From 8c8514ca27aa996b0b343b9b72595cbc07f65a05 Mon Sep 17 00:00:00 2001
From: delarea
Date: Thu, 17 Apr 2025 15:28:45 +0300
Subject: [PATCH 1/6] Update JFrog GitHub OIDC setup docs

---
 .../configuring-openid-connect-in-jfrog.md | 72 +++++++------------
 1 file changed, 25 insertions(+), 47 deletions(-)

diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index df5d264bf35c..a34fc5c81710 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -1,4 +1,3 @@
----
 title: Configuring OpenID Connect in JFrog
 shortTitle: OpenID Connect in JFrog
 intro: Use OpenID Connect within your workflows to authenticate with JFrog.
@@ -19,6 +18,8 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %}
 
 This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.
 
+> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary.
+
 For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation.
 
 For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository.
@@ -52,59 +53,36 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables
 
 ## Updating your {% data variables.product.prodname_actions %} workflow
 
-Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file.
-
-In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
-
-The following example uses the placeholder `YOUR_PROVIDER_NAME`.
+### Example: Authenticating with JFrog using OIDC
 
 ```yaml
-- name: Fetch Access Token from Artifactory
-  id: fetch_access_token
-  env:
-    ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
-  run: |
-    ACCESS_TOKEN=$(curl \
-    -X POST \
-    -H "Content-type: application/json" \
-    https://example.jfrog.io/access/api/v1/oidc/token \
-    -d \
-    "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"')
-    echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
-```
-
-The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL.
-
-```yaml
-- name: Get ID Token (cURL method)
-  id: idtoken
-  run: |
-    ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
-    echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT
-```
+permissions:
+  id-token: write
+  contents: read
 
-Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context).
-
-{% data reusables.actions.oidc-deployment-protection-rules %}
-
-```yaml
 jobs:
   build:
     runs-on: ubuntu-latest
-    env:
-      OIDC_AUDIENCE: 'YOUR_AUDIENCE'
+    steps:
+      - name: Setup JFrog CLI with OIDC
+        uses: jfrog/setup-jfrog-cli@v4
+        with:
+          oidc-provider-name: 'YOUR_PROVIDER_NAME'
+          oidc-audience: 'YOUR_AUDIENCE'
+
+      - name: Upload artifact
+        run: jf rt upload "dist/*.zip" my-repo/
 ```
 
-Then, in your workflow file, retrieve the value of the variables stored in the `env` context. The following example uses the `env` context to retrieve the OIDC audience.
+## Security Best Practices
 
-```yaml
-- name: Get ID Token (using env context)
-  uses: {% data reusables.actions.action-github-script %}
-  id: idtoken
-  with:
-    script: |
-      const coredemo = require('@actions/core');
-      let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
-      coredemo.setOutput('id_token', id_token);
+- Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
+- Limit trust using specific claims like `repository`, `ref`, or `environment`.
+- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate.
+
+## Further Reading
+
+- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
+- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token)
 ```

From 7c0f7328c5c8da12189ddbe5abc2b21ac54c6a39 Mon Sep 17 00:00:00 2001
From: delarea
Date: Thu, 17 Apr 2025 15:36:14 +0300
Subject: [PATCH 2/6] Remove note section

---
 .../configuring-openid-connect-in-jfrog.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index a34fc5c81710..51a5598e9633 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -18,8 +18,6 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %}
 
 This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.
 
-> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary.
-
 For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation.
 
 For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository.

From 9c67e2354fdf76f7b0091968d0859853d75e5b46 Mon Sep 17 00:00:00 2001
From: delarea
Date: Thu, 17 Apr 2025 15:39:57 +0300
Subject: [PATCH 3/6] Fix diff

---
 .../configuring-openid-connect-in-jfrog.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index 51a5598e9633..d338d526f458 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -1,3 +1,4 @@
+---
 title: Configuring OpenID Connect in JFrog
 shortTitle: OpenID Connect in JFrog
 intro: Use OpenID Connect within your workflows to authenticate with JFrog.
@@ -53,6 +54,8 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables
 
 ### Example: Authenticating with JFrog using OIDC
 
+In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
+
 ```yaml
 permissions:
   id-token: write

From adb908114dbe92ad67a9cf4c83df195fcef7bf61 Mon Sep 17 00:00:00 2001
From: delarea
Date: Sun, 20 Apr 2025 13:19:00 +0300
Subject: [PATCH 4/6] CR

---
 .../configuring-openid-connect-in-jfrog.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index d338d526f458..108e344f84ad 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -56,6 +56,9 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables
 
 In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
 
+The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`.
+
+{% data reusables.actions.oidc-deployment-example %}
 ```yaml
 permissions:
   id-token: write
@@ -79,11 +82,12 @@ jobs:
 
 - Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
 - Limit trust using specific claims like `repository`, `ref`, or `environment`.
-- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate.
+- Configure identity mappings in JFrog to restrict authentication to specific workflows.
 
 ## Further Reading
 
 - [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
-- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [JFrog Platform Identify Mappings DOCS](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings)
 - [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token)
+- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
 ```

From 9246deef5aea97c9a0084d3ae584786137ceb1d9 Mon Sep 17 00:00:00 2001
From: delarea
Date: Sun, 20 Apr 2025 13:54:53 +0300
Subject: [PATCH 5/6] Remove unused variable

---
 .../configuring-openid-connect-in-jfrog.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index 108e344f84ad..a284e29d3535 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -58,7 +58,6 @@ In your {% data variables.product.prodname_actions %} workflow file, ensure you
 
 The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`.
 
-{% data reusables.actions.oidc-deployment-example %}
 ```yaml
 permissions:
   id-token: write

From 48859cf0e65aebbd2e187cff9414aaa35064f5a0 Mon Sep 17 00:00:00 2001
From: delarea
Date: Mon, 21 Apr 2025 09:23:39 +0300
Subject: [PATCH 6/6] Update

---
 .../configuring-openid-connect-in-jfrog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
index a284e29d3535..15433fa8f737 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -56,7 +56,7 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables
 
 In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
 
-The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`.
+The following example uses the placeholders YOUR_PROVIDER_NAME and YOUR_AUDIENCE.
 
 ```yaml
 permissions: