Description
Hi 👋 Thank you so much for this tool, it's amazing! I'm a huge fan of workload identity and have a few projects around it, so thank you so much for attempting something that GitHub should have implemented itself a long time ago, this is truly amazing!
My first stab playing with this tool was using it for GHCR, unfortunately it doesn't work for me. Was anybody successful using this for GHCR?
I created a repo just for testing this with GHCR, see the links to my experiments below.
Basically I tested both `read` and `write` for the `packages` permission and it doesn't work (it does work with the automatic temporary `secrets.GITHUB_TOKEN` from GitHub Actions, though, as I showed in my commit/actions history).
- My commit history: https://github.com/matheuscscp/test-octo-sts/commits/main/
- My actions history: https://github.com/matheuscscp/test-octo-sts/actions
- My trust policy: https://github.com/matheuscscp/test-octo-sts/blob/main/.github/chainguard/oci-artifact.sts.yaml

  ```yaml
  issuer: https://token.actions.githubusercontent.com
  subject: repo:matheuscscp/test-octo-sts:ref:refs/heads/main
  permissions:
    packages: write
  ```
- My GitHub Actions workflow (latest version): https://github.com/matheuscscp/test-octo-sts/blob/main/.github/workflows/test.yml

  ```yaml
  name: Test Octo STS
  on:
    push:
      branches: [main]
  jobs:
    push:
      runs-on: ubuntu-latest
      permissions:
        contents: read
        # packages: write # for pushing
        id-token: write # for octo sts and signing
      steps:
        - uses: actions/checkout@v4
        - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
          id: octo-sts
          with:
            scope: ${{ github.repository }}
            identity: oci-artifact # uses the trust policy at .github/chainguard/oci-artifact.sts.yaml
        - uses: controlplaneio-fluxcd/distribution/actions/setup@main
        - uses: sigstore/cosign-installer@v3
        - uses: docker/login-action@v3
          with:
            registry: ghcr.io
            username: ${{ github.actor }}
            # password: ${{ secrets.GITHUB_TOKEN }}
            password: ${{ steps.octo-sts.outputs.token }}
        - uses: controlplaneio-fluxcd/distribution/actions/push@main
          id: push
          with:
            repository: ghcr.io/${{ github.repository }}
        - if: steps.push.outputs.pushed == 'true'
          run: cosign sign --yes $DIGEST_URL
          env:
            DIGEST_URL: ${{ steps.push.outputs.digest-url }}
    pull:
      needs: push
      runs-on: ubuntu-latest
      permissions:
        packages: read # test tmp automatic token
        id-token: write # for octo sts
      steps:
        - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
          id: octo-sts
          with:
            scope: ${{ github.repository }}
            identity: oci-artifact # uses the trust policy at .github/chainguard/oci-artifact.sts.yaml
        - uses: controlplaneio-fluxcd/distribution/actions/setup@main
        - uses: docker/login-action@v3
          with:
            registry: ghcr.io
            username: ${{ github.actor }}
            # password: ${{ steps.octo-sts.outputs.token }}
            password: ${{ secrets.GITHUB_TOKEN }}
        - run: ls
        - run: flux pull artifact oci://ghcr.io/matheuscscp/test-octo-sts:latest --output ./
        - run: ls
  ```
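When a trust policy like the one above is involved, the first thing worth checking is whether the workflow's OIDC token actually carries the `iss` and `sub` values the policy names, since a `pull_request` or environment-scoped run presents a different subject than `ref:refs/heads/main`. The following is an added example (not the issue author's code and not part of octo-sts) that mirrors the two matching fields of the posted policy with exact comparison and reports which permissions that policy would grant. The JWT helpers here decode claims without verifying the signature, which is fine for inspecting a token you already hold, but a real STS verifies the signature against the issuer's JWKS before trusting any claim; the constructed unsigned tokens are only for the offline check.

```python
from __future__ import annotations

import base64
import json

# Constructed policy mirroring the fields of the issue's oci-artifact.sts.yaml.
TRUST_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:matheuscscp/test-octo-sts:ref:refs/heads/main",
    "permissions": {"packages": "write"},
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT signature verification.

    Use only to inspect a token's self-description; never to authorize.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def evaluate_policy(claims: dict, policy: dict) -> tuple[bool, str]:
    """Exact-match the issuer and subject claims against the trust policy.

    This is an assumption about how the policy's `issuer`/`subject` fields are
    compared (exact string equality); it is not octo-sts's own evaluator.
    """
    if claims.get("iss") != policy["issuer"]:
        return False, f"issuer mismatch: got {claims.get('iss')!r}"
    if claims.get("sub") != policy["subject"]:
        return False, f"subject mismatch: got {claims.get('sub')!r}"
    return True, "issuer and subject match the trust policy"


def granted_permissions(claims: dict, policy: dict) -> dict:
    """Permissions the policy would hand out for these claims ({} if no match)."""
    ok, _ = evaluate_policy(claims, policy)
    return dict(policy["permissions"]) if ok else {}


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature) for offline tests only."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claim sets: a push to main and a pull_request run of the same repo.
    samples = {
        "push to main": {"iss": TRUST_POLICY["issuer"], "sub": TRUST_POLICY["subject"]},
        "pull_request": {"iss": TRUST_POLICY["issuer"],
                         "sub": "repo:matheuscscp/test-octo-sts:pull_request"},
    }
    for label, claims in samples.items():
        token = make_unsigned_jwt(claims)
        ok, why = evaluate_policy(jwt_claims(token), TRUST_POLICY)
        print(f"{label}: {ok} ({why}); grants {granted_permissions(claims, TRUST_POLICY)}")
```

Run it with a real token by replacing the constructed samples with the `id_token` your job obtained, and treat a subject mismatch as the thing to fix in the policy before looking at registry-side authorization.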