Add support for fetching and using a GitHub Actions OIDC token

Open evankanderson opened this issue 1 year ago • 0 comments

Please describe the enhancement

With https://github.com/mindersec/minder/issues/5145, the Minder server will be able to accept a GitHub Actions OIDC token for authentication. If no other authentication source is available (MINDER_AUTH_TOKEN, ~/.config/minder/credentials.json, etc), the Minder CLI should check for the ACTIONS_ID_TOKEN_REQUEST_URL environment variable (and the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable), and use those to fetch an OIDC token to present to the Minder service.

See https://github.com/evankanderson/actions-id-token-testing/blob/main/.github/workflows/minder-auth-token-test.yaml#L17 for an example in shell of this flow.

Solution Proposal

When used in GitHub Actions flows where no other credentials are available, the Minder CLI should automatically authenticate using the ambient GitHub Actions OIDC identity, with an audience of minder (or as set by configuration / determined by #5145).

Describe alternatives you've considered

Manually setting MINDER_AUTH_TOKEN in GitHub Actions, which is a bit gross to document.

Additional context

No response

Acceptance Criteria

No response

evankanderson, Dec 05 '24 13:12