respond to code review comments

Signed-off-by: Mario Minardi <mminardi@shaw.ca>
This commit is contained in:
Mario Minardi 2026-01-18 22:06:57 -07:00
parent 3c2b39158b
commit cc4d44e986
4 changed files with 36 additions and 12 deletions


@ -183,9 +183,6 @@ function test_actions() {
if dpkg --compare-versions $version ge 15.0; then
run actions_verify_example workflow-call-expansion
fi
if dpkg --compare-versions $version ge 15.0; then
run actions_verify_example id-tokens
fi
done


@ -5,29 +5,57 @@ jobs:
runs-on: docker
steps:
- run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
- run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/6.2.0/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt
- name: validate token generation works
run: |
DECODED_JWT_BODY=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value" | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
RAW_JWT=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value")
if [[ -z "RAW_JWT" ]]; then
echo "Error: RAW_JWT should be set"
exit 1
fi
DECODED_JWT_BODY=$(echo $RAW_JWT | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
if [[ -z "$DECODED_JWT_BODY" ]]; then
echo "Error: DECODED_JWT_BODY should be set"
exit 1
fi
WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq '.workflow')
AUD=$(echo $DECODED_JWT_BODY | ./jq '.aud')
EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq '.event_name')
if [[ "$WORKFLOW" != '"test.yml"' ]]; then
ISS=$(echo $DECODED_JWT_BODY | ./jq -r '.iss')
if [[ -z "$ISS" ]]; then
echo "Error: ISS should be set"
exit 1
fi
curl "$ISS/.well-known/keys" > jwks.json
JWKS=$(cat ./jwks.json)
if [[ -z "$JWKS" ]]; then
echo "Error: JWKS should be set"
exit 1
fi
# Verify that the JWT decodes with the JWKS data
./jwt decode -S @./jwks.json -A RS256 $RAW_JWT || (echo "Error: failed signature validation" && exit 1)
WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq -r '.workflow')
AUD=$(echo $DECODED_JWT_BODY | ./jq -r '.aud')
EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq -r '.event_name')
SUB=$(echo $DECODED_JWT_BODY | ./jq -r -r '.sub')
if [[ "$WORKFLOW" != "test.yml" ]]; then
echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
exit 1
fi
if [[ "$AUD" != '"exampleAudience"' ]]; then
if [[ "$AUD" != "exampleAudience" ]]; then
echo "Error: AUD should be exampleAudience but is $AUD"
exit 1
fi
if [[ "$EVENT_NAME" != '"push"' ]]; then
if [[ "$EVENT_NAME" != "push" ]]; then
echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
exit 1
fi
if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/head/master" ]]; then
echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/head/master but is $SUB"
exit 1
fi
generation-not-allowed:
enable-openid-connect: false
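Review bot: The empty-token guard at the top of the new `run` block tests a literal, `if [[ -z "RAW_JWT" ]]; then` — the `$` is missing, so the condition is always false and an empty reply from the token endpoint is never reported at that point; it should read `if [[ -z "$RAW_JWT" ]]; then`. The signature check further down runs `exit 1` inside a `( … )` subshell, which only ends the subshell, so the step fails only if the runner's shell has errexit enabled; write it as `./jwt decode -S @./jwks.json -A RS256 "$RAW_JWT" || { echo "Error: failed signature validation"; exit 1; }` so the step fails regardless. The `curl` calls that fetch the token and `$ISS/.well-known/keys` pass no `-f`/`-sS`, so an HTTP error page would be saved as a non-empty `jwks.json` and surface only as a later, less specific failure. The expected subject ends in `ref:refs/head/master`; if it is meant to mirror the GitHub claim layout that segment is `refs/heads/`, so confirm it against what the issuer actually emits before pinning it in the test. The `run` block's enclosing step and job definition continue outside the hunk.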


@ -1 +0,0 @@
15.0


@ -1 +1 @@
https://codeberg.org/mpminardi/forgejo mpminardi/workload-identity 15.0.0-dev-165-789e8a2c3e+gitea-1.22.0
https://codeberg.org/forgejo/forgejo forgejo 15.0.0