Use oidc-user and oidc-token to run actions in a container
What is the expected way to run a GitHub Action in a container from an Artifactory private registry using OIDC authentication? As far as I can tell the credentials need to be provided prior to any steps being executed, and secrets can't be passed between jobs.
hello-from-container:
  runs-on: ubuntu-latest
  needs: login-via-oidc
  container:
    image: ${{ env.registry }}/ubuntu:latest
    credentials:
      username: "${{ needs.login-via-oidc.outputs.docker_user }}"
      password: "${{ needs.login-via-oidc.outputs.docker_pass }}"
  steps:
    - name: hello
      run: |
        echo hello
Thanks for the question!
Once the next version of the JFrog CLI is released with OIDC support — specifically the new jf exchange-oidc-token (jf eot) command — you'll be able to extract a username and password (access token) at any step you'd like and use it as needed in your pipeline.
Does this approach sound like it would fit your use case? Would love to hear your thoughts so we can make sure it covers what you need.
Hi @EyalDelarea,
I'm not sure the new command will help. The issue, as I see it, is that the credentials (username and a token) have to be provided prior to the execution of the steps. JFrog CLI can be called as a step of the workflow, not beforehand.
I am guessing the expected use case is something like the following...
hello-from-container:
  runs-on: ubuntu-latest
  steps:
    - id: setup
      name: setup jfrog
      uses: jfrog/setup-jfrog-cli@v4
      with:
        ...
    - name: authenticate docker client
      # outputs of a step in the same job are read from the steps context, not needs
      run: >-
        echo "${{ steps.setup.outputs.oidc-token }}" | docker login my.registry -u
        "${{ steps.setup.outputs.oidc-user }}" --password-stdin
    - name: hello from container
      # pass the command as separate arguments; a single quoted string would be
      # looked up as one executable named "echo hello world"
      run: docker run --rm my.registry/my-image:tag echo hello world
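The pattern sketched above, written out as a complete workflow. This is an added example, not code from the thread or from JFrog; it assumes a registry host `my.registry`, a JFrog OIDC provider named `my-github-provider` and a `JF_URL` repository variable (all placeholders), and it relies on `jfrog/setup-jfrog-cli@v4` exposing the `oidc-user` and `oidc-token` outputs the post above expects. The job grants itself only `id-token: write` (needed to request the GitHub OIDC token) plus read access to the repository, and the short-lived token is handed to `docker login` on stdin so it never appears in the process list.

```yaml
name: hello-from-private-registry

on:
  push:
    branches: [main]

jobs:
  hello-from-container:
    runs-on: ubuntu-latest
    # least privilege: the job can mint an OIDC token and read the repo, nothing else
    permissions:
      id-token: write
      contents: read
    env:
      # placeholder: Artifactory base URL, e.g. https://<org>.jfrog.io
      JF_URL: ${{ vars.JF_URL }}
    steps:
      - uses: actions/checkout@v4

      - id: setup
        name: exchange GitHub OIDC token for Artifactory credentials
        uses: jfrog/setup-jfrog-cli@v4
        with:
          # placeholder: name of the OIDC provider configured in the JFrog Platform
          oidc-provider-name: my-github-provider

      - name: authenticate docker client
        # the access token is piped on stdin rather than passed as -p,
        # so it is not visible in `ps` output or shell history
        run: >-
          echo "${{ steps.setup.outputs.oidc-token }}" |
          docker login my.registry
          -u "${{ steps.setup.outputs.oidc-user }}" --password-stdin

      - name: hello from container
        # image is pulled with the credentials stored by docker login above
        run: docker run --rm my.registry/my-image:tag echo hello world

      - name: logout
        # always drop the stored credential from the runner, even if a step failed
        if: always()
        run: docker logout my.registry
```

Because the login and the `docker run` happen inside ordinary steps of one job, the credentials never need to exist before the job starts, which sidesteps the `container:` limitation raised in the question.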