OIDC auth middleware with GitHub Actions example workflow #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "SCITT Notary" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**.md' | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| workflow_dispatch: | |
| inputs: | |
| scitt-url: | |
| description: 'URL of SCITT instance' | |
| type: string | |
| payload: | |
| description: 'Payload for claim' | |
| default: '' | |
| type: string | |
| workflow_call: | |
| inputs: | |
| scitt-url: | |
| description: 'URL of SCITT instance' | |
| type: string | |
| payload: | |
| description: 'Payload for claim' | |
| type: string | |
| jobs: | |
| notarize: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| env: | |
| SCITT_URL: '${{ inputs.scitt-url || github.event.inputs.scitt-url }}' | |
| PAYLOAD: '${{ inputs.payload || github.event.inputs.payload }}' | |
| steps: | |
| - name: Set defaults if env vars not set (as happens with on.push trigger) | |
| run: | | |
| if [[ "x${SCITT_URL}" = "x" ]]; then | |
| echo "SCITT_URL=http://localhost:8080" >> "${GITHUB_ENV}" | |
| fi | |
| if [[ "x${PAYLOAD}" = "x" ]]; then | |
| echo 'PAYLOAD={"key": "value"}' >> "${GITHUB_ENV}" | |
| fi | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.8 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.8 | |
| - name: Install SCITT API Emulator | |
| run: | | |
| pip install -U pip setuptools wheel | |
| pip install .[oidc] | |
| - name: Install github-script dependencies | |
| run: | | |
| npm install @actions/core | |
| - name: Get OIDC token to use as bearer token for auth to SCITT | |
| uses: actions/github-script@v6 | |
| id: github-oidc | |
| with: | |
| script: | | |
| const {SCITT_URL} = process.env; | |
| const coredemo = require('@actions/core'); | |
| coredemo.setOutput('token', await coredemo.getIDToken(SCITT_URL)); | |
| - name: Create claim | |
| run: | | |
| scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload "${PAYLOAD}" --out claim.cose | |
| - name: Submit claim | |
| env: | |
| OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}' | |
| run: | | |
| # Create the middleware config file | |
| cat > oidc-middleware-config.json <<EOF | |
| { | |
| "issuer": "https://token.actions.githubusercontent.com", | |
| "audience": "${SCITT_URL}" | |
| } | |
| EOF | |
| # Start SCITT using the `OIDCAuthMiddleware` and associated config. | |
| if [[ "x${SCITT_URL}" != "http://localhost:8080" ]]; then | |
| scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \ | |
| --middleware scitt_emulator.oidc:OIDCAuthMiddleware \ | |
| --middleware-config-path oidc-middleware-config.json & | |
| fi | |
| # Submit the claim using OIDC token as auth | |
| scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor |