From cc4d44e986c0e802963237a5e64c7b829b47d189 Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Sun, 18 Jan 2026 22:06:57 -0700
Subject: [PATCH] respond to code review comments
Signed-off-by: Mario Minardi
---
 actions/actions.sh | 3 --
 .../.forgejo/workflows/test.yml | 42 +++++++++++++++----
 forgejo/build-from-sources | 1 -
 forgejo/sources/15.0 | 2 +-
 4 files changed, 36 insertions(+), 12 deletions(-)
 delete mode 100644 forgejo/build-from-sources
diff --git a/actions/actions.sh b/actions/actions.sh
index e1ef3312..0b200824 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -183,9 +183,6 @@ function test_actions() {
 if dpkg --compare-versions $version ge 15.0; then
 run actions_verify_example workflow-call-expansion
- fi
-
- if dpkg --compare-versions $version ge 15.0; then
 run actions_verify_example id-tokens
 fi
 done
diff --git a/actions/example-id-tokens/.forgejo/workflows/test.yml b/actions/example-id-tokens/.forgejo/workflows/test.yml
index 107891b6..65e0f0b8 100644
--- a/actions/example-id-tokens/.forgejo/workflows/test.yml
+++ b/actions/example-id-tokens/.forgejo/workflows/test.yml
@@ -5,29 +5,57 @@ jobs:
 runs-on: docker
 steps:
 - run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
+ - run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/6.2.0/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt
 - name: validate token generation works
 run: |
- DECODED_JWT_BODY=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value" | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
+ RAW_JWT=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value")
+ if [[ -z "RAW_JWT" ]]; then
+ echo "Error: RAW_JWT should be set"
+ exit 1
+ fi
+
+ DECODED_JWT_BODY=$(echo $RAW_JWT | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
 if [[ -z "$DECODED_JWT_BODY" ]]; then
 echo "Error: DECODED_JWT_BODY should be set"
 exit 1
 fi
- WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq '.workflow')
- AUD=$(echo $DECODED_JWT_BODY | ./jq '.aud')
- EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq '.event_name')
- if [[ "$WORKFLOW" != '"test.yml"' ]]; then
+ ISS=$(echo $DECODED_JWT_BODY | ./jq -r '.iss')
+ if [[ -z "$ISS" ]]; then
+ echo "Error: ISS should be set"
+ exit 1
+ fi
+
+ curl "$ISS/.well-known/keys" > jwks.json
+ JWKS=$(cat ./jwks.json)
+ if [[ -z "$JWKS" ]]; then
+ echo "Error: JWKS should be set"
+ exit 1
+ fi
+
+ # Verify that the JWT decodes with the JWKS data
+ ./jwt decode -S @./jwks.json -A RS256 $RAW_JWT || (echo "Error: failed signature validation" && exit 1)
+
+ WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq -r '.workflow')
+ AUD=$(echo $DECODED_JWT_BODY | ./jq -r '.aud')
+ EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq -r '.event_name')
+ SUB=$(echo $DECODED_JWT_BODY | ./jq -r -r '.sub')
+ if [[ "$WORKFLOW" != "test.yml" ]]; then
 echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
 exit 1
 fi
- if [[ "$AUD" != '"exampleAudience"' ]]; then
+ if [[ "$AUD" != "exampleAudience" ]]; then
 echo "Error: AUD should be exampleAudience but is $AUD"
 exit 1
 fi
- if [[ "$EVENT_NAME" != '"push"' ]]; then
+ if [[ "$EVENT_NAME" != "push" ]]; then
 echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
 exit 1
 fi
+ if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/head/master" ]]; then
+ echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/head/master but is $SUB"
+ exit 1
+ fi
 generation-not-allowed:
 enable-openid-connect: false
diff --git a/forgejo/build-from-sources b/forgejo/build-from-sources
deleted file mode 100644
index fe6b09a7..00000000
--- a/forgejo/build-from-sources
+++ /dev/null
@@ -1 +0,0 @@
-15.0
diff --git a/forgejo/sources/15.0 b/forgejo/sources/15.0
index 1f1a4eae..595283d3 100644
--- a/forgejo/sources/15.0
+++ b/forgejo/sources/15.0
@@ -1 +1 @@
-https://codeberg.org/mpminardi/forgejo mpminardi/workload-identity 15.0.0-dev-165-789e8a2c3e+gitea-1.22.0
+https://codeberg.org/forgejo/forgejo forgejo 15.0.0
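Review bot: The new guard `if [[ -z "RAW_JWT" ]]; then` tests the literal string RAW_JWT rather than the variable, so it can never fire and an empty token silently reaches the jq decode; it should read `if [[ -z "$RAW_JWT" ]]; then`. The signature check below it, `./jwt decode ... || (echo "Error: failed signature validation" && exit 1)`, runs `exit 1` inside a `( … )` subshell, so unless the runner's shell has errexit enabled (not visible in this patch) a failed verification only ends the subshell and the step keeps going; `|| { echo "Error: failed signature validation" >&2; exit 1; }` fails the step in either case. The JWKS fetch `curl "$ISS/.well-known/keys" > jwks.json` will store an HTTP error body as the key set and the non-empty JWKS check still passes, so `curl -fsS` is worth adding; also, `iss` is read from the not-yet-verified token payload, so for a test of the trust chain it is worth asserting that `$ISS` equals the expected instance URL before fetching keys from it. Minor: `./jq -r -r '.sub'` repeats the `-r` flag, and `$RAW_JWT` is unquoted in both the `echo` and the `./jwt decode` invocation.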