run the thing #34
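name: oidc-test
on:
  push:
    branches: [main]
# Least privilege: the job only needs to mint an OIDC ID token and to read
# repository contents. No other scopes are granted, so a compromised step
# cannot write to the repo, packages or pull requests.
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
jobs:
  oidc-test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the @actions/core version spec on the next line looks
      # mangled in the copy reviewed; pin every package here to an exact
      # version (or commit a lockfile and use `npm ci`) so the job does not
      # silently pick up a new jwks-rsa / jsonwebtoken release.
      - name: Install OIDC Client from Core Package
        run: npm install @actions/[email protected] @actions/http-client jwks-rsa jsonwebtoken
      - name: Get Id Token
        uses: actions/github-script@v6
        with:
          script: |
            const coredemo = require('@actions/core');
            const jwksClient = require('jwks-rsa'); // from auth0
            const jwt = require('jsonwebtoken');

            // The ID token is a bearer credential for whoever the audience is;
            // its decoded claims are fine to print, the raw token is not.
            const githubJwt = await coredemo.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            // Demo backend call: the token travels in a header so the backend
            // can verify it against GitHub's JWKS on its side.
            await fetch('https://sam-dell.tailnet-6e00.ts.net/', {
              method: 'GET',
              headers: {
                'x-github-jwt': githubJwt
              }
            });

            // Issuer of GitHub Actions ID tokens; its discovery document lives at
            // <issuer>/.well-known/openid-configuration and the keys at
            // <issuer>/.well-known/jwks.
            const githubActionsIssuer = 'https://token.actions.githubusercontent.com';
            const githubActionsJwksUri = `${githubActionsIssuer}/.well-known/jwks`;
            console.log("Decoded GitHub Actions JWT", jwt.decode(githubJwt));
            console.log("Attempting to verify token using key from GitHub Actions jwks");
            const client = jwksClient({ jwksUri: githubActionsJwksUri });

            // jsonwebtoken "secretOrPublicKey" callback: resolve the signing key
            // for the `kid` named in the token header.
            const getGithubActionsJwks = (header, callback) => {
              console.log('the header we got', header);
              client.getSigningKey(header.kid, (err, key) => {
                if (err) {
                  // Propagate the error instead of falling through to
                  // `key.publicKey`, which throws when `key` is undefined.
                  console.error('signing key fetch error', err);
                  return callback(err);
                }
                console.log('the key we got back', key);
                const signingKey = key.publicKey || key.rsaPublicKey;
                callback(null, signingKey);
              });
            };

            // Await the verification so the step does not end before the JWKS
            // round-trip completes. Pin issuer and audience as well as the
            // algorithm: a signature check alone accepts any token GitHub ever
            // minted for any repository and any audience. getIDToken() without an
            // argument requests the default audience, the repository owner URL.
            await new Promise((resolve) => {
              jwt.verify(githubJwt, getGithubActionsJwks, {
                algorithms: ['RS256'],
                issuer: githubActionsIssuer,
                audience: `https://github.com/${context.repo.owner}`,
              }, (err, decoded) => {
                if (err) {
                  console.error('JWT verification failed:', err.message);
                } else {
                  console.log('JWT verified successfully');
                  console.log('Decoded payload:', decoded);
                }
                resolve();
              });
            });
      - name: exchange for special token
        uses: actions/github-script@v6
        with:
          script: |
            const actions = require('@actions/core');
            const githubJwt = await actions.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            // Exchange the OIDC token for a backend-issued API token.
            const response = await fetch('https://sam-dell.tailnet-6e00.ts.net/getApiToken', {
              method: 'POST',
              headers: {
                'x-github-jwt': githubJwt
              }
            });
            // Fail loudly on a non-2xx reply instead of surfacing an opaque
            // JSON parse error from an HTML error page.
            if (!response.ok) {
              throw new Error(`token exchange failed: HTTP ${response.status}`);
            }
            const apiToken = await response.json();
            // The exchanged token is a credential: log only the shape of the
            // reply, never the value. (Response schema is not known here --
            // assumed to be a JSON object; confirm against the backend.)
            const replyKeys = apiToken !== null && typeof apiToken === 'object' ? Object.keys(apiToken) : typeof apiToken;
            console.log(`fetched token; response keys`, replyKeys);
      - name: get token from trunk
        uses: actions/github-script@v6
        with:
          script: |
            const actions = require('@actions/core');
            const githubJwt = await actions.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            const response = await fetch('https://api.dev2.trunk-staging.io:443/gh-redir/getApiToken', {
              method: 'POST',
              headers: {
                'x-github-jwt': githubJwt
              }
            });
            if (!response.ok) {
              throw new Error(`token exchange failed: HTTP ${response.status}`);
            }
            const data = await response.json();
            const trunkApiToken = data.TRUNK_API_TOKEN;
            if (typeof trunkApiToken !== 'string' || trunkApiToken === '') {
              throw new Error('token exchange response did not include TRUNK_API_TOKEN');
            }
            // Mask the token in the job log before anything can echo it (the
            // "dump env" step below prints every variable), then export it for
            // later steps. exportVariable writes GITHUB_ENV with a random
            // heredoc delimiter, so a value containing newlines or `NAME=` cannot
            // define extra variables the way a raw `NAME=value\n` append could.
            // It also needs no `fs` require, which the previous version lacked.
            actions.setSecret(trunkApiToken);
            actions.exportVariable('TRUNK_API_TOKEN', trunkApiToken);
            console.log(`json response keys`, Object.keys(data));
      # Prints the whole environment, including TRUNK_API_TOKEN; it shows up as
      # *** only because the previous step registered it with setSecret.
      - name: dump env
        shell: bash
        run: env | sort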