Use public beacon OIDC tokens for all repo types

landongrindheim · landongrindheim · commit 69c426efc9b4 · 2025-10-20T13:21:48.000-04:00
Signed-off-by: Landon Grindheim &lt;landon.grindheim@gmail.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -166,8 +166,7 @@ jobs:
       - setup-oidc
     runs-on: ubuntu-latest
     name: Smoketest
-    permissions:
-      id-token: write
+    permissions: {}
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/setup-oidc.yml b/.github/workflows/setup-oidc.yml
@@ -31,26 +31,12 @@ jobs:
         with:
           persist-credentials: false
 
-      # For fork PRs, fetch a public OIDC token from the beacon since forks don't get id-token: write
-      - name: Get public OIDC token for fork PRs
+      - name: Get public OIDC token from the beacon
         uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main
-        if: github.event.pull_request.head.repo.fork == true
 
       - name: Configure OIDC environment
         id: configure
-        env:
-          SERVER_URL: ${{ github.server_url }}
-          REPOSITORY: ${{ github.repository }}
-          WORKFLOW_NAME: ${{ inputs.workflow_name }}
-          REF: ${{ github.ref }}
         run: |
-          if [ -f ./oidc-token.txt ]; then
-            # Using beacon token from fork PR
-            TOKEN=$(cat ./oidc-token.txt)
-            printf '%s\n' "identity-token-args=--identity-token ${TOKEN}" >> "$GITHUB_OUTPUT"
-            printf '%s\n' 'cert-identity=https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/beacon.yml@refs/heads/main' >> "$GITHUB_OUTPUT"
-          else
-            # Using native OIDC from GitHub Actions
-            printf '%s\n' 'identity-token-args=' >> "$GITHUB_OUTPUT"
-            printf '%s\n' "cert-identity=${SERVER_URL}/${REPOSITORY}/.github/workflows/${WORKFLOW_NAME}.yml@${REF}" >> "$GITHUB_OUTPUT"
-          fi
+          TOKEN=$(cat ./oidc-token.txt)
+          printf '%s\n' "identity-token-args=--identity-token ${TOKEN}" >> "$GITHUB_OUTPUT"
+          printf '%s\n' 'cert-identity=https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/beacon.yml@refs/heads/main' >> "$GITHUB_OUTPUT"
