
Releases: testifysec/act

v0.2.82-oidc - OIDC ID Token Support

21 Oct 01:37
53118c0


OIDC ID Token Support for Act

This release adds GitHub Actions OIDC ID token support to enable keyless authentication for supply chain security tools like SIGSTORE and Witness.

What's New

OIDC Token Generation

  • In-Process OIDC Server: Integrated OIDC endpoints into artifacts server
  • 31 GitHub-Compliant Claims: Tokens match GitHub's official OIDC schema exactly
  • RS256 Signing: Industry-standard RSA signatures with JWKS endpoint
  • Custom Audiences: Support for sigstore, vault, AWS, and other OIDC consumers

Features

  • ✅ POST /token - Issue OIDC ID tokens
  • ✅ GET /.well-known/jwks - Serve public keys for token verification
  • ✅ Environment variables: ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN
  • ✅ Automatic token generation with GitHub context
  • ✅ 100% backward compatible - no breaking changes
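The issue-and-verify flow that the two endpoints above imply, as an added example in Go that is not act's own code: an in-memory RS256 signer stands in for POST /token and a JWKS renderer for GET /.well-known/jwks (assumed shapes following RFC 7517/7519, not act's source), and VerifyToken shows what a consumer such as cosign or Vault must check before trusting a token: alg pinned to RS256, key selected by kid, signature, issuer, audience and expiry. Claim names follow the GitHub schema; only a few of the 31 are used, and the issuer URL is the one from the workflow example below.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWK segments are base64url without padding
func dec(s string) []byte    { b, _ := b64.DecodeString(s); return b }
func toJSON(v any) []byte    { b, _ := json.Marshal(v); return b }
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
func MintToken(key *rsa.PrivateKey, kid string, claims map[string]any) string { // stand-in for act's POST /token
	signing := b64.EncodeToString(toJSON(map[string]string{"alg": "RS256", "kid": kid})) + "." + b64.EncodeToString(toJSON(claims))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signing))
	return signing + "." + b64.EncodeToString(sig)
}
func JWKS(pub *rsa.PublicKey, kid string) []byte { // what GET /.well-known/jwks serves (RFC 7517 "n" and "e")
	return toJSON(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
}
func VerifyToken(tok string, jwksJSON []byte, iss, aud string, now int64) (map[string]any, error) { // consumer side
	p := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	var c map[string]any
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &c) != nil ||
		json.Unmarshal(jwksJSON, &set) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or JWKS, or alg is not RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" { // only the key the header names, never the first key blindly
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		}
	}
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), dec(p[2])) != nil {
		return nil, errors.New("no JWKS key for kid or bad signature")
	}
	if exp, _ := c["exp"].(float64); c["iss"] != iss || c["aud"] != aud || now >= int64(exp) {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return c, nil
}
```

VerifyToken takes the current time as Unix seconds so the expiry check is deterministic; claims are returned only after every check has passed.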

Use Cases

  • SIGSTORE: Keyless code signing and verification
  • Witness: In-toto attestation framework
  • HashiCorp Vault: Secret management
  • AWS: Federated authentication

Testing

All tests passing:

  • 8 unit tests for OIDC token generation
  • 6 integration tests for HTTP endpoints
  • End-to-end workflow validation

Example Usage

```yaml
name: Sign with SIGSTORE
on: push
jobs:
  sign:
    runs-on: ubuntu-latest  # required by the workflow schema; not in the original snippet
    permissions:
      id-token: write
    steps:
      - name: Sign artifact
        run: |
          cosign sign-blob artifact.txt \
            --oidc-issuer=https://token.actions.githubusercontent.com \
            --oidc-client-id=sigstore
```

Changes

See PR #1 for full implementation details.


🤖 Generated with Claude Code