Open mattmoor opened 5 months ago
I think that we can use sts.New from here.
Something like:
```go
// Exchanger for the Octo STS endpoint; the second argument is the audience placeholder.
xchg := sts.New("https://octo-sts.dev", "does-not-matter", sts.WithScope("wolfi-dev/os"), sts.WithIdentity("blah"))
...
// Mint an OIDC ID token whose audience is the STS endpoint (check each err in real code).
ts, err := idtoken.NewTokenSource(ctx, "octo-sts.dev")
token, err := ts.Token()
// Exchange it for a scoped token; the ID token string lives in token.AccessToken.
res, err := xchg.Exchange(ctx, token.AccessToken)
// Use res.Token
```
@cpanato it'd be great to try this out in the chainguard-devops repos to try and eliminate their need for PATs, but maybe this is blocked on support for org-level stuff 🤔
@rawlingsj you mentioned that lifecycle was using PATs, so maybe that's another place we could pilot this with repo-level grants?
I confirmed that we can use chainguard.dev/sdk for this:
https://github.com/chainguard-dev/mattmoor-actions/actions/runs/7649456188/job/20843888651#step:7:7
See the code here: https://github.com/chainguard-dev/mattmoor-actions/blob/dd6a460c85933d8eb21e5f8e18cd98c6d2e69a92/main.go#L17-L27
I will implement that
I need to know how the org-level one for accessing any repo will work. I am asking because the service that takes care of the release notes can be installed for any repo; or will we define it per repo as well?
@cpanato if you put the policy into .github and don't specify repositories then it'll apply to all repos in the org.
To close this ticket, do you want a code example in the repo?
I think we should have it somewhere public, but I don't have any great ideas for where.
I would say here, but this is private; maybe in the action repo for octo-sts.
We should add token revocation to the sample, e.g. https://github.com/chainguard-dev/octo-sts/pull/92 ... using the chainguard.dev/sdk client!
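The flow the thread sketches (ID token in, short-lived scoped token out, revocation when done), as an added stand-alone Go example that is not code from the thread, from Octo STS or from chainguard.dev/sdk. A toy in-process STS verifies the ID token's signature, audience and expiry, consults a scope-to-subject policy that stands in for the trust policy the thread describes, issues a token with a short TTL, and revokes it on request. The HS256 shared key, the `ToySTS`, `MintIDToken`, `Exchange`, `Valid` and `Revoke` names, the map-shaped policy and the `toy_` token format are all constructed assumptions for this example; only the audience `octo-sts.dev` and the scope `wolfi-dev/os` are taken from the sketch.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed shared key; a real STS verifies the issuer's signature via OIDC discovery keys.
var hmacSecret = []byte("constructed-test-key")
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(input string) []byte {
	mac := hmac.New(sha256.New, hmacSecret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// IDClaims is the subset of OIDC ID token claims the exchange decision needs.
type IDClaims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// MintIDToken builds an HS256 JWT standing in for the ID token the workload
// obtains (the idtoken.NewTokenSource step in the thread).
func MintIDToken(c IDClaims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c) // cannot fail for this plain struct
	signingInput := header + "." + b64(payload)
	return signingInput + "." + b64(sign(signingInput))
}

// verifyIDToken checks signature, audience and expiry before any claim is trusted.
func verifyIDToken(tok, wantAud string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	var c IDClaims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != wantAud || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token not valid for audience %q at %v", wantAud, now.UTC())
	}
	return &c, nil
}

// ToySTS stands in for the exchange service: Policy maps a scope (org or org/repo)
// to the single subject allowed to exchange for it; Issued tracks live tokens for revocation.
type ToySTS struct {
	Audience string
	Policy   map[string]string
	TTL      time.Duration
	Issued   map[string]time.Time
}

// Exchange is the server side of xchg.Exchange: a valid ID token whose subject
// the policy allows for the requested scope yields a short-lived scoped token.
func (s *ToySTS) Exchange(idToken, scope string, now time.Time) (string, error) {
	claims, err := verifyIDToken(idToken, s.Audience, now)
	if err != nil {
		return "", err
	}
	if want, ok := s.Policy[scope]; !ok || want != claims.Sub {
		return "", fmt.Errorf("subject %q not permitted for scope %q", claims.Sub, scope)
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "toy_" + b64(raw) // constructed opaque token, not GitHub's format
	s.Issued[tok] = now.Add(s.TTL)
	return tok, nil
}

// Valid reports whether a token is still usable: issued, not revoked, not expired.
func (s *ToySTS) Valid(tok string, now time.Time) bool {
	exp, ok := s.Issued[tok]
	return ok && now.Before(exp)
}

// Revoke drops the token once the workflow is done instead of letting it live out its TTL.
func (s *ToySTS) Revoke(tok string) { delete(s.Issued, tok) }
```

The design point for replacing PATs is visible in the last two methods: the exchanged token is bounded twice, by a TTL set at issuance and by an explicit revoke at the end of the job, whereas a PAT stays valid until someone remembers to rotate it.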