Example CI job for GitHub Actions OIDC authenticated notary

pdxjohnny · pdxjohnny · commit 975efb0bbd61 · 2023-09-12T21:00:11.000Z
Token is not available within pull_request context. Related: slsa-framework/slsa-github-generator#131 Related: slsa-framework/slsa-github-generator#358 Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
diff --git a/.github/workflows/notarize.yml b/.github/workflows/notarize.yml
@@ -0,0 +1,84 @@
+name: "SCITT Notary"
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+    inputs:
+      scitt-url:
+        description: 'URL of SCITT instance'
+        type: string
+      payload:
+        description: 'Payload for claim'
+        default: ''
+        type: string
+  workflow_call:
+    inputs:
+      scitt-url:
+        description: 'URL of SCITT instance'
+        type: string
+      payload:
+        description: 'Payload for claim'
+        type: string
+
+jobs:
+  notarize:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    env:
+      SCITT_URL: '${{ inputs.scitt-url || github.event.inputs.scitt-url }}'
+      PAYLOAD: '${{ inputs.payload || github.event.inputs.payload }}'
+    steps:
+      - name: Set defaults if env vars not set (as happens with on.push trigger)
+        run: |
+          if [[ "x${SCITT_URL}" = "x" ]]; then
+            echo "SCITT_URL=http://localhost:8080" >> "${GITHUB_ENV}"
+          fi
+          if [[ "x${PAYLOAD}" = "x" ]]; then
+            echo 'PAYLOAD={"key": "value"}' >> "${GITHUB_ENV}"
+          fi
+      - uses: actions/checkout@v4
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.8
+      - name: Install SCITT API Emulator
+        run: |
+          pip install -U pip setuptools wheel
+          pip install .[oidc]
+      - name: Install github-script dependencies
+        run: |
+          npm install @actions/core
+      - name: Get OIDC token to use as bearer token for auth to SCITT
+        uses: actions/github-script@v6
+        id: github-oidc
+        with:
+          script: |
+            const {SCITT_URL} = process.env;
+            core.setOutput('token', await core.getIDToken(SCITT_URL));
+      - name: Create claim
+        run: |
+          scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload "${PAYLOAD}" --out claim.cose
+      - name: Submit claim
+        env:
+          OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
+        run: |
+          # Create the middleware config file
+          cat > oidc-middleware-config.json <<EOF
+          {
+              "issuer": "https://token.actions.githubusercontent.com",
+              "audience": "${SCITT_URL}"
+          }
+          EOF
+          # Start SCITT using the `OIDCAuthMiddleware` and associated config.
+          if [[ "x${SCITT_URL}" = "xhttp://localhost:8080" ]]; then
+            scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
+              --middleware scitt_emulator.oidc:OIDCAuthMiddleware \
+              --middleware-config-path oidc-middleware-config.json &
+          fi
+          # Submit the claim using OIDC token as auth
+          scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor
