Default audience to the WIF provider ID (#23)

2021-10-04 12:14:08 -04:00 · 2021-10-04 12:14:08 -04:00 · f3c3e206c9
commit f3c3e206c9
parent 02f3d58995
4 changed files with 22 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -79,9 +79,9 @@ See [Examples](#examples) for more examples.
    ```

 -   `audience`: (Optional) The value for the audience (`aud`) parameter in the
-    generated GitHub Actions OIDC token. At present, the only valid value is
-    `"sigstore"`, but this variable exists in case custom values are permitted
-    in the future. The default value is `"sigstore"`.
+    generated GitHub Actions OIDC token. This value defaults to the value of
+    `workload_identity_provider`, which is also the default value Google Cloud
+    expects for the audience parameter on the token.

 -   `create_credentials_file`: (Optional) If true, the action will securely
     generate a credentials file which can be used for authentication via gcloud
@ -331,23 +331,20 @@ the [gcloud][gcloud] command-line tool.
      --workload-identity-pool="my-pool" \
      --display-name="Demo provider" \
      --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
-      --issuer-uri="https://vstoken.actions.githubusercontent.com" \
-      --allowed-audiences="sigstore"
+      --issuer-uri="https://vstoken.actions.githubusercontent.com"
    ```

-    -   The audience of "sigstore" is currently the only value GitHub allows.
-    -   The attribute mappings map claims in the GitHub Actions JWT to
-        assertions you can make about the request (like the repository or GitHub
-        username of the principal invoking the GitHub Action). These can be used
-        to further restrict the authentication using `--attribute-condition`
-        flags.
+    The attribute mappings map claims in the GitHub Actions JWT to assertions
+    you can make about the request (like the repository or GitHub username of
+    the principal invoking the GitHub Action). These can be used to further
+    restrict the authentication using `--attribute-condition` flags.

-        For example, you can map the attribute repository values (which can be
-        used later to restrict the authentication to specific repositories):
+    For example, you can map the attribute repository values (which can be used
+    later to restrict the authentication to specific repositories):

-        ```sh
-        --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"
-        ```
+    ```sh
+    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"
+    ```

 1.  Allow authentications from the Workload Identity Provider to impersonate the
    Service Account created above:
@ -389,7 +386,7 @@ Here is a sample GitHub Token for reference for attribute mappings:
 {
  "jti": "...",
  "sub": "repo:username/reponame:ref:refs/heads/master",
-  "aud": "sigstore",
+  "aud": "https://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
  "ref": "refs/heads/master",
  "sha": "d11880f4f451ee35192135525dc974c56a3c1b28",
  "repository": "username/reponame",
--- a/action.yml
+++ b/action.yml
@ -34,9 +34,10 @@ inputs:
  audience:
    description: |-
      The value for the audience (aud) parameter in GitHub's generated OIDC
-      token. At present, the only valid value is "sigstore", but this variable
-      exists in case custom values are permitted in the future.
-    default: 'sigstore'
+      token. This value defaults to the value of workload_identity_provider,
+      which is also the default value Google Cloud expects for the audience
+      parameter on the token.
+    default: ''
    required: false
  create_credentials_file:
    description: |-
--- a/dist/index.js
+++ b/dist/index.js
@ -91,6 +91,7 @@ function toCommandProperties(annotationProperties) {
    }
    return {
        title: annotationProperties.title,
+        file: annotationProperties.file,
        line: annotationProperties.startLine,
        endLine: annotationProperties.endLine,
        col: annotationProperties.startColumn,
@ -225,7 +226,7 @@ function run() {
                required: true,
            });
            const serviceAccount = core.getInput('service_account', { required: true });
-            const audience = core.getInput('audience');
+            const audience = core.getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
            const createCredentialsFile = core.getBooleanInput('create_credentials_file');
            const activateCredentialsFile = core.getBooleanInput('activate_credentials_file');
            const tokenFormat = core.getInput('token_format');
--- a/src/main.ts
+++ b/src/main.ts
@ -35,7 +35,8 @@ async function run(): Promise<void> {
      required: true,
    });
    const serviceAccount = core.getInput('service_account', { required: true });
-    const audience = core.getInput('audience');
+    const audience =
+      core.getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
    const createCredentialsFile = core.getBooleanInput('create_credentials_file');
    const activateCredentialsFile = core.getBooleanInput('activate_credentials_file');
    const tokenFormat = core.getInput('token_format');