octo-sts / app

A GitHub App that acts like a Security Token Service (STS) for the GitHub API
Apache License 2.0

Create an example of federating with a google service account #36

Open mattmoor opened 5 months ago

mattmoor commented 5 months ago

... using the chainguard.dev/sdk client!

mattmoor commented 5 months ago

I think that we can use sts.New from here.

Something like:

```go
// Exchanger pointed at octo-sts, scoped to one repo and one named trust policy
xchg := sts.New("https://octo-sts.dev", "does-not-matter", sts.WithScope("wolfi-dev/os"), sts.WithIdentity("blah"))
...
// Google-issued ID token with octo-sts.dev as its audience
ts, err := idtoken.NewTokenSource(ctx, "octo-sts.dev")
token, err := ts.Token()
// Trade it for a short-lived GitHub token
res, err := xchg.Exchange(ctx, token)

// Use res.Token
```

@cpanato it'd be great to try this out in the chainguard-devops repos to try and eliminate their need for PATs, but maybe this is blocked on support for org-level stuff 🤔

@rawlingsj you mentioned that lifecycle was using PATs, so maybe that's another place we could pilot this with repo-level grants?

mattmoor commented 5 months ago

I confirmed that we can use chainguard.dev/sdk for this: https://github.com/chainguard-dev/mattmoor-actions/actions/runs/7649456188/job/20843888651#step:7:7

See the code here: https://github.com/chainguard-dev/mattmoor-actions/blob/dd6a460c85933d8eb21e5f8e18cd98c6d2e69a92/main.go#L17-L27

cpanato commented 5 months ago

I will implement that

I need to know how the org-level one, to access any repo, will work. I am asking because the service that takes care of the release notes can be installed for any repo, or will we define it per repo as well?

cpanato commented 5 months ago

example: https://github.com/chainguard-dev/chainguard-devops/pull/140

mattmoor commented 5 months ago

@cpanato if you put the policy into .github and don't specify repositories then it'll apply to all repos in the org.

cpanato commented 5 months ago

to close this ticket, do you want a code example in the repo?

mattmoor commented 5 months ago

I think we should have it somewhere public, but I don't have any great ideas for where.

cpanato commented 5 months ago

I would say here, but this is private; maybe in the action repo for octo-sts.

mattmoor commented 5 months ago

We should add token revocation to the sample, e.g. https://github.com/chainguard-dev/octo-sts/pull/92
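The exchange sketched in mattmoor's snippet above, plus the token revocation raised in this last comment, as an added example that is not code from the thread or from the octo-sts project: it calls octo-sts's HTTP exchange endpoint with net/http instead of the chainguard.dev/sdk client, and takes the Google ID token as an argument (in a real job it comes from idtoken.NewTokenSource(ctx, "octo-sts.dev") as in the snippet). It assumes the /sts/exchange path, its scope and identity query parameters and the {"token": ...} response shape from the octo-sts README, and GitHub's DELETE /installation/token endpoint for revocation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// call sends a bearer-authenticated request and fails unless the status is want.
func call(c *http.Client, method, rawURL, bearer string, want int) ([]byte, error) {
	req, err := http.NewRequest(method, rawURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+bearer)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		return nil, fmt.Errorf("%s %s: %s", method, req.URL.Path, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// Exchange trades a Google ID token (audience "octo-sts.dev") for a short-lived GitHub
// installation token for repo/org `scope` under the trust policy `identity`. The
// /sts/exchange path, query parameters and response shape are assumed, not from the thread.
func Exchange(c *http.Client, stsURL, idToken, scope, identity string) (string, error) {
	q := url.Values{"scope": {scope}, "identity": {identity}}
	raw, err := call(c, http.MethodGet, stsURL+"/sts/exchange?"+q.Encode(), idToken, http.StatusOK)
	if err != nil {
		return "", err
	}
	var body struct{ Token string `json:"token"` }
	if err := json.Unmarshal(raw, &body); err != nil || body.Token == "" {
		return "", fmt.Errorf("octo-sts response carried no usable token (%v)", err)
	}
	return body.Token, nil
}

// Revoke invalidates the installation token once the job is done with it, so a leaked
// copy is useless for the rest of its lifetime (GitHub DELETE /installation/token, 204).
func Revoke(c *http.Client, apiURL, token string) error {
	_, err := call(c, http.MethodDelete, apiURL+"/installation/token", token, http.StatusNoContent)
	return err
}
```

Point stsURL at "https://octo-sts.dev" and apiURL at "https://api.github.com" in a real job; the same http.Client can serve both.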