docs icon indicating copy to clipboard operation
docs copied to clipboard

Published 20 hours ago verified publisher icon github

Clarify use of repository and context claims in OIDC setup

Open johanredeploy opened this issue 2 years ago • 9 comments

Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

What part(s) of the article would you like to see updated?

The article contains a list of possible claims here.

Repository claim

One of these claims is repository, which corresponds to repository name and the owner. However, the subject examples do not reference this claim name but rather repo:

repo:octo-org/octo-repo:environment:prod

In the above subject, environment is a claim listed in table of available claims but repo is not listed. Additionally, the API accepts repo but not repository. This sample also only talks about repo.

A clarification of this claim would be nice.

Context claim

This section talks about using context.

It goes on to say:

This example also demonstrates how to use "context" to define your conditions. This is the part that follows the repository in the default sub format. For example, when the job references an environment, the context contains: environment:<environmentName>.

I can't piece this one together from the available informationl. What can contextcontain? If it is always everything after repo, what happens when I customize my token claims?

The default sub format then mentions the job context, which in turn doesn't mention environment as a part of that context.

Some more samples to clarify the use of context would be nice.

Additional information

No response

johanredeploy avatar Nov 25 '22 10:11 johanredeploy

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

welcome[bot] avatar Nov 25 '22 10:11 welcome[bot]

@johanredeploy Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:

cmwilson21 avatar Nov 25 '22 16:11 cmwilson21

Sorry, I forgot to mention one thing above.

Example: Granting access to a specific repository links to Customizing the token URL for an enterprise, which seems to lead nowhere.

ghost avatar Nov 28 '22 09:11 ghost

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:

github-actions[bot] avatar Nov 30 '22 01:11 github-actions[bot]

None

remadrivan avatar Dec 04 '22 07:12 remadrivan

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jan 01 '23 16:01 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jan 31 '23 16:01 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Mar 02 '23 16:03 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Apr 12 '23 16:04 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jul 12 '23 16:07 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Aug 10 '23 16:08 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Sep 08 '23 16:09 github-actions[bot]

I'm not sure what the hold up has been with this. I'll get some expert 👀 to take a look at this.

As regards this:

Example: Granting access to a specific repository links to Customizing the token URL for an enterprise, which seems to lead nowhere.

The link seems to have been fixed now.

hubwriter avatar Sep 15 '23 13:09 hubwriter

An SME in this area has told me:

repo is the same as repository. repo prefix in the subject claim contains NWO for the repository. repository claim in ID token would have the same data.

I don't personally know enough about this area to determine exactly what changes we need to make. If anyone reading this issue feels confident to suggest changes then it would be great if you can create a pull request and we can get a technical review of it.

Meanwhile I'll continue looking for some more assistance with this.

hubwriter avatar Sep 15 '23 15:09 hubwriter

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Oct 13 '23 16:10 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Nov 29 '23 16:11 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jan 04 '24 16:01 github-actions[bot]