Sample Integration of JFrog OIDC with GitHub Actions

JFrog Platform Administration Documentation


This example shows how to create a basic OIDC integration between the JFrog Platform and GitHub Actions, using a GitHub Actions workflow that runs the JFrog CLI.

When you configure the JFrog Platform OIDC integration, you also need to configure a GitHub Actions workflow in GitHub. For more information about configuring the GitHub Actions workflow, see GitHub Actions Workflow.

  1. In the JFrog Platform, create an OIDC integration between GitHub Actions and the JFrog Platform:

    1. Navigate to the Administration tab in the JFrog Platform UI.

    2. Click General Management | Integrations.

      The Integrations page appears.

    3. Configure the OIDC integration.

      [Screenshot: configure_oidc_integration.png]

    4. Create one or more identity mappings. In the Identity Mappings window, fill in the mapping details.

      [Screenshot: identity_mapping.png]

    5. Add OIDC configuration code to your GitHub Actions workflow file by generating and copying a snippet.

  2. Set up permissions in GitHub Actions and in your GitHub Actions workflow YAML.

    1. Open your GitHub Actions YAML file which sets up your GitHub Actions workflow.

    2. In the GitHub Actions YAML file, add the permissions setting to request the JSON Web Token (JWT).

      permissions:
        id-token: write # This is required for requesting the JWT

    3. Generate a token in GitHub Actions.

      In the GitHub Actions YAML, generate the token by using getIDToken() from the Actions toolkit to request a JWT from GitHub's OIDC provider.

      For more information and alternatives, see Updating Actions for OIDC.

    4. Add a POST request to the JFrog Platform OIDC Token Exchange API. Add the POST request to your GitHub Actions YAML file to the JFrog OpenID endpoint to receive the JWT token. For more information, see OIDC Token Exchange.

      The JFrog CLI snippet you copied from the JFrog OIDC integration configuration contains the configuration information you need, such as the environment URL, provider name, and audience.

      See the following general example.

      curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc" \
          -H "Content-Type: application/json" \
          -d '{
                "name": "${{ env.OIDC_PROVIDER_NAME }}",
                "issuer_url": "https://token.actions.githubusercontent.com",
                "provider_type": "GitHub",
                "description": "This is a test configuration created for OIDC-Access integration test",
                "projectKey": "projectkey15901"
          }'

    5. Use the JWT token in GitHub Actions. The JWT token generated by the OIDC endpoint can be used to establish.

  3. In GitHub, create a new GitHub repository.

  4. In the GitHub repository you created, create a secret named JF_URL. For more information about setting secrets, see https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables. Set the value of the secret to be the JFrog Platform URL, for example, https://acme.jfrog.io.

  5. To test the workflow, push the workflow.yml file under .github/workflows/ in your GitHub repository.

  6. The GitHub Actions workflow runs following any push to the repository.
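The following workflow.yml ties steps 2 and 4 together into one runnable workflow. It is an added example written for this page, not JFrog's or GitHub's own code, and it assumes the provider name github-actions-demo and audience jfrog-github were chosen in step 1, that the token exchange endpoint is /access/api/v1/oidc/token with the request fields shown, and that the exchange response returns the token in access_token.

```yaml
name: jfrog-oidc-example
on:
  push:
    branches: [main]

permissions:
  id-token: write   # required to request the GitHub OIDC JWT (step 2.2)
  contents: read    # nothing else in this job needs more than read

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      JF_URL: ${{ secrets.JF_URL }}            # repository secret created in step 4
      OIDC_PROVIDER_NAME: github-actions-demo  # assumption: provider name chosen in step 1.3
      OIDC_AUDIENCE: jfrog-github              # assumption: audience set in step 1.3
    steps:
      - uses: actions/checkout@v4
      - name: Request a GitHub OIDC JWT
        id: idtoken
        run: |
          # Same request getIDToken() makes; the aud claim must equal the integration's audience.
          # The identity mapping from step 1.4 is evaluated against this JWT's claims (repository, ref, ...).
          id_token=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${OIDC_AUDIENCE}" | jq -r '.value')
          echo "::add-mask::$id_token"
          echo "id_token=$id_token" >> "$GITHUB_OUTPUT"

      - name: Exchange the JWT for a short-lived JFrog access token
        id: exchange
        env:
          ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}   # passed via env, not interpolated into the script
        run: |
          # Request body for the JFrog OIDC Token Exchange API (assumed field names; check the API reference).
          body=$(jq -n --arg t "$ID_TOKEN" --arg p "$OIDC_PROVIDER_NAME" '{
            grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
            subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
            subject_token: $t, provider_name: $p }')
          access_token=$(curl -sS -f -X POST "$JF_URL/access/api/v1/oidc/token" \
            -H "Content-Type: application/json" -d "$body" | jq -r '.access_token')
          echo "::add-mask::$access_token"
          echo "access_token=$access_token" >> "$GITHUB_OUTPUT"

      - name: Configure JFrog CLI with the exchanged token
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_ACCESS_TOKEN: ${{ steps.exchange.outputs.access_token }}
      - run: jf rt ping   # confirms the short-lived token is accepted by Artifactory
```

jfrog/setup-jfrog-cli@v4 can also perform the exchange itself through its oidc-provider-name input, which replaces the two curl steps above.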