Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication leveraging GITHUB_TOKEN #753

Open
jiparis opened this issue May 7, 2024 · 0 comments
Open

Authentication leveraging GITHUB_TOKEN #753

jiparis opened this issue May 7, 2024 · 0 comments
Labels
component/backend component/CLI component/controlplane enhancement New feature or request

Comments

@jiparis
Copy link
Member

jiparis commented May 7, 2024

A passive authentication mechanism would leverage the existing GITHUB_TOKEN to authenticate/authorize existing workflows against chainloop. This would mean:

  • GH Token should be verified against GH well-known public key
  • Token claims would contain, at least, the related GH repository reference, and the GH workflow being run. Chainloop would check it against an allowlist of valid repositories for the organization.
  • The GH workflow would map directly to a Chainloop workflow and contract.

An example of CLI execution would look like:

chainloop att init --github-token $GITHUB_TOKEN

Note that this would replace entirely the need of a CHAINLOOP_API_TOKEN. But it could still leverage ephemeral robot accounts for the attestation itself (see #752)
@jiparis jiparis changed the title Authentication leveraing GITHUB_TOKEN Authentication leveraging GITHUB_TOKEN May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/backend component/CLI component/controlplane enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jiparis