Skip to content

Commit

Permalink
Example CI job for GitHub Actions OIDC authenticated notary
Browse files Browse the repository at this point in the history
Token is not available within pull_request context.

Related: slsa-framework/slsa-github-generator#131
Related: slsa-framework/slsa-github-generator#358
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
  • Loading branch information
pdxjohnny committed Sep 12, 2023
1 parent b40b5ee commit d73b102
Showing 1 changed file with 85 additions and 0 deletions.
85 changes: 85 additions & 0 deletions .github/workflows/notarize.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
name: "SCITT Notary"

on:
push:
branches:
- main
paths-ignore:
- '**.md'
workflow_dispatch:
inputs:
scitt-url:
description: 'URL of SCITT instance'
type: string
payload:
description: 'Payload for claim'
default: ''
type: string
workflow_call:
inputs:
scitt-url:
description: 'URL of SCITT instance'
type: string
payload:
description: 'Payload for claim'
type: string

jobs:
notarize:
runs-on: ubuntu-latest
permissions:
id-token: write
env:
SCITT_URL: '${{ inputs.scitt-url || github.event.inputs.scitt-url }}'
PAYLOAD: '${{ inputs.payload || github.event.inputs.payload }}'
steps:
- name: Set defaults if env vars not set (as happens with on.push trigger)
run: |
if [[ "x${SCITT_URL}" = "x" ]]; then
echo "SCITT_URL=http://localhost:8080" >> "${GITHUB_ENV}"
fi
if [[ "x${PAYLOAD}" = "x" ]]; then
echo 'PAYLOAD={"key": "value"}' >> "${GITHUB_ENV}"
fi
- uses: actions/checkout@v4
- name: Set up Python 3.8
uses: actions/setup-python@v4
with:
python-version: 3.8
- name: Install SCITT API Emulator
run: |
pip install -U pip setuptools wheel
pip install .[oidc]
- name: Install github-script dependencies
run: |
npm install @actions/core
- name: Get OIDC token to use as bearer token for auth to SCITT
uses: actions/github-script@v6
id: github-oidc
with:
script: |
const {SCITT_URL} = process.env;
const core = require('@actions/core');
core.setOutput('token', await core.getIDToken(SCITT_URL));
- name: Create claim
run: |
scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload "${PAYLOAD}" --out claim.cose
- name: Submit claim
env:
OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
run: |
# Create the middleware config file
cat > oidc-middleware-config.json <<EOF
{
"issuer": "https://token.actions.githubusercontent.com",
"audience": "${SCITT_URL}"
}
EOF
# Start SCITT using the `OIDCAuthMiddleware` and associated config.
if [[ "x${SCITT_URL}" != "http://localhost:8080" ]]; then
scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
--middleware scitt_emulator.oidc:OIDCAuthMiddleware \
--middleware-config-path oidc-middleware-config.json &
fi
# Submit the claim using OIDC token as auth
scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor

0 comments on commit d73b102

Please sign in to comment.