oidc-test.yaml
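# OIDC smoke test: requests a GitHub Actions ID token (JWT), verifies it
# against GitHub's published JWKS, and presents it to two backends in
# exchange for an API token.
#
# NOTE(review): every getIDToken() call below passes no audience argument, so
# both backends receive a token minted for the same default audience. A
# dedicated audience per backend, checked by that backend against the `aud`
# claim, would keep one relying party from replaying the token to another.
# NOTE(review): the scripts rely on a global `fetch`; whether it exists
# depends on the Node runtime behind actions/github-script@v6. TODO confirm.
name: oidc-test
on:
  push:
    branches: [main]
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
jobs:
  oidc-test:
    runs-on: ubuntu-latest
    steps:
      - name: Install OIDC Client from Core Package
        # NOTE(review): the version pin after "@actions/core@" was replaced
        # with "[email protected]" by the rendering page's e-mail obfuscation;
        # restore the real version before using this line.
        # The other three packages are unpinned and installed without a
        # lockfile into a job that holds `id-token: write`; pin them as well.
        run: npm install @actions/[email protected] @actions/http-client jwks-rsa jsonwebtoken
      - name: Get Id Token
        uses: actions/github-script@v6
        with:
          script: |
            const coredemo = require('@actions/core');
            const jwksClient = require('jwks-rsa'); // from auth0
            const jwt = require('jsonwebtoken');

            const githubActionsIssuer = 'https://token.actions.githubusercontent.com';
            const githubActionsJwksUri = 'https://token.actions.githubusercontent.com/.well-known/jwks';

            const githubJwt = await coredemo.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            // The JWT is a bearer credential: the receiving server must verify
            // signature, issuer and audience itself before trusting any claim.
            await fetch('https://sam-dell.tailnet-6e00.ts.net/', {
              method: 'GET',
              headers: {
                'x-github-jwt': githubJwt
              }
            });

            // jwt.decode() does not check the signature; this output is for
            // inspection only and must not drive any decision.
            console.log("Decoded GitHub Actions JWT", jwt.decode(githubJwt));
            console.log("Attempting to verify token using key from GitHub Actions jwks");

            const client = jwksClient({ jwksUri: githubActionsJwksUri });

            // Key resolver for jwt.verify: looks up the signing key named by the
            // token header's `kid` in the GitHub Actions JWKS.
            const getGithubActionsJwks = (header, callback) => {
              console.log('the header we got', header)
              client.getSigningKey(header.kid, (err, key) => {
                if (err) {
                  // Hand the error to jwt.verify instead of dereferencing an
                  // undefined key, which would throw inside this callback.
                  console.error('signing key fetch error', err);
                  return callback(err);
                }
                console.log('the key we got back', key)
                callback(null, key.publicKey || key.rsaPublicKey);
              });
            }

            // Await the verification so the step cannot finish before the result
            // is known, and fail the step when the token does not verify.
            try {
              const decoded = await new Promise((resolve, reject) => {
                jwt.verify(
                  githubJwt,
                  getGithubActionsJwks,
                  // Pin the algorithm and the issuer. NOTE(review): add an
                  // `audience` option once a dedicated audience is requested.
                  { algorithms: ['RS256'], issuer: githubActionsIssuer },
                  (err, payload) => (err ? reject(err) : resolve(payload))
                );
              });
              console.log('JWT verified successfully');
              console.log('Decoded payload:', decoded);
            } catch (err) {
              console.error('JWT verification failed:', err.message);
              coredemo.setFailed(`JWT verification failed: ${err.message}`);
            }
      - name: exchange for special token
        uses: actions/github-script@v6
        with:
          script: |
            const actions = require('@actions/core');
            const githubJwt = await actions.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            const response = await fetch('https://sam-dell.tailnet-6e00.ts.net/getApiToken', {
              method: 'POST',
              headers: {
                'x-github-jwt': githubJwt
              }
            });
            if (!response.ok) {
              actions.setFailed(`getApiToken returned HTTP ${response.status}`);
              return;
            }

            // The response body is a credential: report that it arrived and
            // which fields it has, never the values, so it stays out of the log.
            const apiToken = await response.json();
            const fields = apiToken && typeof apiToken === 'object' ? Object.keys(apiToken) : [];
            console.log('fetched token; response fields:', fields);
      - name: get token from trunk
        uses: actions/github-script@v6
        with:
          script: |
            const actions = require('@actions/core');
            const githubJwt = await actions.getIDToken();
            console.log("Here we have an ID token `id_token` - we can send this to our backend")

            const response = await fetch('https://api.dev2.trunk-staging.io:443/gh-redir/getApiToken', {
              method: 'POST',
              headers: {
                'x-github-jwt': githubJwt
              }
            });
            if (!response.ok) {
              actions.setFailed(`getApiToken returned HTTP ${response.status}`);
              return;
            }

            const data = await response.json();
            const trunkApiToken = data && data.TRUNK_API_TOKEN;
            if (typeof trunkApiToken !== 'string' || trunkApiToken === '') {
              actions.setFailed('response did not contain a TRUNK_API_TOKEN string');
              return;
            }

            // Register the value as a secret before it can reach any log line,
            // then export it. The earlier version wrote the remote-supplied
            // value into GITHUB_ENV by string interpolation (through an `fs`
            // that this script never requires), so an embedded newline in the
            // response could have defined additional variables for later steps.
            actions.setSecret(trunkApiToken);
            actions.exportVariable('TRUNK_API_TOKEN', trunkApiToken);
      - name: dump env
        shell: bash
        # Prints the whole environment, TRUNK_API_TOKEN included. The value is
        # redacted in the log only because the previous step registered it as
        # a secret; prefer checking that the variable is set over dumping it.
        run: env | sort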