Conversation

@therealvio therealvio commented Sep 17, 2023

The documentation depicting how to limit scope of access in the trust policy works for most cases. However, when a deployment environment is used by a branch, the policy will not work. This is described in the linked documentation here:

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims

You can test your GitHub Actions runs to verify what claim you need using this action: https://github.com/github/actions-oidc-debugger

Why:

Closes: #28292

What's being changed (if available, include any code snippets, screenshots, or gifs):

Check off the following:

  • I have reviewed my changes in staging, available via the View deployment link in this PR's timeline.

    • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
  • For content changes, I have completed the self-review checklist.
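The failure mode the PR describes can be reproduced offline by evaluating an IAM trust policy against the subject claims GitHub issues. The following is an added example, not code from the PR, from GitHub Docs or from AWS: it builds two trust policies in the shape AWS uses for a GitHub OIDC provider, models only the StringEquals and StringLike operators, and runs three constructed claim sets through them. The account id, org and repo names are placeholders; the three sub-claim shapes follow the formats GitHub documents for branch refs, environments and pull requests.

```python
import fnmatch

# Constructed placeholders: the account id, org and repo are assumptions, not values from the PR.
ACCOUNT_ID = "123456789012"
REPO = "example-org/example-repo"
OIDC_PROVIDER = "token.actions.githubusercontent.com"


def trust_policy(sub_patterns):
    """Build an IAM trust policy for the GitHub OIDC provider that allows
    sts:AssumeRoleWithWebIdentity only when both aud and sub match."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_PROVIDER}:sub": list(sub_patterns)},
            },
        }],
    }


# The policy as usually written: only tokens minted for pushes to main.
BRANCH_ONLY_POLICY = trust_policy([f"repo:{REPO}:ref:refs/heads/main"])

# A policy that also admits jobs referencing the "production" environment, whose
# sub claim names the environment instead of the branch ref.
BRANCH_AND_ENV_POLICY = trust_policy([
    f"repo:{REPO}:ref:refs/heads/main",
    f"repo:{REPO}:environment:production",
])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, claims):
    """Evaluate the StringEquals/StringLike operators of one statement.
    IAM ANDs every key across operators and ORs the values listed for a key;
    a claim the token does not carry fails the check."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            claim_name = key.split(":", 1)[1]  # "token.actions...:sub" -> "sub"
            actual = claims.get(claim_name)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(allowed)
            elif operator == "StringLike":
                # fnmatchcase keeps the comparison case-sensitive, as IAM's StringLike is
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(allowed))
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def assume_role_allowed(policy, claims):
    """True if any Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if _condition_matches(stmt.get("Condition", {}), claims):
            return True
    return False


# Constructed claim sets following the sub formats GitHub documents.
BRANCH_TOKEN = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:ref:refs/heads/main"}
ENVIRONMENT_TOKEN = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:environment:production"}
PULL_REQUEST_TOKEN = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:pull_request"}


if __name__ == "__main__":
    tokens = [("branch", BRANCH_TOKEN), ("environment", ENVIRONMENT_TOKEN),
              ("pull_request", PULL_REQUEST_TOKEN)]
    for name, token in tokens:
        print(f"{name:12s} branch-only={assume_role_allowed(BRANCH_ONLY_POLICY, token)!s:5s} "
              f"branch+env={assume_role_allowed(BRANCH_AND_ENV_POLICY, token)}")
```

The branch-only policy rejects the environment token even though the job ran from the same repository, which is the mismatch the PR reports; listing the environment subject explicitly is what the docs' "example subject claims" section describes, and it keeps pull-request tokens out, which a broad `repo:org/repo:*` pattern would let through. The actions-oidc-debugger action linked above prints the real claims for a given run, so a pattern can be checked against what the token actually carries before it is relied on.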

welcome bot commented Sep 17, 2023

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Sep 17, 2023
@github-actions

👋 Hey there spelunker. It looks like you've modified some files that we can't accept as contributions. The complete list of files we can't accept is:
.devcontainer/**
.github/actions-scripts/**
.github/workflows/**
.github/CODEOWNERS
assets/fonts/**
data/graphql/**
Dockerfile*
src/**
lib/redirects/**
package*.json
scripts/**
content/actions/deployment/security-hardening-your-deployments/**

You'll need to revert all of the files you changed in that list using GitHub Desktop or git checkout origin/main <file name>. Once you get those files reverted, we can continue with the review process. :octocat:

github-actions bot commented Sep 17, 2023

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source: actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
Preview: fpt, ghec, ghes@ 3.10 3.9 3.8 3.7 3.6
Production: fpt, ghec, ghes@ 3.10 3.9 3.8 3.7 3.6
What Changed: (not filled in)

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server
ghae: GitHub AE

The documentation depicting how to limit scope of access in the trust policy works for *most* cases. However, when a deployment environment is used by a job, the policy will not work. This is described in the linked documentation here:

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims

You can test your GitHub Actions runs to verify what claim you need using this action: https://github.com/github/actions-oidc-debugger

@cmwilson21

@therealvio Thanks for submitting a PR! I edited your post slightly to link it to your issue 👍

We generally don't accept contributions to these files, as you stated, but would you mind marking this PR as "Ready"? I can mention it to the team and we can decide if we need to make this change internally or not.

Thank you for your interest in improving GitHub Docs! 💖

@therealvio therealvio marked this pull request as ready for review September 19, 2023 00:21
@therealvio

Thank you!

@cmwilson21 I have promoted the PR from draft :)

@cmwilson21 cmwilson21 added content This issue or pull request belongs to the Docs Content team actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Sep 19, 2023
@jc-clark

✨Thank you for contributing with this @therealvio!

It does seem like it would be helpful to link to "Filtering for a specific branch" in this AWS example as you're suggesting.

Since these are restricted files, I'll go ahead and open up an internal issue and we will be able to make the fix from there.

@jc-clark jc-clark closed this Sep 19, 2023
@therealvio

Love to see it, thanks @jc-clark!

Development

Successfully merging this pull request may close these issues.

Trust policy example in Setting up OIDC for AWS should reference docs on OIDC subjects in claims

3 participants