feat(): add support for github provided jwt auth (#257)

* fix: update `privateKeyRaw` condition * fix: add `contents: read` permission * fix: get token via `@actions/core` - Update README - Switch to use `getIDToken` method for Github token retrieval - Bump `@actions/core` to 1.6.0 - Add `jwtGithubAudience` input - Remove unnecessary code * fix: add description for `jwtGithubAudience` * fix: move default value for `jwtGithubAudience` to `action.yml` * docs: fix typo in README & grammar * test: add tests * fix: reset `dist/index.js` * fix: remove default value for `jwtGithubAudience` from `action.yml` * fix: reset `dist/index.js` * fix: reset `dist/index.js`
2026-04-17 17:25:44 +00:00 · 2021-10-08 12:46:21 -04:00 · 2021-10-08 12:46:21 -04:00 · c502100fbe
commit c502100fbe
parent b8c90c7243
7 changed files with 34680 additions and 14979 deletions
--- a/README.md
+++ b/README.md
@ -86,7 +86,28 @@ with:
  githubToken: ${{ secrets.MY_GITHUB_TOKEN }}
  caCertificate: ${{ secrets.VAULTCA }}
 ```
+- **jwt**: (Github OIDC) you must provide a `role` parameter, additionally you can pass `jwtGithubAudience` parameter.
+
+```yaml
+...
+with:
+  url: https://vault.mycompany.com:8200
+  method: jwt
+  role: github-action
+```
+
+**Notice:** For Github provided OIDC token to work, the workflow should have `id-token: write` & `contents: read` specified in the `permissions` section of the workflow
+
+```yaml
+...
+permissions:
+  id-token: write
+  contents: read
+...
+```
+
 - **jwt**: you must provide a `role` & `jwtPrivateKey` parameters, additionally you can pass `jwtKeyPassword` & `jwtTtl` parameters
+
 ```yaml
 ...
 with:
@ -278,6 +299,7 @@ Here are all the inputs available through `with`:
 | `githubToken`       | The Github Token to be used to authenticate with Vault                                                                                               |         |          |
 | `jwtPrivateKey`     | Base64 encoded Private key to sign JWT                                                                                                               |         |          |
 | `jwtKeyPassword`    | Password for key stored in jwtPrivateKey (if needed)                                                                                                 |         |          |
+| `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for                                                                                   |`sigstore`|          |
 | `jwtTtl`            | Time in seconds, after which token expires                                                                                                           |         | 3600     |
 | `kubernetesTokenPath`         | The path to the service-account secret with the jwt token for kubernetes based authentication                                                                                               |`/var/run/secrets/kubernetes.io/serviceaccount/token`         |          |
 | `authPayload`       | The JSON payload to be sent to Vault when using a custom authentication method.                                                                      |         |          |