A passive authentication mechanism would leverage the existing GITHUB_TOKEN to authenticate/authorize existing workflows against chainloop. This would mean:
- GH Token should be verified against GH well-known public key
- Token claims would contain, at least, the related GH repository reference, and the GH workflow being run. Chainloop would check it against an allowlist of valid repositories for the organization.
- The GH workflow would map directly to a Chainloop workflow and contract.
An example of CLI execution would look like:
```
chainloop att init --github-token $GITHUB_TOKEN
```
Note that this would entirely replace the need for a CHAINLOOP_API_TOKEN. But it could still leverage ephemeral robot accounts for the attestation itself (see #752).
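The verification steps listed above, sketched in Go as an added example (not code from this issue or from Chainloop). It assumes the token is an RS256-signed JWT with `iss`, `aud`, `exp`, `repository` and `workflow` claims as in GitHub's Actions OIDC tokens, and that the signing key was already fetched from the issuer's published key set; `Authorize`, its parameters and the `chainloop` audience are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims: fields checked here, named as in GitHub's Actions OIDC token (assumed shape).
type Claims struct{ Iss, Aud, Repository, Workflow string; Exp int64 }
const issuer = "https://token.actions.githubusercontent.com"

// Authorize (hypothetical helper) checks signature, issuer, audience, expiry and allowlist.
func Authorize(token string, key *rsa.PublicKey, aud string, repos map[string]bool, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string }
	hb, err := base64.RawURLEncoding.DecodeString(p[0])
	// Pin the algorithm so the token cannot select "none" or an HMAC variant.
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims // claims are only parsed once the signature has been verified
	pb, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != issuer || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("issuer, audience or expiry check failed")
	}
	if !repos[c.Repository] {
		return nil, fmt.Errorf("repository %q is not in the allowlist", c.Repository)
	}
	return &c, nil
}

func main() {
	// Constructed input, not a real token: it is rejected before any key is used.
	_, err := Authorize("not.a.token", &rsa.PublicKey{}, "chainloop", nil, time.Now())
	fmt.Println("rejected:", err)
}
```

The returned `Workflow` claim is what a caller would use to look up the matching Chainloop workflow and contract.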