🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories #563
Status: Open. Copilot wants to merge 4 commits into main from copilot/add-oidc-subject-claim-customization (+690 −0).
Commits (4):
- 8d1b1d9 Initial plan (Copilot)
- 5484bfe Add OIDC subject claim customization support for organizations and re… (Copilot)
- 7f5c856 🩹 [Patch]: Update OIDC subject claim documentation links for consistency (MariusStorhaug)
- 78af530 🩹 [Patch]: Refactor OIDC tests to improve context handling and reposi… (MariusStorhaug)

Changes from all commits:
src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForOrganization.ps1 (55 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| function Get-GitHubOidcSubjectClaimForOrganization { | ||
| <# | ||
| .SYNOPSIS | ||
| Get the customization template for an OIDC subject claim for an organization | ||
|
|
||
| .DESCRIPTION | ||
| Gets the customization template for an OpenID Connect (OIDC) subject claim for an organization. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Get-GitHubOidcSubjectClaimForOrganization -Organization 'PSModule' -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Gets the OIDC subject claim customization template for the 'PSModule' organization. | ||
|
|
||
| .NOTES | ||
| [Get the customization template for an OIDC subject claim for an organization] | ||
| (https://docs.github.com/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-an-organization) | ||
| #> | ||
| [OutputType([pscustomobject])] | ||
| [CmdletBinding()] | ||
| param( | ||
| # The organization name. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Organization, | ||
|
|
||
| # The context to run the command in. Used to get the details for the API call. | ||
| # Can be either a string or a GitHubContext object. | ||
| [Parameter(Mandatory)] | ||
| [object] $Context | ||
| ) | ||
|
|
||
| begin { | ||
| $stackPath = Get-PSCallStackPath | ||
| Write-Debug "[$stackPath] - Start" | ||
| Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT | ||
| # Required permissions: Administration org (read) or read:org | ||
| } | ||
|
|
||
| process { | ||
| $apiParams = @{ | ||
| Method = 'GET' | ||
| APIEndpoint = "/orgs/$Organization/actions/oidc/customization/sub" | ||
| Context = $Context | ||
| } | ||
|
|
||
| Invoke-GitHubAPI @apiParams | ForEach-Object { | ||
| Write-Output $_.Response | ||
| } | ||
| } | ||
|
|
||
| end { | ||
| Write-Debug "[$stackPath] - End" | ||
| } | ||
| } |
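Review bot: the permission requirement at `# Required permissions: Administration org (read) or read:org` lives only as a comment inside `begin`, so it never reaches `Get-Help`; move it into the `.NOTES` block next to the docs link so callers can see which token scope the IAT/PAT/UAT they pass must carry. Separately, `$Organization` is interpolated unescaped into `APIEndpoint = "/orgs/$Organization/actions/oidc/customization/sub"`; unless `Invoke-GitHubAPI` escapes path segments, a value containing `/` or `?` rewrites the request path, so either add `[ValidatePattern]` on the parameter or pass it through `[Uri]::EscapeDataString` here.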
src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForRepository.ps1 (59 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| function Get-GitHubOidcSubjectClaimForRepository { | ||
| <# | ||
| .SYNOPSIS | ||
| Get the customization template for an OIDC subject claim for a repository | ||
|
|
||
| .DESCRIPTION | ||
| Gets the customization template for an OpenID Connect (OIDC) subject claim for a repository. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Get-GitHubOidcSubjectClaimForRepository -Owner 'PSModule' -Repository 'GitHub' -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Gets the OIDC subject claim customization template for the 'GitHub' repository. | ||
|
|
||
| .NOTES | ||
| [Get the customization template for an OIDC subject claim for a repository] | ||
| (https://docs.github.com/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-a-repository) | ||
| #> | ||
| [OutputType([pscustomobject])] | ||
| [CmdletBinding()] | ||
| param( | ||
| # The account owner of the repository. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Owner, | ||
|
|
||
| # The name of the repository without the .git extension. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Repository, | ||
|
|
||
| # The context to run the command in. Used to get the details for the API call. | ||
| # Can be either a string or a GitHubContext object. | ||
| [Parameter(Mandatory)] | ||
| [object] $Context | ||
| ) | ||
|
|
||
| begin { | ||
| $stackPath = Get-PSCallStackPath | ||
| Write-Debug "[$stackPath] - Start" | ||
| Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT | ||
| # Required permissions: Actions repo (read) or repo | ||
| } | ||
|
|
||
| process { | ||
| $apiParams = @{ | ||
| Method = 'GET' | ||
| APIEndpoint = "/repos/$Owner/$Repository/actions/oidc/customization/sub" | ||
| Context = $Context | ||
| } | ||
|
|
||
| Invoke-GitHubAPI @apiParams | ForEach-Object { | ||
| Write-Output $_.Response | ||
| } | ||
| } | ||
|
|
||
| end { | ||
| Write-Debug "[$stackPath] - End" | ||
| } | ||
| } |
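Review bot: the `.EXAMPLE` description `Gets the OIDC subject claim customization template for the 'GitHub' repository.` drops the owner; say 'PSModule/GitHub' so the text matches the call above it, since the same repository name under a different owner is a different trust boundary. As with the organization variant, `$Owner` and `$Repository` go unescaped into `"/repos/$Owner/$Repository/actions/oidc/customization/sub"`, and the `# Required permissions: Actions repo (read) or repo` comment in `begin` should be surfaced in `.NOTES` where `Get-Help` shows it.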
src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForOrganization.ps1 (64 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| function Set-GitHubOidcSubjectClaimForOrganization { | ||
| <# | ||
| .SYNOPSIS | ||
| Set the customization template for an OIDC subject claim for an organization | ||
|
|
||
| .DESCRIPTION | ||
| Creates or updates the customization template for an OpenID Connect (OIDC) subject claim for an organization. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Set-GitHubOidcSubjectClaimForOrganization -Organization 'PSModule' -IncludeClaimKeys @('repo', 'context') -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Sets the OIDC subject claim customization template for the 'PSModule' organization. | ||
|
|
||
| .NOTES | ||
| [Set the customization template for an OIDC subject claim for an organization] | ||
| (https://docs.github.com/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-an-organization) | ||
| #> | ||
| [OutputType([void])] | ||
| [CmdletBinding(SupportsShouldProcess)] | ||
| param( | ||
| # The organization name. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Organization, | ||
|
|
||
| # Array of unique strings. Each claim key can only contain alphanumeric characters and underscores. | ||
| [Parameter(Mandatory)] | ||
| [string[]] $IncludeClaimKeys, | ||
|
|
||
| # The context to run the command in. Used to get the details for the API call. | ||
| # Can be either a string or a GitHubContext object. | ||
| [Parameter(Mandatory)] | ||
| [object] $Context | ||
| ) | ||
|
|
||
| begin { | ||
| $stackPath = Get-PSCallStackPath | ||
| Write-Debug "[$stackPath] - Start" | ||
| Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT | ||
| # Required permissions: Administration org (write) or write:org | ||
| } | ||
|
|
||
| process { | ||
| $body = @{ | ||
| include_claim_keys = $IncludeClaimKeys | ||
| } | ||
|
|
||
| $apiParams = @{ | ||
| Method = 'PUT' | ||
| APIEndpoint = "/orgs/$Organization/actions/oidc/customization/sub" | ||
| Body = $body | ||
| Context = $Context | ||
| } | ||
|
|
||
| if ($PSCmdlet.ShouldProcess("OIDC subject claim for organization [$Organization]", 'Set')) { | ||
| $null = Invoke-GitHubAPI @apiParams | ||
| } | ||
| } | ||
|
|
||
| end { | ||
| Write-Debug "[$stackPath] - End" | ||
| } | ||
| } |
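Review bot: `$IncludeClaimKeys` is documented as `Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.` but nothing enforces either property; add `[ValidatePattern('^[A-Za-z0-9_]+$')]` to the parameter and build the body from `$IncludeClaimKeys | Select-Object -Unique` so a malformed or duplicated key fails locally instead of as a 4xx from the PUT. Consider `ConfirmImpact = 'High'` on `[CmdletBinding(SupportsShouldProcess)]`: this PUT rewrites the `sub` template for every repository in the organization that uses the default template, and any cloud trust policy that matches on the old subject format stops matching (or, with fewer keys, starts matching more broadly) the moment the call lands.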
src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForRepository.ps1 (82 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| function Set-GitHubOidcSubjectClaimForRepository { | ||
| <# | ||
| .SYNOPSIS | ||
| Set the customization template for an OIDC subject claim for a repository | ||
|
|
||
| .DESCRIPTION | ||
| Creates or updates the customization template for an OpenID Connect (OIDC) subject claim for a repository. | ||
| When UseDefault is true, the include_claim_keys are ignored by the API. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Set-GitHubOidcSubjectClaimForRepository -Owner 'PSModule' -Repository 'GitHub' -IncludeClaimKeys @('repo', 'context') -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Sets the OIDC subject claim customization template for the 'GitHub' repository. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Set-GitHubOidcSubjectClaimForRepository -Owner 'PSModule' -Repository 'GitHub' -UseDefault -IncludeClaimKeys @('repo') -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Resets the OIDC subject claim customization for the 'GitHub' repository to use the default template. | ||
|
|
||
| .NOTES | ||
| [Set the customization template for an OIDC subject claim for a repository] | ||
| (https://docs.github.com/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository) | ||
| #> | ||
| [OutputType([void])] | ||
| [CmdletBinding(SupportsShouldProcess)] | ||
| param( | ||
| # The account owner of the repository. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Owner, | ||
|
|
||
| # The name of the repository without the .git extension. The name is not case sensitive. | ||
| [Parameter(Mandatory)] | ||
| [string] $Repository, | ||
|
|
||
| # Whether to use the default subject claim template. | ||
| # When true, the include_claim_keys are ignored by the API. | ||
| [Parameter(Mandatory)] | ||
| [bool] $UseDefault, | ||
|
|
||
| # Array of unique strings. Each claim key can only contain alphanumeric characters and underscores. | ||
| [Parameter(Mandatory)] | ||
| [string[]] $IncludeClaimKeys, | ||
|
|
||
| # The context to run the command in. Used to get the details for the API call. | ||
| # Can be either a string or a GitHubContext object. | ||
| [Parameter(Mandatory)] | ||
| [object] $Context | ||
| ) | ||
|
|
||
| begin { | ||
| $stackPath = Get-PSCallStackPath | ||
| Write-Debug "[$stackPath] - Start" | ||
| Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT | ||
| # Required permissions: Actions repo (write) or repo | ||
| } | ||
|
|
||
| process { | ||
| $body = @{ | ||
| use_default = $UseDefault | ||
| include_claim_keys = $IncludeClaimKeys | ||
| } | ||
|
|
||
| $apiParams = @{ | ||
| Method = 'PUT' | ||
| APIEndpoint = "/repos/$Owner/$Repository/actions/oidc/customization/sub" | ||
| Body = $body | ||
| Context = $Context | ||
| } | ||
|
|
||
| if ($PSCmdlet.ShouldProcess("OIDC subject claim for repository [$Owner/$Repository]", 'Set')) { | ||
| $null = Invoke-GitHubAPI @apiParams | ||
| } | ||
| } | ||
|
|
||
| end { | ||
| Write-Debug "[$stackPath] - End" | ||
| } | ||
| } |
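Review bot: the second `.EXAMPLE`, `Set-GitHubOidcSubjectClaimForRepository -Owner 'PSModule' -Repository 'GitHub' -UseDefault -IncludeClaimKeys @('repo') -Context $GitHubContext`, does not run as written: `$UseDefault` is declared `[bool]`, not `[switch]`, so a bare `-UseDefault` fails with a missing-argument error. Make it `[switch] $UseDefault` and put it in its own parameter set (for example 'Default' versus 'Custom') so that resetting to the default template does not force the caller to pass throw-away `-IncludeClaimKeys`; in that set the body can send only `use_default = $true`, which matches the `.DESCRIPTION` note that the keys are ignored. `$IncludeClaimKeys` also needs `[ValidatePattern('^[A-Za-z0-9_]+$')]` and de-duplication, since the comment promises unique alphanumeric-plus-underscore keys and nothing checks it.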
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| function Get-GitHubOidcClaim { | ||
| <# | ||
| .SYNOPSIS | ||
| Get the supported OIDC claim keys for a GitHub instance | ||
|
|
||
| .DESCRIPTION | ||
| Retrieves the list of supported OpenID Connect (OIDC) claim keys from the OIDC discovery endpoint | ||
| of a GitHub instance. This endpoint is public and requires no authentication. | ||
|
|
||
| The claim keys returned can be used with Set-GitHubOidcSubjectClaim to customize the OIDC | ||
| subject claim template for organizations and repositories. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Get-GitHubOidcClaim | ||
| ``` | ||
|
|
||
| Gets the supported OIDC claim keys for github.com. | ||
|
|
||
| .EXAMPLE | ||
| ```powershell | ||
| Get-GitHubOidcClaim -Context $GitHubContext | ||
| ``` | ||
|
|
||
| Gets the supported OIDC claim keys for the GitHub instance associated with the given context. | ||
|
|
||
| .NOTES | ||
| [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) | ||
|
|
||
| .LINK | ||
| https://psmodule.io/GitHub/Functions/Actions/OIDC/Get-GitHubOidcClaim | ||
| #> | ||
| [OutputType([string[]])] | ||
| [CmdletBinding()] | ||
| param( | ||
| # The context to run the command in. Used to determine the GitHub instance hostname. | ||
| # When not provided, defaults to github.com. | ||
| [Parameter()] | ||
| [object] $Context | ||
| ) | ||
|
|
||
| begin { | ||
| $stackPath = Get-PSCallStackPath | ||
| Write-Debug "[$stackPath] - Start" | ||
| } | ||
|
|
||
| process { | ||
| $hostName = 'github.com' | ||
| if ($Context) { | ||
| if ($Context -is [string]) { | ||
| $resolved = Get-GitHubContext -Context $Context -ErrorAction SilentlyContinue | ||
| if ($resolved) { | ||
| $hostName = $resolved.HostName | ||
| } | ||
| } elseif ($Context.HostName) { | ||
| $hostName = $Context.HostName | ||
| } | ||
| } | ||
|
|
||
| $issuerHost = if ($hostName -eq 'github.com') { | ||
| 'token.actions.githubusercontent.com' | ||
| } else { | ||
| "token.actions.$hostName" | ||
| } | ||
|
|
||
| $discoveryUri = "https://$issuerHost/.well-known/openid-configuration" | ||
| Write-Debug "[$stackPath] - Discovery URI: [$discoveryUri]" | ||
|
|
||
| $response = Invoke-RestMethod -Uri $discoveryUri -Method Get | ||
| $response.claims_supported | ||
| } | ||
|
|
||
| end { | ||
| Write-Debug "[$stackPath] - End" | ||
| } | ||
| } | ||
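Review bot: the issuer derivation in the else branch, `"token.actions.$hostName"`, is wrong for GitHub Enterprise Server, whose OIDC issuer is `https://HOSTNAME/_services/token` (discovery document at `https://HOSTNAME/_services/token/.well-known/openid-configuration`); the `token.actions.<host>` form applies to github.com and to GHE.com data-residency subdomains only. Branch on the host type, or take the issuer from the context instead of guessing it, otherwise the function queries a host name that does not exist (or is not GitHub's) and the returned `claims_supported` is silently wrong. The `.DESCRIPTION` also overstates what the result means: `claims_supported` is the set of claims the token can carry, not the keys `include_claim_keys` accepts, and the examples elsewhere in this PR pass `context`, which is a subject-template key rather than a token claim, so validating `-IncludeClaimKeys` against this list would reject valid input. Finally, give `Invoke-RestMethod` a `-TimeoutSec` and raise a clear error when the discovery document lacks `claims_supported` rather than returning `$null`.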
Get-GitHubOidcClaim silently falls back to github.com when a string -Context is provided but no matching saved context is found (Get-GitHubContext is called with -ErrorAction SilentlyContinue). This can return claim keys for the wrong host without any error, which is especially problematic for GHE instances. Consider resolving context via Resolve-GitHubContext (it already handles string/null contexts and errors consistently), or explicitly throwing when the named context cannot be resolved instead of defaulting to github.com.