[log] oidc: add debug logging to provider.go#4246
Merged
Conversation
Add logOIDC debug logging calls to improve traceability for OIDC token lifecycle operations: - NewProvider: log provider creation with requestURL and token presence - fetchToken: log HTTP response status and body length after each request - extractJWTExpiry: log JWT parsing entry with part/payload counts, and log the parsed exp claim and resolved expiry timestamp on success The extractJWTExpiry function previously had no debug visibility; these additions make it easier to diagnose JWT parsing failures and token expiry edge cases during development and troubleshooting. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds additional debug logging to the OIDC provider implementation to improve traceability around provider initialization, token HTTP responses, and JWT expiry parsing.
Changes:
- Log provider construction inputs (request URL + whether a token is present).
- Log token HTTP response metadata (status code and response body length).
- Log JWT expiry parsing entry/exit (payload sizing and parsed expiry time).
Show a summary per file
| File | Description |
|---|---|
| internal/oidc/provider.go | Adds new logOIDC.Printf calls around provider initialization, token fetch response handling, and JWT expiry extraction to aid debugging. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
| // These values come from the ACTIONS_ID_TOKEN_REQUEST_URL and | ||
| // ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables respectively. | ||
| func NewProvider(requestURL, requestToken string) *Provider { | ||
| logOIDC.Printf("Creating OIDC provider: requestURL=%s, hasToken=%v", requestURL, requestToken != "") |
There was a problem hiding this comment.
Logging the raw requestURL can leak potentially sensitive environment-provided data (e.g., internal hostnames or query parameters) and is inconsistent with the repo’s guidance to sanitize/truncate env values before logging. Consider logging only that the URL is set (and maybe its host/path), or pass it through sanitize.SanitizeString/sanitize.TruncateSecret before printing.
Suggested change
| logOIDC.Printf("Creating OIDC provider: requestURL=%s, hasToken=%v", requestURL, requestToken != "") | |
| requestURLLogValue := "set=false" | |
| if requestURL != "" { | |
| requestURLLogValue = "set=true" | |
| if parsedURL, err := url.Parse(requestURL); err == nil { | |
| requestURLLogValue = fmt.Sprintf( | |
| "set=true, scheme=%s, host=%s, path=%s", | |
| parsedURL.Scheme, | |
| parsedURL.Host, | |
| parsedURL.Path, | |
| ) | |
| } | |
| } | |
| logOIDC.Printf("Creating OIDC provider: requestURL={%s}, hasToken=%v", requestURLLogValue, requestToken != "") |
This was referenced Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds
logOIDCdebug logging calls tointernal/oidc/provider.goto improve traceability for OIDC token lifecycle operations.Changes
File modified:
internal/oidc/provider.go(4 new log calls)NewProviderlogOIDC.Printf("Creating OIDC provider: requestURL=%s, hasToken=%v", ...)fetchTokenlogOIDC.Printf("OIDC token HTTP response: status=%d, bodyLen=%d", ...)extractJWTExpirylogOIDC.Printf("Parsing JWT expiry: partCount=%d, payloadLen=%d", ...)extractJWTExpirylogOIDC.Printf("JWT expiry parsed: exp=%d, expiresAt=%s", ...)The
extractJWTExpiryfunction previously had zero debug visibility — these additions make it much easier to diagnose JWT parsing failures and token expiry edge cases.Existing logger reused
The file already declares
var logOIDC = logger.New("oidc:provider")— no new logger was added.Enable with:
DEBUG=oidc:* ./awmg --config config.tomlValidation
go build ./...✅go vet ./...✅go test ./internal/oidc/...✅ (all 10 tests pass)go test ./internal/...✅ (one pre-existing unrelated failure ininternal/config)Warning
The following domain was blocked by the firewall during workflow execution:
invalidhostthatdoesnotexist12345.comTo allow these domains, add them to the
network.allowedlist in your workflow frontmatter:See Network Configuration for more information.