Open wata727 opened 1 year ago
This work is dependent on fulcio including these claims from the OIDC token in the certificate, which is ongoing in https://github.com/sigstore/fulcio/pull/945. We can then add flags for the new claims, though we should be able to drop GitHub from the flag name since they’ll be standardized for all CI platforms.
This is unblocked now.
Description
See also https://github.blog/changelog/2023-01-10-github-actions-openid-connect-token-now-supports-more-claims-for-configuring-granular-cloud-access/
Recently, GitHub announced that the OpenID Connect token supports more claims:
actor_id
repository_id
repository_owner_id
workflow_ref
workflow_sha
job_workflow_sha
https://token.actions.githubusercontent.com/.well-known/openid-configuration
It may be useful to support these claims like `--certificate-github-workflow-repository`, which is already supported. Especially, the `repository_id` is more secure as it is not affected by Repojacking, unlike the `repository`.

What do you think about this? If this makes sense I can work on this. Maybe depending on https://github.com/sigstore/cosign/issues/2691 this may not be necessary.
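Added example, not cosign's or Fulcio's code: a minimal Go claim check illustrating the point above. A repository recreated under the trusted project's name (repojacking) carries the same `repository` claim but a new `repository_id`, so a name-only match accepts it while a pinned id rejects it. The token, repository name and ids are constructed; signature verification is omitted on purpose.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims holds the two GitHub Actions OIDC claims compared here (JSON names are the claim names).
// The same type doubles as a policy: an empty field means "not pinned".
type Claims struct {
	Repository   string `json:"repository"`
	RepositoryID string `json:"repository_id"`
}

// DecodeClaims reads the payload segment of a compact JWT (header.payload.signature).
// Signature verification is deliberately out of scope here; only claim matching is shown.
func DecodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("token is not in compact JWS form")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

// Verify returns nil when every pinned field of want matches got, else an error naming the field.
func Verify(got, want Claims) error {
	if want.Repository != "" && got.Repository != want.Repository {
		return fmt.Errorf("repository %q != %q", got.Repository, want.Repository)
	}
	if want.RepositoryID != "" && got.RepositoryID != want.RepositoryID {
		return fmt.Errorf("repository_id %q != %q", got.RepositoryID, want.RepositoryID)
	}
	return nil
}

func main() {
	// Constructed, unsigned token for a repo recreated under the trusted name (repojacking): same repository, new id.
	payload := `{"repository":"example-org/tool","repository_id":"987654"}`
	token := "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
	trusted := Claims{Repository: "example-org/tool", RepositoryID: "123456"}
	got, _ := DecodeClaims(token)
	fmt.Println("name only:", Verify(got, Claims{Repository: trusted.Repository})) // <nil>: accepted
	fmt.Println("with id:  ", Verify(got, trusted))                                 // repository_id mismatch
}
```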