fix(signing): explicitly fetch GitHub OIDC token for Sigstore #252
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sigstore-go does not automatically fetch GitHub OIDC tokens from environment variables. This commit adds explicit token fetching logic to resolve signing failures in GitHub Actions. Changes: - Add fetchGitHubOIDCToken() to fetch token from GitHub OIDC endpoint - Update signProvenanceWithSigstore() to use fetched token explicitly - Add comprehensive unit tests for token fetching with error scenarios - Use context-aware HTTP requests with 30s timeout Fixes signing failures where Sigstore expected an explicit IDToken instead of auto-discovering from ACTIONS_ID_TOKEN_REQUEST_* env vars. Co-authored-by: Ona <no-reply@ona.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fixes Sigstore signing failure caused by missing OIDC token provisioning.
Fixes Sigstore signing failure caused by missing OIDC token provisioning.
Problem: The
sigstore-golibrary requires an explicit JWT token inCertificateProviderOptions.IDToken, but Leeway was passing an empty struct, assuming the library would auto-fetch from GitHub Actions environment variables.Solution: Implemented
fetchGitHubOIDCToken()to explicitly retrieve the OIDC token from GitHub Actions using theACTIONS_ID_TOKEN_REQUEST_TOKENandACTIONS_ID_TOKEN_REQUEST_URLenvironment variables withaudience=sigstore.Changes:
fetchGitHubOIDCToken()function to fetch JWT from GitHub OIDC providersignSLSAAttestation()to call token fetching before Fulcio certificate requestRelated Issue(s)
Fixes https://linear.app/ona-team/issue/CLC-1959/create-leeway-signing-command
How to test
go test -v ./pkg/leeway/signing/... -run TestFetchGitHubOIDCTokenDocumentation
No - Internal Leeway implementation fix, no user-facing documentation changes required.