dex #14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dex | |
| on: [push, workflow_dispatch] | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| jobs: | |
| job: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Actions have access to two special environment variables ACTIONS_CACHE_URL and ACTIONS_RUNTIME_TOKEN. | |
| # Inline step scripts in workflows do not see these variables. | |
| - uses: actions/github-script@v6 | |
| id: script | |
| timeout-minutes: 10 | |
| with: | |
| debug: true | |
| script: | | |
| const token = process.env['ACTIONS_RUNTIME_TOKEN'] | |
| const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL'] | |
| core.setOutput('TOKEN', token.trim()) | |
| core.setOutput('IDTOKENURL', runtimeUrl.trim()) | |
| - run: | | |
| # get an token from github | |
| GH_TOKEN_RESPONSE=$(curl \ | |
| "${{steps.script.outputs.IDTOKENURL}}" \ | |
| -H "Authorization: bearer ${{steps.script.outputs.TOKEN}}" \ | |
| -H "Accept: application/json; api-version=2.0" \ | |
| -H "Content-Type: application/json" \ | |
| -d "{}" \ | |
| ) | |
| GH_TOKEN=$(jq -r .value <<< $GH_TOKEN_RESPONSE) | |
| IDTOKEN=$(curl -H "Authorization: bearer ${{steps.script.outputs.TOKEN}}" ${{steps.script.outputs.IDTOKENURL}} -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" -d "{}" | jq -r '.value') | |
| echo $IDTOKEN | |
| jwtd() { | |
| if [[ -x $(command -v jq) ]]; then | |
| jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}" | |
| echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')" | |
| fi | |
| } | |
| jwtd $IDTOKEN | |
| echo "idToken=${IDTOKEN}" >> $GITHUB_OUTPUT | |
| echo GH_TOKEN_BASE64=$(echo $IDTOKEN | base64 -w 0) | |
| # exchange it for a dex token | |
| DEX_TOKEN_RESPONSE=$(curl -k \ | |
| https://mke4.pac-catfish.dockerps.io/dex/token \ | |
| --user my-app:my-secret \ | |
| --data-urlencode "connector_id=github-actions" \ | |
| --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ | |
| --data-urlencode "scope=openid groups federated:id" \ | |
| --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:id_token" \ | |
| --data-urlencode "subject_token=$IDTOKEN" \ | |
| --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token") | |
| DEX_TOKEN=$(jq -r .access_token <<< $DEX_TOKEN_RESPONSE) | |
| echo DEX_TOKEN=$DEX_TOKEN | |
| echo DEX_TOKEN_BASE64=$(echo $DEX_TOKEN |base64) | |
| id: tokenid |