From b3299acd69207c9c0802d14988ff83e4337cba17 Mon Sep 17 00:00:00 2001 From: Mario Minardi Date: Thu, 22 Jan 2026 15:22:22 +0000 Subject: [PATCH] feat: add OIDC workload identity federation tests (#1364) Add end-to-end tests for workload identity federation. Depends on https://code.forgejo.org/forgejo/runner/pulls/1232 Depends on https://codeberg.org/forgejo/forgejo/pulls/10481 Signed-off-by: Mario Minardi Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1364 Reviewed-by: Michael Kriese Reviewed-by: Mathieu Fenniak Co-authored-by: Mario Minardi Co-committed-by: Mario Minardi --- actions/actions.sh | 1 + .../.forgejo/workflows/test.yml | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 actions/example-id-tokens/.forgejo/workflows/test.yml diff --git a/actions/actions.sh b/actions/actions.sh index 9ee52ef0..0b200824 100755 --- a/actions/actions.sh +++ b/actions/actions.sh @@ -183,6 +183,7 @@ function test_actions() { if dpkg --compare-versions $version ge 15.0; then run actions_verify_example workflow-call-expansion + run actions_verify_example id-tokens fi done } diff --git a/actions/example-id-tokens/.forgejo/workflows/test.yml b/actions/example-id-tokens/.forgejo/workflows/test.yml new file mode 100644 index 00000000..31c49156 --- /dev/null +++ b/actions/example-id-tokens/.forgejo/workflows/test.yml @@ -0,0 +1,78 @@ +on: [push] + +env: + JWT_CLI_VERSION: 6.2.0 # renovate: datasource=github-releases depName=jwt-cli packageName=mike-engel/jwt-cli + +jobs: + generation-allowed: + enable-openid-connect: true + runs-on: docker + container: + image: data.forgejo.org/oci/ci:1 + steps: + - run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/${{ env.JWT_CLI_VERSION }}/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt + - name: validate token generation works + run: | + RAW_JWT=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | jq -r ".value") + if [[ -z "RAW_JWT" ]]; then + echo "Error: RAW_JWT should be set" + exit 1 + fi + + DECODED_JWT_BODY=$(echo $RAW_JWT | jq -R 'split(".") | .[1] | @base64d | fromjson') + if [[ -z "$DECODED_JWT_BODY" ]]; then + echo "Error: DECODED_JWT_BODY should be set" + exit 1 + fi + + ISS=$(echo $DECODED_JWT_BODY | jq -r '.iss') + if [[ -z "$ISS" ]]; then + echo "Error: ISS should be set" + exit 1 + fi + + curl "$ISS/.well-known/keys" > jwks.json + JWKS=$(cat ./jwks.json) + if [[ -z "$JWKS" ]]; then + echo "Error: JWKS should be set" + exit 1 + fi + + # Verify that the JWT decodes with the JWKS data + ./jwt decode -S @./jwks.json -A RS256 $RAW_JWT || (echo "Error: failed signature validation" && exit 1) + + WORKFLOW=$(echo $DECODED_JWT_BODY | jq -r '.workflow') + AUD=$(echo $DECODED_JWT_BODY | jq -r '.aud') + EVENT_NAME=$(echo $DECODED_JWT_BODY | jq -r '.event_name') + SUB=$(echo $DECODED_JWT_BODY | jq -r '.sub') + if [[ "$WORKFLOW" != "test.yml" ]]; then + echo "Error: WORKFLOW should be test.yml but is $WORKFLOW" + exit 1 + fi + if [[ "$AUD" != "exampleAudience" ]]; then + echo "Error: AUD should be exampleAudience but is $AUD" + exit 1 + fi + if [[ "$EVENT_NAME" != "push" ]]; then + echo "Error: EVENT_NAME should be push but is $EVENT_NAME" + exit 1 + fi + if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/heads/main" ]]; then + echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/heads/main but is $SUB" + exit 1 + fi + + generation-not-allowed: + enable-openid-connect: false + runs-on: docker + steps: + - name: check variables are unset + run: | + if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then + echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset" + exit 1 + fi + if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then + echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset" + exit 1 + fi