OIDC provider

[sorenisanerd]

This adds support for a Github Actions compatible OIDC provider.

For more info, see:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

It depends on a few changes in act and act_runner:
https://gitea.com/gitea/act_runner/pulls/272
https://gitea.com/gitea/act/pulls/73

[sorenisanerd]

Still work-in-progress. I have a few more things I want to test before it's ready.

[lunny]

Please send PR to gitea.com/gitea/act first.

[sorenisanerd]

I did. https://gitea.com/gitea/act/pulls/73

[sorenisanerd]

I think this is ready for review, but obviously it's useless without the act and act_runner changes.

[wolfogre]

@sorenisanerd Thank you for your work, I have to say you did a great job, good idea, good code.

However, this featrue has been blocked some trivial things.

• Where to keep the code for parsing permissions? Gitea, the forked act, the upstream act, or using actionlint indead?
• The permissions field is only only for OIDC, but the permissions granted to the GITHUB_TOKEN/GITEA_TOKEN (probably more often), personally, I think the latter should be supported first.
• Is it possible for contributors to send a PR that updates the permissions field and runs a malicious script?

You know, once permissions are involved, we need to be checked more carefully. Please give us some time to discuss and decide.

[sorenisanerd]

Thank you for your kind comments :)

I'm very open to porting this to gitea or actionlinter or wherever. I don't have any strong opinions on it.

I agree it would have made more sense to first use permissions to adjust the capabilities of the GitHub token. I happened to need this oidc-provider functionality, so that's what I focused on. I included methods for merging permissions as well as definitions matching GitHub's defaults so I or someone else could add that later.

Great point about how permissions are affected when permissions apply for pull requests. Is that supposed to be safeguarded by the need to approve workflow runs for new contributors? I honestly don't know what GitHub does.

[sorenisanerd]

I've pushed changes to the act and act_runner PR's on gitea.com. The resulting diffs are very modest. The rest of the functionality has been pulled into Gitea here.

Is this approach more agreeable? I'll add some tests once we're happy with the overall approach.

[sorenisanerd]

I rebased this and reworked it into a set of more reviewable commits. If you like, I can submit them as individual PR's, but each one depends on the previous ones, which makes it a little awkward to manage as separate PR's.

[sorenisanerd]

Nothing new, just rebased and folded ded82c3 (the formatting changes based on the linting errors) into the relevant patches.

[lunny]

Maybe a update on gitea/act side is better.

[sorenisanerd]

As mentioned in the PR description, there's a PR against gitea/act at https://gitea.com/gitea/act/pulls/73 since several months ago.

[lunny]

We need to copy the Permissions struct here because in future that struct maybe changed.

[sorenisanerd]

Excellent point. I'll make that change.

[sorenisanerd]

Wait, does it even matter, since it's stored as JSON? Should I just put interface{} instead of actions_model.Permissions?

[lunny]

We can load the task from database when we need it but not store it in context?

[sorenisanerd]

I honestly don't remember why I did it this way. It's been a while. Let me take another look.

[sorenisanerd]

I took the liberty of renaming my migration to just permissions.go. At this point, I must have had to rename it 5-7 times locally and it's getting kinda annoying. Once this gets closer to being approved, I'll try to pick a number for it.

[sorenisanerd]

I'm also working on a more complete permissions implementation that should probably be merged before this one, so I'm setting this one back to WIP. I expect the permissions patch to be ready some time this week.

[punmechanic]

Hello, are there any updates on this? is there something a contributor can help out with? Would love to see this move along

[NorNorLukas]

I am also very interested om seeing this moving along. Any updates on this?

[scubbo]

Also chiming in support of this - it would be great for Gitea Actions to be able to authenticate to Vault via JWT.

[sorenisanerd]

It was taking too much effort to merge/rebase it while it was waiting for review, so I lost my motivation. I can't make promises about when I'll revive it. If someone else wants to take it over, be my guest.

…

On Mon, Mar 17, 2025 at 9:05 PM Jack Jackson ***@***.***> wrote: Also chiming in support of this - it would be great for Gitea Actions to be able to authenticate to Vault via JWT. — Reply to this email directly, view it on GitHub <#25664 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABHCWU2YHQVOXC7UHOW3C32U6LQHAVCNFSM6AAAAABRF6YIUOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRGU2TQNRVG4> . You are receiving this because you were mentioned.Message ID: ***@***.***> [image: scubbo]*scubbo* left a comment (go-gitea/gitea#25664) <#25664 (comment)> Also chiming in support of this - it would be great for Gitea Actions to be able to authenticate to Vault via JWT. — Reply to this email directly, view it on GitHub <#25664 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABHCWU2YHQVOXC7UHOW3C32U6LQHAVCNFSM6AAAAABRF6YIUOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRGU2TQNRVG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[scubbo]

Understandable - thank you for your effort so far!

I haven't made any contributions to the gitea codebase, so I'd mostly just be replicating what you've done and trying my best to understand it as I go - but I'm certainly willing to try!

EDIT: Here's hoping that this will get more traction! I will of course give you full credit if this gets merged. Thanks again, @sorenisanerd!