Documentation ¶
Index ¶
Constants ¶
const IssuerURL = "https://token.actions.githubusercontent.com"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type IDTokenClaims ¶
type IDTokenClaims struct {
	// Sub, also known as Subject, is a string that roughly uniquely identifies
	// the workload. The format of this varies depending on the type of
	// GitHub Actions run.
	Sub string `json:"sub"`
	// The personal account that initiated the workflow run.
	Actor string `json:"actor"`
	// The ID of the personal account that initiated the workflow run.
	ActorID string `json:"actor_id"`
	// The target branch of the pull request in a workflow run.
	BaseRef string `json:"base_ref"`
	// The name of the environment used by the job.
	Environment string `json:"environment"`
	// The name of the event that triggered the workflow run.
	EventName string `json:"event_name"`
	// The source branch of the pull request in a workflow run.
	HeadRef string `json:"head_ref"`
	// This is the ref path to the reusable workflow used by this job.
	JobWorkflowRef string `json:"job_workflow_ref"`
	// The git ref that triggered the workflow run.
	Ref string `json:"ref"`
	// The type of ref, for example: "branch".
	RefType string `json:"ref_type"`
	// The visibility of the repository where the workflow is running.
	// Accepts the following values: internal, private, or public.
	RepositoryVisibility string `json:"repository_visibility"`
	// The repository from where the workflow is running.
	// This includes the name of the owner, e.g. `gravitational/teleport`.
	Repository string `json:"repository"`
	// The ID of the repository from where the workflow is running.
	RepositoryID string `json:"repository_id"`
	// The name of the organization in which the repository is stored.
	RepositoryOwner string `json:"repository_owner"`
	// The ID of the organization in which the repository is stored.
	RepositoryOwnerID string `json:"repository_owner_id"`
	// The ID of the workflow run that triggered the workflow.
	RunID string `json:"run_id"`
	// The number of times this workflow has been run.
	RunNumber string `json:"run_number"`
	// The number of times this workflow run has been retried.
	RunAttempt string `json:"run_attempt"`
	// SHA is the commit SHA that triggered the workflow run.
	SHA string `json:"sha"`
	// The name of the workflow.
	Workflow string `json:"workflow"`
}
IDTokenClaims is the structure of claims contained within a GitHub-issued ID token.
See the following for the structure: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
type IDTokenSource ¶
type IDTokenSource struct {
// contains filtered or unexported fields
}
IDTokenSource allows a GitHub ID token to be fetched whilst executing within the context of a GitHub actions workflow.
func NewIDTokenSource ¶
func NewIDTokenSource() *IDTokenSource
func (*IDTokenSource) GetIDToken ¶
func (ip *IDTokenSource) GetIDToken(ctx context.Context) (string, error)
GetIDToken uses values set in the environment and the GitHub API to fetch a GitHub-issued ID token.
type IDTokenValidator ¶
type IDTokenValidator struct {
	IDTokenValidatorConfig
	// contains filtered or unexported fields
}
func NewIDTokenValidator ¶
func NewIDTokenValidator(cfg IDTokenValidatorConfig) *IDTokenValidator
func (*IDTokenValidator) Validate ¶
func (id *IDTokenValidator) Validate(ctx context.Context, token string) (*IDTokenClaims, error)
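Validate only establishes that a token is genuine and unexpired; deciding which workload the claims should be trusted for is the caller's job, and the claim set above is what that decision is made on. The following is an added example, not code from this package or from Teleport: it copies a trimmed IDTokenClaims type with the same json tags so it runs without the package, and the AllowRule type, the Authorize function and the two claim payloads are constructed for illustration (the sub values follow GitHub's documented formats but are sample data, as is the repository ID). It assumes the JSON passed to Authorize is the verified claim set that Validate has already returned.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// IDTokenClaims is a trimmed copy of the package's struct, with the same json
// tags, so a verified claims payload can be decoded here without the package.
type IDTokenClaims struct {
	Sub                  string `json:"sub"`
	Repository           string `json:"repository"`
	RepositoryID         string `json:"repository_id"`
	RepositoryOwner      string `json:"repository_owner"`
	Ref                  string `json:"ref"`
	RefType              string `json:"ref_type"`
	Environment          string `json:"environment"`
	EventName            string `json:"event_name"`
	RepositoryVisibility string `json:"repository_visibility"`
}

// AllowRule is a hypothetical join rule (not part of the package). Every
// non-empty field must equal the matching claim exactly; an empty field
// matches any value. Repository is always required, so a rule can never
// accidentally admit every repository on GitHub.
type AllowRule struct {
	Repository   string
	RepositoryID string // the numeric ID survives renames; pin it when known
	Ref          string
	RefType      string
	Environment  string
	EventName    string
}

func (r AllowRule) matches(c IDTokenClaims) bool {
	if r.Repository == "" || r.Repository != c.Repository {
		return false
	}
	checks := [][2]string{
		{r.RepositoryID, c.RepositoryID},
		{r.Ref, c.Ref},
		{r.RefType, c.RefType},
		{r.Environment, c.Environment},
		{r.EventName, c.EventName},
	}
	for _, ck := range checks {
		if ck[0] != "" && ck[0] != ck[1] {
			return false
		}
	}
	return true
}

// Authorize decodes a claims payload that Validate has already verified and
// reports whether any rule allows it. A malformed payload or one without a
// repository claim is an error, never an allow.
func Authorize(rules []AllowRule, claimsJSON []byte) (bool, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return false, fmt.Errorf("decode claims: %w", err)
	}
	if c.Repository == "" {
		return false, errors.New("claims missing repository")
	}
	for _, r := range rules {
		if r.matches(c) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample payloads (not real tokens): a push to main on the pinned
// repository, and a pull_request run on the same repository.
var (
	PushClaims = []byte(`{"sub":"repo:example-org/example-app:ref:refs/heads/main",
	  "repository":"example-org/example-app","repository_id":"123456",
	  "repository_owner":"example-org","ref":"refs/heads/main","ref_type":"branch",
	  "event_name":"push","repository_visibility":"private"}`)
	PRClaims = []byte(`{"sub":"repo:example-org/example-app:pull_request",
	  "repository":"example-org/example-app","repository_id":"123456",
	  "repository_owner":"example-org","ref":"refs/pull/42/merge","ref_type":"branch",
	  "event_name":"pull_request","repository_visibility":"private"}`)
)

// ProductionRules admits only push runs on main of the pinned repository.
var ProductionRules = []AllowRule{{
	Repository:   "example-org/example-app",
	RepositoryID: "123456",
	Ref:          "refs/heads/main",
	EventName:    "push",
}}

func main() {
	for name, payload := range map[string][]byte{"push": PushClaims, "pull_request": PRClaims} {
		ok, err := Authorize(ProductionRules, payload)
		fmt.Printf("%s: allowed=%v err=%v\n", name, ok, err)
	}
}
```

The pull_request payload is rejected even though it names the same repository, because its ref and event_name differ from the rule; matching on repository alone would let any branch or pull request of that repository obtain whatever the token is exchanged for.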
type IDTokenValidatorConfig ¶
type IDTokenValidatorConfig struct {
	// Clock is used by the validator when checking expiry and issuer times of
	// tokens. If omitted, a real clock will be used.
	Clock clockwork.Clock
	// IssuerURL is the URL of the OIDC token issuer, on which the
	// /.well-known/openid-configuration endpoint can be found.
	// If this is omitted, a default value will be set.
	IssuerURL string
}