Documentation
Overview
Package actionsoidc fetches OIDC ID tokens from the GitHub/Forgejo Actions token endpoint. Both providers expose the same contract: a job granted the 'id-token: write' permission gets the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables, and a GET request to that URL with the request token as a bearer credential returns a JSON object with the ID token in its "value" field.
Constants
const (
	// EnvRequestURL is the environment variable holding the URL of the
	// GitHub/Forgejo Actions OIDC token request endpoint.
	EnvRequestURL = "ACTIONS_ID_TOKEN_REQUEST_URL"
	// EnvRequestToken is the environment variable holding the bearer token used
	// to authenticate the request to the endpoint in EnvRequestURL.
	EnvRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
)
Variables
This section is empty.
Functions
func FetchToken
FetchToken requests an OIDC ID token for the given audience from the GitHub/Forgejo Actions token endpoint. The endpoint URL and the request bearer token are read from the EnvRequestURL and EnvRequestToken environment variables, which Actions injects into a job that has the 'id-token: write' permission.
It returns the ID token and its expiration time. The expiration is read from the token's 'exp' claim without verifying the signature: the token was issued by the trusted endpoint one HTTP call ago, and the expiry is only used by callers to schedule re-minting.
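The contract described above, written out as an added example that is not this package's own code: a hypothetical `fetchIDToken` helper performs the bearer-authenticated GET, reads the "value" field, and takes the expiry from the unverified 'exp' claim. Sending the audience as an `audience` query parameter follows GitHub's documented usage and is an assumption about this package; the audience string in `main` is a constructed placeholder.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// fetchIDToken is a hypothetical helper (not the package's FetchToken); the "audience" query parameter is an assumption.
func fetchIDToken(audience string) (string, time.Time, error) {
	var exp time.Time
	reqURL, bearer := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	u, err := url.Parse(reqURL)
	if err != nil || reqURL == "" || bearer == "" {
		return "", exp, fmt.Errorf("request URL/token unset or invalid; is 'id-token: write' granted?")
	}
	q := u.Query() // keep any query the runner already put on the URL
	q.Set("audience", audience)
	u.RawQuery = q.Encode()
	req, _ := http.NewRequest(http.MethodGet, u.String(), nil)
	req.Header.Set("Authorization", "Bearer "+bearer)
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return "", exp, err
	}
	defer resp.Body.Close()
	var body struct{ Value string `json:"value"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil {
		return "", exp, fmt.Errorf("token endpoint: status %s or undecodable body", resp.Status)
	}
	// Unverified read of 'exp', used for scheduling only; never an authorization input.
	var claims struct{ Exp int64 `json:"exp"` }
	if parts := strings.Split(body.Value, "."); len(parts) == 3 {
		raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
		_ = json.Unmarshal(raw, &claims) // any failure leaves claims.Exp at 0
	}
	if claims.Exp == 0 {
		return "", exp, fmt.Errorf("value is not a JWT with a usable exp claim")
	}
	return body.Value, time.Unix(claims.Exp, 0), nil
}

func main() { fmt.Println(fetchIDToken("sts.example.invalid")) } // constructed audience
```

The party that accepts the token still has to verify its signature, issuer and audience; the unverified 'exp' here only tells the caller when to request a fresh one.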
Types
This section is empty.