-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathgithub-script-oidc.yaml
More file actions
47 lines (39 loc) · 1.79 KB
/
github-script-oidc.yaml
File metadata and controls
47 lines (39 loc) · 1.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: OIDC Access Test with GitHub Actions (using github-script)
on:
workflow_dispatch:
permissions:
id-token: write
contents: read
# Official GitHub documentation on configuring OIDC tokens for GitHub Enterprise Server:
# https://docs.github.com/en/enterprise-server@3.17/actions/how-tos/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
# NOTE: OIDC tokens should be requested just before they are used, as they are short-lived.
jobs:
access-protected-service:
runs-on: kubernetes
steps:
- name: Get OIDC token with correct audience
id: get-token-correct
uses: actions/github-script@v6
with:
script: |
const core = require('@actions/core');
const token = await core.getIDToken("protected-nginx");
core.addMask(token);
core.setOutput('token', token);
- name: Access protected NGINX # this should succeed, since the audience is correct
run: |
curl -v -H "Authorization: Bearer ${{ steps.get-token-correct.outputs.token }}" \
http://secured-nginx-service.oidc-experiments.svc.cluster.local/
- name: Get OIDC token with incorrect audience
id: get-token-incorrect
uses: actions/github-script@v6
with:
script: |
const core = require('@actions/core');
const token = await core.getIDToken("foobar");
core.addMask(token);
core.setOutput('token', token);
- name: Access protected NGINX # this should fail, since the audience is incorrect
run: |
curl -v -H "Authorization: Bearer ${{ steps.get-token-incorrect.outputs.token }}" \
http://secured-nginx-service.oidc-experiments.svc.cluster.local/