diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..1f4cac1
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,11 @@
+.devcontainer/
+.github/
+.git/
+script/
+action.yml
+Dockerfile
+LICENSE
+README.md
+tmp/
+.vscode/
+docs/
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d1c99de..697b191 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,5 +15,12 @@ jobs:
 steps:
 - name: git checkout
 uses: actions/checkout@v4
+
+ - name: setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ cache: true
+
 - name: run oidc-debug.go
 run: go run cmd/oidc-debug.go -audience "https://github.com/github"
diff --git a/.go-version b/.go-version
new file mode 100644
index 0000000..2f4320f
--- /dev/null
+++ b/.go-version
@@ -0,0 +1 @@
+1.24.4
diff --git a/Dockerfile b/Dockerfile
index f8d0369..430f3dd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,8 @@
-FROM alpine:latest
-RUN apk add --no-cache go
+FROM alpine:3.22.0@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715
+
+COPY .go-version .go-version
+
+RUN apk add --no-cache go=$(cat .go-version)-r0
 COPY . .
diff --git a/README.md b/README.md
index 0d81570..de2f117 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,14 @@ This action requests a JWT and prints the claims included within the JWT receive
 ## How to use this Action
-Here's an example of how to use that action:
+Here's an example of how to use this action:
 ```yaml
-on: [pull_request]
+name: Test Debugger Action
+on:
+ pull_request:
+ workflow_dispatch:
 jobs:
 oidc_debug_test:
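Review bot: The new `uses: actions/setup-go@v5` step pins the action to a mutable major tag, so what runs in this workflow can change without any commit here; for a tool whose whole purpose is showing OIDC trust claims, pinning to a full commit SHA with the version in a trailing comment (`uses: actions/setup-go@<commit-sha> # v5`) is the safer convention, and the existing `actions/checkout@v4` line would benefit from the same treatment. A smaller point: `go-version-file: 'go.mod'` resolves Go from the `go 1.24` directive, while the Dockerfile in this same commit installs the exact `1.24.4` from `.go-version`, so CI and the action image can drift onto different patch releases. If setup-go accepts a plain version file here, `go-version-file: '.go-version'` keeps the two in step.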
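Review bot: `RUN apk add --no-cache go=$(cat .go-version)-r0` pins the package, but the apk index it resolves against is fetched live at build time while only the base image is digest-pinned, so the build is expected to break as soon as the Alpine 3.22 repository replaces `go` 1.24.4-r0 with a newer build (the stable branch normally carries a single build per package), and the hardcoded `-r0` additionally assumes the Alpine package revision always matches the upstream Go release. That is acceptable if a failing build is the intended signal to bump `.go-version`, but a comment above the `RUN` should say so; otherwise a digest-pinned `golang:1.24.4-alpine` base would remove both the live apk dependency and the `.go-version` coupling in one step. Note also that with no `WORKDIR` the added `COPY .go-version .go-version` and the existing `COPY . .` land in `/`; if the Dockerfile continues past this hunk I cannot see whether a `USER` is set before the entrypoint.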
@@ -23,3 +26,58 @@ jobs:
 with:
 audience: '${{ github.server_url }}/${{ github.repository_owner }}'
 ```
+
+The resulting output in your Actions log will look something like this:
+
+```json
+{
+ "actor": "GrantBirki",
+ "actor_id": "23362539",
+ "aud": "https://github.com/github",
+ "base_ref": "main",
+ "enterprise": "github",
+ "enterprise_id": "11468",
+ "event_name": "pull_request",
+ "exp": 1751581975,
+ "head_ref": "release-setup",
+ "iat": 1751560375,
+ "iss": "https://token.actions.githubusercontent.com",
+ "job_workflow_ref": "github/actions-oidc-debugger/.github/workflows/action-test.yml@refs/pull/27/merge",
+ "job_workflow_sha": "7f93a73b8273af5d35fcd70661704c1cadc57054",
+ "jti": "4a576b35-ff09-41c5-af2c-ca62dd89b76a",
+ "nbf": 1751560075,
+ "ref": "refs/pull/27/merge",
+ "ref_protected": "false",
+ "ref_type": "branch",
+ "repository": "github/actions-oidc-debugger",
+ "repository_id": "487920697",
+ "repository_owner": "github",
+ "repository_owner_id": "9919",
+ "repository_visibility": "public",
+ "run_attempt": "1",
+ "run_id": "16055869479",
+ "run_number": "33",
+ "runner_environment": "github-hosted",
+ "sha": "7f93a73b8273af5d35fcd70661704c1cadc57054",
+ "sub": "repo:github/actions-oidc-debugger:pull_request",
+ "workflow": "Test Debugger Action",
+ "workflow_ref": "github/actions-oidc-debugger/.github/workflows/action-test.yml@refs/pull/27/merge",
+ "workflow_sha": "7f93a73b8273af5d35fcd70661704c1cadc57054"
+}
+```
+
+## Maintainers
+
+Here is the general flow for developing this Action and releasing a new version:
+
+### Bootstrapping
+
+This assumes you have `goenv` installed and the version listed in the `.go-version` file is installed as well.
+
+```bash
+go mod vendor && go mod tidy && go mod verify
+```
+
+### Releasing
+
+Please run `script/release` and publish a new release on GitHub from the resulting tag.
diff --git a/action.yml b/action.yml
index 447267b..2e05c70 100644
--- a/action.yml
+++ b/action.yml
@@ -1,5 +1,8 @@
 name: 'OIDC Debugger'
 description: 'Print the GitHub Actions OIDC claims.'
+branding:
+ icon: 'activity'
+ color: 'red'
 inputs:
 audience:
 description: 'The audience to use when requesting the JWT. Your Github server URL and repository owner (e.g. https://github.com/github).'
diff --git a/go.mod b/go.mod
index d2272be..44a98b0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@
 module github.com/github/actions-oidc-debugger
-go 1.18
+go 1.24
 require github.com/golang-jwt/jwt/v5 v5.2.2
diff --git a/script/release b/script/release
new file mode 100755
index 0000000..6db306c
--- /dev/null
+++ b/script/release
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Usage:
+# script/release
+
+# COLORS
+OFF='\033[0m'
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+
+latest_tag=$(git describe --tags $(git rev-list --tags --max-count=1))
+echo -e "The latest release tag is: ${BLUE}${latest_tag}${OFF}"
+read -p 'New Release Tag (vX.X.X format): ' new_tag
+
+# Updated regex to allow one or more digits in each segment
+tag_regex='^v[0-9]+\.[0-9]+\.[0-9]+$'
+echo "$new_tag" | grep -E -q $tag_regex
+
+if [[ $? -ne 0 ]]; then
+ echo -e "${RED}ERROR${OFF} - Tag: $new_tag is not valid. Please use vX.X.X format."
+ exit 1
+fi
+
+git tag -a $new_tag -m "$new_tag Release"
+
+echo -e "${GREEN}OK${OFF} - Tagged: $new_tag"
+
+git push --tags
+
+echo -e "${GREEN}OK${OFF} - Tags pushed to remote!"
+echo -e "${GREEN}DONE${OFF}"
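Review bot: `git tag -a $new_tag -m "$new_tag Release"` has its exit status ignored, so when tagging fails (for example because the tag already exists) the script still prints `OK - Tagged`, runs `git push --tags` and reports `DONE`; there is no `set -e`, and the `$?` test after the `grep` pipeline is the only error handling in the file. `git push --tags` also publishes every local tag rather than the one just created, so a stray or experimental local tag silently becomes a release tag on the remote — for the script the README now designates for cutting releases, that is the line I would change first, to `git push origin "$new_tag"`. Adding `set -euo pipefail` means the `grep -q` validation has to move into an `if !` so an invalid tag still gets the friendly message instead of an abort, and `git describe` on a clone with no tags would then also abort up front, which seems acceptable but is worth knowing. The rewritten lines follow; the colour definitions, prompt and final echo lines are unchanged.

```bash
#!/bin/bash
set -euo pipefail

# … unchanged: usage comment, colour definitions, latest_tag lookup, read prompt …

tag_regex='^v[0-9]+\.[0-9]+\.[0-9]+$'
if ! echo "$new_tag" | grep -E -q "$tag_regex"; then
  echo -e "${RED}ERROR${OFF} - Tag: $new_tag is not valid. Please use vX.X.X format."
  exit 1
fi

git tag -a "$new_tag" -m "$new_tag Release"
echo -e "${GREEN}OK${OFF} - Tagged: $new_tag"

# push only the tag just created, never every local tag
git push origin "$new_tag"

# … unchanged: final echo lines …
```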