Setting up GitHub Actions to Establish Trust with the JFrog Platform

JFrog Platform Administration Documentation


After setting up the OIDC integration in the JFrog Platform, you must set up GitHub Actions and the GitHub Actions workflow to establish trust.

The JFrog Platform OIDC integration requires a matching GitHub Actions workflow in GitHub. For more information about configuring the workflow, see GitHub Actions Workflow.

  1. In the GitHub Actions Workflow YAML file, add the permissions setting to request the JSON Web Token (JWT).

    permissions:
      id-token: write # This is required for requesting the JWT   
    
  2. Generate a token in GitHub Actions.

    In the GitHub Actions workflow, you can use getIDToken() from the Actions toolkit to request a JWT from GitHub's OIDC provider.

    getIDToken()
    

    For more information and alternatives, see Updating Actions for OIDC.

  3. Add a POST request to the JFrog Platform OIDC Token Exchange API. In your GitHub Actions YAML file, send the POST request to the JFrog OpenID endpoint to receive the JWT token. For more information, see OIDC Token Exchange.

    # Replace <ID_TOKEN> with the JWT obtained in step 2.
    curl -X POST -H "Content-type: application/json" \
         https://example.jfrog.io/access/api/v1/oidc/token -d \
         '{"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
           "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
           "subject_token": "<ID_TOKEN>",
           "provider_name": "github-oidc"}'
    
  4. Use the JWT token in GitHub Actions. The JWT token generated by the OIDC endpoint can be used like an API key.
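
Steps 2 to 4 as one Node.js script, as an added example (not JFrog's or GitHub's own code): it requests the ID token through the runner's `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables instead of the toolkit, masks both tokens in the job log, and posts the exchange body from step 3. `JFROG_URL`, the `AUDIENCE` value and the `access_token` response field are assumptions, and the function names are illustrative.

```javascript
// Added example. Assumed: JFROG_URL, AUDIENCE, and the access_token response
// field (RFC 8693 name). "github-oidc" is the provider name from the curl above.
const JFROG_URL = process.env.JFROG_URL || "https://example.jfrog.io";
const AUDIENCE = "example-audience"; // assumption: must match your OIDC integration

// Step 2: request the ID token from the runner (needs `id-token: write`).
async function requestIdToken(audience) {
  const url = `${process.env.ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${encodeURIComponent(audience)}`;
  const headers = { Authorization: `bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}` };
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`ID token request failed: HTTP ${res.status}`);
  return (await res.json()).value;
}

// Decode (NOT verify) the claims, to compare iss/sub/aud with the identity mapping.
function readClaims(idToken) {
  return JSON.parse(Buffer.from(idToken.split(".")[1], "base64url").toString("utf8"));
}

// Step 3 body. JSON.stringify does the quoting, so the token cannot break the JSON.
function buildExchangeBody(idToken, providerName) {
  if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(idToken)) throw new Error("not a compact JWT");
  return {
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
    subject_token: idToken,
    provider_name: providerName,
  };
}

async function exchangeToken(idToken, providerName) {
  const res = await fetch(`${JFROG_URL}/access/api/v1/oidc/token`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildExchangeBody(idToken, providerName)),
  });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}

async function main() {
  const idToken = await requestIdToken(AUDIENCE);
  console.log(`::add-mask::${idToken}`); // workflow command: redact from the job log
  const { iss, sub, aud } = readClaims(idToken);
  console.log(`exchanging ID token: iss=${iss} sub=${sub} aud=${aud}`);
  const accessToken = await exchangeToken(idToken, "github-oidc");
  console.log(`::add-mask::${accessToken}`);
  return accessToken; // step 4: hand to later calls
}
if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) main().catch((e) => { console.error(e.message); process.exitCode = 1; }); // only inside an Actions job
```

When an exchange is rejected, the logged `iss`, `sub` and `aud` values are the ones to compare against the identity mapping configured for the integration.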