": "read"

    }

  }'

```



## Supported Permissions



The supported permissions are mapped to the permissions of the central GitHub App in use. For a full

list of available permissions for GitHub Apps, please refer to the

[documentation](https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps).

The permission names are expected to be in kebab-case format.



## Usage in GitHub Actions



To generate a short-lived GitHub access token from within GitHub Actions, please use the available

[gardener/cc-utils/.github/actions/github-auth@master](https://github.com/gardener/cc-utils/tree/master/.github/actions/github-auth)

Action. Example:



```yaml

- uses: gardener/cc-utils/.github/actions/github-auth@master

  id: token

  with:

    token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}

    host: github.com # defaults to current GitHub host

    organization: gardener # defaults to current GitHub owner

    repositories: | # defaults to all repositories of the specified `organization`

      github-oidc-federation

      cc-utils

    permissions: | # defaults to `contents: read`

      contents: read

      pull-requests: write

- shell: bash

  run: |

    echo "${{ steps.token.outputs.token }}"

```