get instead of post #25
name: oidc-test | |
on: | |
push: | |
branches: [main] | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
fetch-jwks-ubuntu: | |
runs-on: ubuntu-latest | |
steps: | |
- name: fetch jwks | |
run: | | |
set -x | |
curl -L https://token.actions.githubusercontent.com/.well-known/openid-configuration | |
curl -L https://token.actions.githubusercontent.com/.well-known/jwks | |
fetch-jwks-macos: | |
runs-on: macos-latest | |
steps: | |
- name: fetch jwks | |
run: | | |
set -x | |
curl -L https://token.actions.githubusercontent.com/.well-known/openid-configuration | |
curl -L https://token.actions.githubusercontent.com/.well-known/jwks | |
oidc-test: | |
runs-on: ubuntu-latest | |
env: | |
CURLOPT_SSL_CIPHER_LIST: AES256+EECDH:AES256+EDH | |
CURLOPT_VERBOSE: 1 | |
steps: | |
- name: dump curl options | |
run: | | |
sudo apt install libcurl4 | |
env | sort -u | |
openssl version | |
- name: fetch openidc-configuration | |
run: curl --trace-ascii /tmp/curl.log --trace-time -L https://token.actions.githubusercontent.com/.well-known/openid-configuration | |
- name: fetch jwks | |
run: | | |
curl --trace-ascii /tmp/curl.log --trace-time -L https://token.actions.githubusercontent.com/.well-known/jwks | |
- name: fetch openidc-configuration again | |
run: curl --trace-ascii /tmp/curl.log --trace-time -L https://token.actions.githubusercontent.com/.well-known/openid-configuration | |
- name: Install OIDC Client from Core Package | |
run: npm install @actions/[email protected] @actions/http-client jwks-rsa jsonwebtoken | |
- name: Get Id Token | |
uses: actions/github-script@v6 | |
id: idtoken | |
with: | |
script: | | |
const coredemo = require('@actions/core'); | |
let githubJwt = await coredemo.getIDToken(); | |
console.log("Here we have an ID token `id_token` - we can send this to our backend") | |
const jwksClient = require('jwks-rsa'); // from auth0 | |
const jwt = require('jsonwebtoken'); | |
await fetch('https://sam-dell.tailnet-6e00.ts.net/', { | |
method: 'GET', | |
body: 'github jwt in headers', | |
headers: { | |
'x-github-jwt': githubJwt | |
} | |
}); | |
const githubActionsOpenIdConfigurationUri = 'https://token.actions.githubusercontent.com/.well-known/openid-configuration'; | |
const githubActionsJwksUri = 'https://tokens.actions.githubusercontent.com/.well-known/jwks'; | |
console.log("Decoded GitHub Actions JWT", jwt.decode(githubJwt)); | |
console.log("Attempting to verify token using key from GitHub Actions jwks"); | |
var client = jwksClient({ jwksUri: githubActionsJwksUri }); | |
const getGithubActionsJwks = (header, callback) => { | |
console.log('the header we got', header) | |
client.getSigningKey(header.kid, (err, key) => { | |
console.log('the key we got back', key) | |
if (err) console.error('signing key fetch error', err); | |
var signingKey = key.publicKey || key.rsaPublicKey; | |
callback(null, signingKey); | |
}); | |
} | |
jwt.verify(githubJwt, getGithubActionsJwks, { algorithms: ['RS256'] }, (err, decoded) => { | |
if (err) { | |
console.error('JWT verification failed:', err.message); | |
} else { | |
console.log('JWT verified successfully'); | |
console.log('Decoded payload:', decoded); | |
} | |
}); | |
- name: dump curl logs | |
if: always() | |
run: | | |
[ -e /tmp/curl.log] && cat /tmp/curl.log | |
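Review bot: The request switched to `method: 'GET'` still carries `body: 'github jwt in headers'`, and a spec-compliant fetch rejects a GET request with a body (`TypeError: Request with GET/HEAD method cannot have body`) — assuming a global `fetch` exists at all on the Node 16 runtime `actions/github-script@v6` uses — so the step fails before verification runs; drop the `body:` line. `githubActionsJwksUri` points at `tokens.actions.githubusercontent.com` while the discovery URI and every curl call use `token.actions.githubusercontent.com`, so the signing-key lookup goes to a different host than the issuer's discovery document; either correct it to `https://token.actions.githubusercontent.com/.well-known/jwks` or take `jwks_uri` from the fetched openid-configuration. In `getGithubActionsJwks` the error branch only logs and then dereferences `key.publicKey`, turning a failed key fetch into a TypeError inside the callback instead of a verification failure; make it `if (err) return callback(err);`. `jwt.verify` pins the algorithm but neither `issuer` nor `audience`, so any token signed with that key for any audience passes — pass `{ algorithms: ['RS256'], issuer: 'https://token.actions.githubusercontent.com', audience: '<expected-audience>' }` with the audience `getIDToken()` was requested for. In the last step `[ -e /tmp/curl.log]` is missing the space before `]`, so the shell errors with a missing `]` rather than printing the log, and because the step runs under `if: always()` the `&&` chain also fails the step when the file is absent; use `[ -e /tmp/curl.log ] && cat /tmp/curl.log || true`.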