My Octo STS playground.
This uses the Octo STS GitHub App and the octo-sts/action GitHub Action to request a token for accessing the rgl-example/github-octo-sts-example repository.
1. Install the Octo STS GitHub App in your target GitHub Organization.
2. Modify your GitHub Actions Workflow to use the octo-sts/action to create a token for a target repository, like in the test workflow.
3. Use the created token to access the target repository.
- The Octo STS GitHub App service is hosted at https://octo-sts.dev.
  - It is currently hosted in GCP in the `us-central1` region of the USA.
    - That is defined in the Octo STS infrastructure code.
- The Octo STS GitHub App creates a GitHub Token from a GitHub Actions Workflow OIDC ID Token and a security policy stored in a `.sts.yaml` file inside the target repository, e.g., at rgl-example/github-octo-sts-example/.github/chainguard/playground.sts.yaml.
  - The security policy can use some of the OIDC ID Token claims, e.g., `sub` (aka `subject`), which contains the repository name and git ref, something like `repo:rgl/github-octo-sts-playground:ref:refs/heads/main`.
    - You can see a full example of a GitHub Actions Workflow ID Token JWT at https://github.com/rgl/github-actions-validate-jwt.
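As an added example (not the policy actually stored in the rgl-example/github-octo-sts-example repository), here is a `playground.sts.yaml` that pins the `sub` claim described above to one branch and grants the resulting token only read access to repository contents. The `issuer`, `subject` and `permissions` keys are the Octo STS policy keys as I know them; the file path follows the one given above.

```yaml
# .github/chainguard/playground.sts.yaml inside rgl-example/github-octo-sts-example
# (added example; the real policy in that repository may differ)

# only accept ID Tokens minted by GitHub Actions.
issuer: https://token.actions.githubusercontent.com

# exact match on the ID Token's sub claim: only workflow runs on the main
# branch of rgl/github-octo-sts-playground can obtain a token. A run
# triggered by a pull request carries a sub of the form
# repo:<owner>/<repo>:pull_request, so it does not match this policy and
# is refused, which keeps fork PRs from borrowing the token.
subject: repo:rgl/github-octo-sts-playground:ref:refs/heads/main

# least privilege: the installation access token carries only these
# permissions, regardless of what the GitHub App installation allows.
permissions:
  contents: read
```

Keep the `subject` as narrow as the workflow actually needs; a policy that matches every ref of the caller repository also matches runs of unreviewed branches, and the token it issues has exactly the `permissions` listed, so list only the ones the job uses.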
- The created GitHub Token is an Octo STS GitHub App installation access token.
  - The access token can be used to access the GitHub REST/HTTP API, and also the Git HTTP API.
    - You can configure the git credentials like the actions/checkout action does, in the `.git/config` file, as the `Authorization` HTTP header:
      ```
      [http "https://github.com/"]
          extraheader = AUTHORIZATION: basic <base64(x-access-token:<GITHUB_TOKEN>)>
      ```
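The three steps at the top of this page and the git credential configuration just described, as one added example workflow (it is not the test workflow of this repository). The `scope`/`identity` inputs and the `token` output are the octo-sts/action interface as I know it; the action version tag, the workflow file name and the job layout are assumptions.

```yaml
# .github/workflows/octo-sts-example.yml (added example, not this repository's own workflow)
name: octo-sts-example
on:
  push:
    branches: [main]
jobs:
  access-target-repo:
    runs-on: ubuntu-latest
    permissions:
      # required so the job can request the GitHub Actions OIDC ID Token
      # that Octo STS exchanges for an installation access token.
      id-token: write
      # this job never touches its own repository, so it gets no token for it.
      contents: none
    steps:
      - name: Request a token from Octo STS
        id: octo-sts
        # version tag assumed; pin it to a release tag or commit SHA.
        uses: octo-sts/action@v1.0.0
        with:
          # target repository; Octo STS reads the policy from
          # .github/chainguard/<identity>.sts.yaml inside it.
          scope: rgl-example/github-octo-sts-example
          identity: playground
      - name: Use the token with the GitHub REST API
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: gh api repos/rgl-example/github-octo-sts-example --jq .full_name
      - name: Use the token with the Git HTTP API
        env:
          OCTO_STS_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: |
          set -euo pipefail
          # same header shape actions/checkout writes into .git/config:
          # basic auth with user x-access-token and the token as password.
          auth="$(printf 'x-access-token:%s' "$OCTO_STS_TOKEN" | base64 | tr -d '\n')"
          # -c scopes the header to this one git command, so the token is
          # never persisted in a config file on the runner.
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic $auth" \
            clone --depth 1 https://github.com/rgl-example/github-octo-sts-example.git target
          git -C target log --oneline -1
```

If the job needs several git operations against the target repository, setting `http.https://github.com/.extraheader` with `git config --local` inside the clone (which is what produces the `.git/config` entry shown above) is the alternative; in that case remove the entry with `git config --local --unset-all http.https://github.com/.extraheader` once the job is done with it, since anything left in `.git/config` is readable by later steps and by anything that archives the checkout.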