feat: add OIDC workload identity federation tests

Add end-to-end tests for workload identity federation. Depends on https://code.forgejo.org/forgejo/runner/pulls/1232 Depends on https://codeberg.org/forgejo/forgejo/pulls/10481 Signed-off-by: Mario Minardi <mminardi@shaw.ca>
2025-12-31 13:47:09 -07:00 · 2025-12-31 13:47:09 -07:00 · 3c2b39158b
commit 3c2b39158b
parent 372409f76b
4 changed files with 51 additions and 1 deletions
--- a/actions/actions.sh
+++ b/actions/actions.sh
@ -184,5 +184,9 @@ function test_actions() {
        if dpkg --compare-versions $version ge 15.0; then
            run actions_verify_example workflow-call-expansion
        fi
+
+        if dpkg --compare-versions $version ge 15.0; then
+            run actions_verify_example id-tokens
+        fi
    done
 }
--- a/actions/example-id-tokens/.forgejo/workflows/test.yml
+++ b/actions/example-id-tokens/.forgejo/workflows/test.yml
@ -0,0 +1,45 @@
+on: [push]
+jobs:
+    generation-allowed:
+        enable-openid-connect: true
+        runs-on: docker
+        steps:
+            - run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
+            - name: validate token generation works
+              run: |
+                  DECODED_JWT_BODY=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value" | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
+                  if [[ -z "$DECODED_JWT_BODY" ]]; then
+                    echo "Error: DECODED_JWT_BODY should be set"
+                    exit 1
+                  fi
+
+                  WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq '.workflow')
+                  AUD=$(echo $DECODED_JWT_BODY | ./jq '.aud')
+                  EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq '.event_name')
+                  if [[ "$WORKFLOW" != '"test.yml"' ]]; then
+                    echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
+                    exit 1
+                  fi
+                  if [[ "$AUD" != '"exampleAudience"' ]]; then
+                    echo "Error: AUD should be exampleAudience but is $AUD"
+                    exit 1
+                  fi
+                  if [[ "$EVENT_NAME" != '"push"' ]]; then
+                    echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
+                    exit 1
+                  fi
+
+    generation-not-allowed:
+        enable-openid-connect: false
+        runs-on: docker
+        steps:
+            - name: check variables are unset
+              run: |
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi