From 3c2b39158b50330e08b996eb35a755f5eaa87f8e Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Wed, 31 Dec 2025 13:47:09 -0700
Subject: [PATCH] feat: add OIDC workload identity federation tests
Add end-to-end tests for workload identity federation.
Depends on https://code.forgejo.org/forgejo/runner/pulls/1232
Depends on https://codeberg.org/forgejo/forgejo/pulls/10481
Signed-off-by: Mario Minardi
---
 actions/actions.sh | 4 ++
 .../.forgejo/workflows/test.yml | 45 +++++++++++++++++++
 forgejo/build-from-sources | 1 +
 forgejo/sources/15.0 | 2 +-
 4 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 actions/example-id-tokens/.forgejo/workflows/test.yml
 create mode 100644 forgejo/build-from-sources
diff --git a/actions/actions.sh b/actions/actions.sh
index 9ee52ef0..e1ef3312 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -184,5 +184,9 @@ function test_actions() {
 if dpkg --compare-versions $version ge 15.0; then
 run actions_verify_example workflow-call-expansion
 fi
+
+ if dpkg --compare-versions $version ge 15.0; then
+ run actions_verify_example id-tokens
+ fi
 done
 }
diff --git a/actions/example-id-tokens/.forgejo/workflows/test.yml b/actions/example-id-tokens/.forgejo/workflows/test.yml
new file mode 100644
index 00000000..107891b6
--- /dev/null
+++ b/actions/example-id-tokens/.forgejo/workflows/test.yml
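Review bot: The new `if dpkg --compare-versions $version ge 15.0; then` block repeats the exact condition of the branch immediately above it, so the added call belongs inside that existing branch, `run actions_verify_example id-tokens` on the line after `run actions_verify_example workflow-call-expansion`, rather than behind a second identical version check. Both comparisons also pass `$version` unquoted; `"$version"` is the safer form should the variable ever be empty. The `for` loop closed by the `done` context line and the `test_actions` function body start outside the hunk.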
@@ -0,0 +1,45 @@
+on: [push]
+jobs:
+ generation-allowed:
+ enable-openid-connect: true
+ runs-on: docker
+ steps:
+ - run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
+ - name: validate token generation works
+ run: |
+ DECODED_JWT_BODY=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value" | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
+ if [[ -z "$DECODED_JWT_BODY" ]]; then
+ echo "Error: DECODED_JWT_BODY should be set"
+ exit 1
+ fi
+
+ WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq '.workflow')
+ AUD=$(echo $DECODED_JWT_BODY | ./jq '.aud')
+ EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq '.event_name')
+ if [[ "$WORKFLOW" != '"test.yml"' ]]; then
+ echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
+ exit 1
+ fi
+ if [[ "$AUD" != '"exampleAudience"' ]]; then
+ echo "Error: AUD should be exampleAudience but is $AUD"
+ exit 1
+ fi
+ if [[ "$EVENT_NAME" != '"push"' ]]; then
+ echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
+ exit 1
+ fi
+
+ generation-not-allowed:
+ enable-openid-connect: false
+ runs-on: docker
+ steps:
+ - name: check variables are unset
+ run: |
+ if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then
+ echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+ exit 1
+ fi
+ if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then
+ echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+ exit 1
+ fi
diff --git a/forgejo/build-from-sources b/forgejo/build-from-sources
new file mode 100644
index 00000000..fe6b09a7
--- /dev/null
+++ b/forgejo/build-from-sources
@@ -0,0 +1 @@
+15.0
diff --git a/forgejo/sources/15.0 b/forgejo/sources/15.0
index 595283d3..1f1a4eae 100644
--- a/forgejo/sources/15.0
+++ b/forgejo/sources/15.0
@@ -1 +1 @@
-https://codeberg.org/forgejo/forgejo forgejo 15.0.0
+https://codeberg.org/mpminardi/forgejo mpminardi/workload-identity 15.0.0-dev-165-789e8a2c3e+gitea-1.22.0
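Review bot: The first step of `generation-allowed` downloads `jq` from the unpinned `releases/latest` URL and executes it with no integrity check, and neither that `curl` nor the token-request `curl` uses `--fail`, so a changed upstream artifact or an HTTP error page lands in `./jq` or in the pipeline unnoticed; pin a release tag and verify its digest, e.g. `curl -fsSL -o jq https://github.com/jqlang/jq/releases/download/<tag>/jq-linux-amd64 && echo "<sha256>  jq" | sha256sum -c`, and add `-fsS` to the token request. The JWT payload segment is base64url while jq's `@base64d` decodes the standard alphabet as far as I know, so a token whose second segment happens to contain `-` or `_` will fail to decode and the test fails intermittently; normalise first with `.[1] | gsub("-";"+") | gsub("_";"/") | @base64d | fromjson`. The assertions only cover `workflow`, `aud` and `event_name`, whereas a relying party keys on the issuer and subject, so the end-to-end test would be far more convincing if it also asserted `iss`, `sub` and `exp` (presumably present; confirm against the Forgejo implementation) and ideally validated the signature against the issuer's JWKS. In the `generation-not-allowed` job the second error message reads `echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"` but guards `$ACTIONS_ID_TOKEN_REQUEST_URL`, so it should say `ACTIONS_ID_TOKEN_REQUEST_URL`. The three `echo $DECODED_JWT_BODY` pipelines should quote the variable, `echo "$DECODED_JWT_BODY"`, so the JSON is not word-split or glob-expanded.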
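Review bot: The 15.0 source line now points the build at a personal fork and a mutable branch, `https://codeberg.org/mpminardi/forgejo mpminardi/workload-identity`, instead of `forgejo/forgejo`, so whatever that branch head is at build time is what gets built and tested; the commit message's two "Depends on" lines suggest this is a temporary pointer until the upstream PRs land. The `789e8a2c3e` in the version string looks like a commit id, but from this line alone it is not clear the build script uses it as a pin rather than a label. If the override has to stay in for now, pin an immutable commit rather than a branch name, and make sure the line is reverted to `https://codeberg.org/forgejo/forgejo forgejo 15.0.0` (or the then-current release) before this is merged.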