logging

Signed-off-by: Javan lacerda <javanlacerda@google.com>
javanlacerda · Jun 19, 2024 · f011ffd · f011ffd
1 parent c68bcee
commit f011ffd
Show file tree

Hide file tree

Showing 15 changed files with 33 additions and 1,123 deletions.
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
@@ -84,12 +84,6 @@ data:
               "ClientID": "sigstore",
               "Type": "gitlab-pipeline",
               "SubType": ""
-            },
-            "https://token.actions.githubusercontent.com": {
-              "IssuerURL": "https://token.actions.githubusercontent.com",
-              "ClientID": "sigstore",
-              "Type": "github-workflow",
-              "SubType": ""
             }
           },
           "MetaIssuers": {
@@ -112,11 +106,6 @@ data:
               "ClientID": "sigstore",
               "Type": "kubernetes",
               "SubType": ""
-            },
-            "https://token.actions.githubusercontent.com/*": {
-              "ClientID": "sigstore",
-              "Type": "github-workflow",
-              "SubType": ""
             }
           },
           "IssuersMetadata": null

diff --git a/federation/main.go b/federation/main.go
@@ -80,11 +80,6 @@ func main() {
 				ClientID: "sigstore",
 				Type:     "kubernetes",
 			},
-			// GitHub Actions OIDC unique enterprise issuers
-			"https://token.actions.githubusercontent.com/*": {
-				ClientID: "sigstore",
-				Type:     "github-workflow",
-			},
 		},
 	}
 	for _, m := range matches {

diff --git a/federation/token.actions.githubusercontent.com/config.yaml b/federation/token.actions.githubusercontent.com/config.yaml
diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
@@ -29,7 +29,6 @@ import (
 	"github.com/sigstore/fulcio/pkg/identity/buildkite"
 	"github.com/sigstore/fulcio/pkg/identity/ciprovider"
 	"github.com/sigstore/fulcio/pkg/identity/email"
-	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
 	"github.com/sigstore/fulcio/pkg/identity/kubernetes"
 	"github.com/sigstore/fulcio/pkg/identity/spiffe"
@@ -68,8 +67,6 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 		principal, err = email.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeSpiffe:
 		principal, err = spiffe.PrincipalFromIDToken(ctx, tok)
-	case config.IssuerTypeGithubWorkflow:
-		principal, err = github.WorkflowPrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeKubernetes:
 		principal, err = kubernetes.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeURI:
@@ -84,7 +81,6 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 	if err != nil {
 		return nil, err
 	}
-
 	return principal, nil
 }
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -290,7 +290,6 @@ type IssuerType string
 const (
 	IssuerTypeBuildkiteJob      = "buildkite-job"
 	IssuerTypeEmail             = "email"
-	IssuerTypeGithubWorkflow    = "github-workflow"
 	IssuerTypeCodefreshWorkflow = "codefresh-workflow"
 	IssuerTypeGitLabPipeline    = "gitlab-pipeline"
 	IssuerTypeKubernetes        = "kubernetes"
@@ -421,11 +420,6 @@ var DefaultConfig = &FulcioConfig{
 			ClientID:  "sigstore",
 			Type:      IssuerTypeEmail,
 		},
-		"https://token.actions.githubusercontent.com": {
-			IssuerURL: "https://token.actions.githubusercontent.com",
-			ClientID:  "sigstore",
-			Type:      IssuerTypeGithubWorkflow,
-		},
 	},
 }
 
@@ -579,8 +573,6 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 		return "sub"
 	case IssuerTypeEmail:
 		return "email"
-	case IssuerTypeGithubWorkflow:
-		return "sub"
 	case IssuerTypeCiProvider:
 		return "sub"
 	case IssuerTypeCodefreshWorkflow:

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -489,9 +489,6 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeBuildkiteJob, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for Buildkite issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
-		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
-	}
 	if claim := issuerToChallengeClaim(IssuerTypeCiProvider, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}

diff --git a/pkg/config/providers_config.yaml b/pkg/config/providers_config.yaml
@@ -13,3 +13,31 @@
 # limitations under the License.
 
 providers:
+    github-workflow:
+        extensions:
+            build-signer-uri: "{{.url}}/{{.job_workflow_ref}}"
+            build-signer-digest: job_workflow_sha
+            runner-environment: runner_environment
+            source-repository-uri: "{{.url}}/{{.repository}}"
+            source-repository-digest: sha
+            source-repository-ref: ref
+            source-repository-identifier: repository_id
+            source-repository-owner-uri: "{{.url}}/{{.repository_owner}}"
+            source-repository-owner-identifier: repository_owner_id
+            build-config-uri: "{{.url}}/{{.workflow_ref}}"
+            build-config-digest: workflow_sha
+            build-trigger: event_name
+            run-invocation-uri: "{{.url}}/{{.repository}}/actions/runs/{{.run_id}}/attempts/{{.run_attempt}}"
+            source-repository-visibility-at-signing: repository_visibility
+        uris:
+            - "{{.url}}/{{.job_workflow_ref}}"
+        defaults:
+            url: https://github.com
+        meta-issuers:
+            - issuer-url: "https://token.actions.githubusercontent.com/*"
+              client-id: sigstore
+        oidc-issuers:
+            - issuer-url: https://token.actions.githubusercontent.com
+              client-id: sigstore
+              contact: tac@sigstore.dev
+              description: "GitHub Actions OIDC auth"
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
@@ -32,7 +32,7 @@ import (
 func claimsToString(claims map[string]interface{}) map[string]string {
 	stringClaims := make(map[string]string)
 	for k, v := range claims {
-		stringClaims[k] = v.(string)
+		stringClaims[k] = fmt.Sprintf("%v", v)
 	}
 	return stringClaims
 }

diff --git a/pkg/identity/github/issuer.go b/pkg/identity/github/issuer.go
diff --git a/pkg/identity/github/issuer_test.go b/pkg/identity/github/issuer_test.go