dump env in oidc-test #46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: oidc-test | |
on: | |
pull_request: {} | |
push: | |
branches: [main] | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
oidc-test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install OIDC Client from Core Package | |
run: npm install @actions/[email protected] @actions/http-client jwks-rsa jsonwebtoken | |
- name: Dump env | |
shell: bash | |
run: env | sort | |
- name: Get Id Token | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const actions = require('@actions/core'); | |
let githubJwt = await actions.getIDToken(); | |
console.log("Here we have an ID token `id_token` - we can send this to our backend") | |
const jwksClient = require('jwks-rsa'); // from auth0 | |
const jwt = require('jsonwebtoken'); | |
if (false) { | |
await fetch('https://sam-dell.tailnet-6e00.ts.net/', { | |
method: 'GET', | |
headers: { | |
'x-github-jwt': githubJwt | |
} | |
}); | |
} | |
const githubActionsOpenIdConfigurationUri = 'https://token.actions.githubusercontent.com/.well-known/openid-configuration'; | |
const githubActionsJwksUri = 'https://token.actions.githubusercontent.com/.well-known/jwks'; | |
console.log("Decoded GitHub Actions JWT", jwt.decode(githubJwt)); | |
console.log("Attempting to verify token using key from GitHub Actions jwks"); | |
var client = jwksClient({ jwksUri: githubActionsJwksUri }); | |
const getGithubActionsJwks = async (header, callback) => { | |
const key = await client.getSigningKey(header.kid); | |
const signingKey = key.getPublicKey(); | |
callback(null, signingKey); | |
}; | |
try { | |
await jwt.verify( | |
githubJwt, | |
getGithubActionsJwks, | |
{ algorithms: ["RS256"] }, | |
async (err, decoded) => { | |
await fetch("http://does.not.exist"); | |
if (err) { | |
console.error("JWT verification failed:", err.message); | |
throw err; | |
} | |
console.log("JWT verified successfully"); | |
console.log("Decoded payload:", decoded); | |
}, | |
); | |
} catch (err) { | |
console.error("outer error handling"); | |
} |