create-github-app-token
How to use with actions toolkit core to getIDToken for OIDC?
In my workflow, I use aws-actions/configure-aws-credentials for OIDC authentication via GitHub.
This is a sample workflow:
```yaml
name: Build
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ROLE_ARN }}
          aws-region: us-east-1
```
It fails because the configure-aws-credentials action needs to get a JWT from GitHub using @actions/core, which in turn requires the environment variables below to be set:
- ACTIONS_ID_TOKEN_REQUEST_TOKEN
- ACTIONS_ID_TOKEN_REQUEST_URL
It seems these are only set when adding `permissions` with `id-token: write` to my workflow, but since I'm using my custom GitHub App token, I was expecting not to be required to add `permissions` to my workflow, since I want to leverage my GitHub App permissions, and `permissions`, as far as I know, is used to configure permissions for the `GITHUB_TOKEN` auto-generated by workflows (not for my custom app token).
Is it possible for the create-github-app-token to set the ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL so it can be used seamlessly with the actions/toolkit from GitHub (not only by AWS, but any action that relies on it for OIDC authentication)?
Thanks!!!
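The precondition described in the post, as an added example (not part of the original post, and not the code of @actions/core or of either action): a preflight that reports which of the two runner-provided variables are missing and builds the ID token request that GitHub documents for OIDC. The function names, sample endpoint, sample token and the `sts.amazonaws.com` audience are assumptions chosen for illustration.

```javascript
// Added example. The runner exposes these two variables only to jobs that
// declare `permissions: id-token: write`.
const OIDC_VARS = ['ACTIONS_ID_TOKEN_REQUEST_URL', 'ACTIONS_ID_TOKEN_REQUEST_TOKEN'];

// Names of the OIDC variables that are absent (or empty) in `env`.
function missingOidcVars(env) {
  return OIDC_VARS.filter((name) => !env[name]);
}

// Build the request for the runner's ID token endpoint:
// GET <request URL>&audience=<aud> with the request token as a bearer credential.
function buildIdTokenRequest(env, audience) {
  const missing = missingOidcVars(env);
  if (missing.length > 0) {
    throw new Error(
      `OIDC unavailable, missing: ${missing.join(', ')} ` +
        '(the job needs permissions: id-token: write)'
    );
  }
  const url = new URL(env.ACTIONS_ID_TOKEN_REQUEST_URL);
  if (audience) url.searchParams.set('audience', audience);
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}` },
  };
}

// Fetch the JWT inside a real job (Node 18+ global fetch). Not called here,
// so the example runs offline. The endpoint returns JSON with the JWT in `value`.
async function requestIdToken(env, audience) {
  const { url, headers } = buildIdTokenRequest(env, audience);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`ID token request failed: HTTP ${res.status}`);
  return (await res.json()).value;
}

// Constructed sample values; a real runner supplies its own URL and token.
const SAMPLE_ENV = {
  ACTIONS_ID_TOKEN_REQUEST_URL: 'https://runner.example.invalid/idtoken?api-version=2.0',
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed-request-token',
};

// Print only variable names and the URL, never the bearer token itself.
console.log('missing in this process:', missingOidcVars(process.env));
console.log('sample request URL:', buildIdTokenRequest(SAMPLE_ENV, 'sts.amazonaws.com').url);
```

Run as an early step in the job, `missingOidcVars(process.env)` separates a job that lacks the ID token permission from a later failure in the cloud provider's trust policy.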