
job_workflow_ref is insufficient to disambiguate actions workflows #305

Closed
mattmoor opened this issue Jan 3, 2022 · 0 comments · Fixed by #306
Labels
enhancement New feature or request

Comments


mattmoor commented Jan 3, 2022

Description

GitHub launched the ability to call other workflows like a step: https://github.blog/2021-11-29-github-actions-reusable-workflows-is-generally-available/. In these cases the launched job shows up as the job_workflow_ref, and NOT the workflow definition that lives in the user's repository.

Prior to this feature, the job_workflow_ref effectively codified the repo, workflow, and ref attributes into a single string, but with this feature all of that context is now lost!

I believe that the job_workflow_ref is still the correct identity for us to encode (it is what's doing the work), but we should also include (the no longer redundant) metadata about the originating workflow.

We already have a handful of GitHub extensions here:

```go
// Fragment from fulcio's GitHub OIDC handling. AdditionalInfo and the
// GithubWorkflow* keys are defined elsewhere in fulcio; the import below is
// fulcio's OIDC dependency, added here so the fragment reads stand-alone.
import "github.com/coreos/go-oidc/v3/oidc"

func workflowInfoFromIDToken(token *oidc.IDToken) (map[AdditionalInfo]string, error) {
	// Extract custom claims
	var claims struct {
		Sha     string `json:"sha"`
		Trigger string `json:"event_name"`
		// The other fields that are present here seem to depend on the type
		// of workflow trigger that initiated the action.
	}
	if err := token.Claims(&claims); err != nil {
		return nil, err
	}
	// We use this in URIs, so it has to be a URI.
	return map[AdditionalInfo]string{
		GithubWorkflowSha:     claims.Sha,
		GithubWorkflowTrigger: claims.Trigger}, nil
}
```

I'd propose we also add: repo, workflow, and ref to enable folks to disambiguate callers.
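As an added illustration (not code from fulcio or from this issue), the Go program below decodes two constructed GitHub Actions OIDC token payloads that carry the same job_workflow_ref and shows that only the originating repository, workflow and ref tell the two callers apart; a token lacking those claims is rejected rather than certified under an ambiguous identity. The claim names repository, workflow and ref are GitHub's documented token claims, while the AdditionalInfo key names, the sample values and the decision to reject are assumptions of this example; signature verification is left to the OIDC library, so the function takes the already-verified payload.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sha and event_name are the page's existing keys; the other four are the proposed additions. Key and claim names here are assumptions taken from GitHub's OIDC token documentation.
type AdditionalInfo string
const (
	GithubWorkflowSha        AdditionalInfo = "sha"
	GithubWorkflowTrigger    AdditionalInfo = "event_name"
	GithubWorkflowRepository AdditionalInfo = "repository"
	GithubWorkflowName       AdditionalInfo = "workflow"
	GithubWorkflowRef        AdditionalInfo = "ref"
	GithubJobWorkflowRef     AdditionalInfo = "job_workflow_ref"
)

// WorkflowInfoFromPayload reads those claims from a token payload the OIDC library has verified.
func WorkflowInfoFromPayload(payload []byte) (map[AdditionalInfo]string, error) {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	info := map[AdditionalInfo]string{}
	for _, k := range []AdditionalInfo{GithubWorkflowSha, GithubWorkflowTrigger, GithubWorkflowRepository,
		GithubWorkflowName, GithubWorkflowRef, GithubJobWorkflowRef} {
		info[k], _ = claims[string(k)].(string) // absent or non-string claims become ""
	}
	// Without repository/workflow/ref two callers of one reusable workflow are indistinguishable, so reject the token rather than certify an ambiguous identity.
	if info[GithubWorkflowRepository] == "" || info[GithubWorkflowName] == "" || info[GithubWorkflowRef] == "" {
		return nil, fmt.Errorf("token lacks originating-workflow claims (repository/workflow/ref)")
	}
	return info, nil
}

// CallerIdentity renders the originating workflow as repository/workflow@ref.
func CallerIdentity(i map[AdditionalInfo]string) string {
	return i[GithubWorkflowRepository] + "/" + i[GithubWorkflowName] + "@" + i[GithubWorkflowRef]
}

// Constructed payloads: two different repositories calling the same reusable workflow.
const shared = `"job_workflow_ref":"octo-org/shared/.github/workflows/release.yml@refs/heads/main","exp":1641254400`
var CallerA = []byte(`{"sha":"1111","event_name":"push","repository":"octo-org/app-a","workflow":"Release","ref":"refs/tags/v1.0.0",` + shared + `}`)
var CallerB = []byte(`{"sha":"2222","event_name":"push","repository":"octo-org/app-b","workflow":"Release","ref":"refs/tags/v2.3.0",` + shared + `}`)

func main() {
	for _, p := range [][]byte{CallerA, CallerB} {
		info, err := WorkflowInfoFromPayload(p)
		fmt.Println(info[GithubJobWorkflowRef], "called from", CallerIdentity(info), err)
	}
}
```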

@mattmoor mattmoor added the enhancement New feature or request label Jan 3, 2022
jdolitsky added a commit to jdolitsky/fulcio that referenced this issue Jan 3, 2022
Add Repo, Workflow, and Ref fields on the
AdditionalInfo map when parsing GitHub OIDC tokens
in order to identify the originating GitHub Actions
workflow.

Resolves sigstore#305

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
dlorenc pushed a commit that referenced this issue Jan 6, 2022
With reusable github-workflows the "job_workflow_ref" will reference the shared workflow instead of the actual calling workflow.

Fixes #305

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>