#!/bin/bash
# Exchange GitLab CI OIDC Token for GitHub Token via Datadog Octo-STS
# This script uses GitLab's OIDC provider to obtain a short-lived GitHub token
# without requiring any stored secrets in the GitLab project.
#
# Usage: TOKEN=$(./get-github-token-via-octo-sts.sh)
# The token is the only thing written to stdout; all diagnostics go to stderr.
set -euo pipefail

# Configuration — every value may be overridden from the environment.
: "${OCTO_STS_DOMAIN:=octo-sts.chainguard.dev}"   # Octo-STS host
: "${OCTO_STS_AUDIENCE:=dd-octo-sts}"             # NOTE(review): not referenced by this script; presumably the `aud` the GitLab id_token must be issued with — confirm against the job's id_tokens config
: "${OCTO_STS_SCOPE:=DataDog/java-profiler}"      # GitHub org/repo that hosts the trust policy
: "${OCTO_STS_POLICY:=gist-update}"               # trust policy name (<policy>.sts.yaml)

# ANSI colour codes for the log helpers below, which interpret the escapes.
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
log_info() {
  # Informational line on stderr; stdout is reserved for the token itself.
  printf '%b\n' "${GREEN}[INFO]${NC} $*" >&2
}
log_warn() {
  # Warning line on stderr; stdout is reserved for the token itself.
  printf '%b\n' "${YELLOW}[WARN]${NC} $*" >&2
}
log_error() {
  # Error line on stderr; stdout is reserved for the token itself.
  printf '%b\n' "${RED}[ERROR]${NC} $*" >&2
}
# Validate GitLab CI environment: the presence of CI is the in-pipeline signal.
if [[ -z "${CI:-}" ]]; then
  log_error "This script must run in GitLab CI environment"
  log_error "CI environment variable not set"
  exit 1
fi

# Check for GitLab OIDC token.
# NOTE(review): CI_JOB_JWT_V2 is GitLab's legacy predefined OIDC variable; jobs
# that use the `id_tokens:` keyword expose the token under the name chosen
# there — confirm which variable this pipeline actually provides.
if [[ -z "${CI_JOB_JWT_V2:-}" ]]; then
  log_error "GitLab OIDC token (CI_JOB_JWT_V2) not available"
  log_error "Ensure the CI job has 'id_tokens:' configured"
  exit 1
fi
log_info "Exchanging GitLab OIDC token for GitHub token via Octo-STS..."
log_info "Scope: ${OCTO_STS_SCOPE}"
log_info "Policy: ${OCTO_STS_POLICY}"

# Build Octo-STS exchange URL. scope and identity are interpolated verbatim
# (no URL encoding); they come from operator configuration, not user input.
printf -v EXCHANGE_URL 'https://%s/sts/exchange?scope=%s&identity=%s' \
  "${OCTO_STS_DOMAIN}" "${OCTO_STS_SCOPE}" "${OCTO_STS_POLICY}"
log_info "Exchange URL: ${EXCHANGE_URL}"
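# Exchange OIDC token for GitHub token
# The bearer token is handed to curl through a header file (-H @file) rather
# than argv, so it does not appear in `ps` output or in `set -x` traces.
# mktemp creates the file readable by the current user only; the trap removes
# it on every exit path.
header_file=$(mktemp) || { log_error "mktemp failed"; exit 1; }
trap 'rm -f -- "${header_file}"' EXIT
printf 'Authorization: Bearer %s\n' "${CI_JOB_JWT_V2}" > "${header_file}"

# -S keeps curl's own error text on stderr despite -s. A transport failure is
# reported explicitly instead of letting set -e abort the script silently.
curl_status=0
response=$(curl -sS -w "\n%{http_code}" \
  -X POST \
  -H "@${header_file}" \
  -H "Accept: application/json" \
  "${EXCHANGE_URL}") || curl_status=$?
if (( curl_status != 0 )); then
  log_error "Request to Octo-STS failed (curl exit ${curl_status})"
  exit 1
fi

# Split response into body and status code (-w appends the status as the
# last line).
http_code=$(printf '%s\n' "${response}" | tail -n1)
body=$(printf '%s\n' "${response}" | sed '$d')
log_info "HTTP status: ${http_code}"
# The body is deliberately NOT logged here: on success it carries the GitHub
# token, and CI job logs are retained and visible to everyone with job access.
# Failure bodies are reported by the status check that follows.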
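# Check HTTP status code
# curl's %{http_code} is three digits ("000" when no HTTP response arrived);
# anything else means the response could not be split and must not fall
# through to token extraction with a bash "integer expression expected" error.
if [[ ! "${http_code}" =~ ^[0-9]{3}$ ]]; then
  log_error "Octo-STS token exchange returned an unparseable status: '${http_code}'"
  log_error "Response: ${body}"
  exit 1
fi

if [[ "${http_code}" != "200" ]]; then
  log_error "Octo-STS token exchange failed (HTTP ${http_code})"
  # A failure body is not expected to carry a token, so it is safe to log.
  log_error "Response: ${body}"
  case "${http_code}" in
    401)
      log_error "Authentication failed - OIDC token was rejected"
      log_error "Possible causes:"
      log_error " 1. Trust policy not configured for this repository"
      log_error " 2. Trust policy doesn't match GitLab CI claims"
      log_error " 3. Octo-STS configuration issue"
      ;;
    404)
      log_error "Trust policy not found"
      log_error "Expected location: https://github.com/${OCTO_STS_SCOPE}/.github/chainguard/${OCTO_STS_POLICY}.sts.yaml"
      ;;
  esac
  exit 1
fi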
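# Extract token from response (expecting JSON: {"token": "ghs_..."})
#######################################
# Print the "token" string from a JSON document.
# Arguments: $1 - JSON body
# Outputs:   the token value on stdout, or nothing if absent/unparseable
# Returns:   0 always; absence is signalled by empty output so the caller
#            can report it together with the body. A grep-based pipeline
#            would exit 1 on no match and, under set -e/pipefail, abort the
#            script before the "Failed to extract" diagnostic is reached.
#######################################
extract_token() {
  local json=$1
  if command -v jq >/dev/null 2>&1; then
    # jq exits non-zero on invalid JSON; swallow that so the result is empty.
    printf '%s' "${json}" | jq -r '.token // empty' 2>/dev/null || true
  else
    # Fallback without jq: tolerate whitespace around the colon. sed -n exits 0
    # whether or not the pattern matched.
    printf '%s' "${json}" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

github_token=$(extract_token "${body}")
if [[ -z "${github_token}" ]]; then
  log_error "Failed to extract GitHub token from response"
  log_error "Response: ${body}"
  exit 1
fi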
log_info "✅ Successfully obtained GitHub token (expires in 1 hour)"
# Output token to stdout (caller can capture with TOKEN=$(./get-github-token-via-octo-sts.sh))
# printf rather than echo, so a value beginning with '-' can never be taken
# for an option.
printf '%s\n' "${github_token}"