Gitea as an OIDC IdP for Actions #26383

Open
jtackaberry opened this issue Aug 7, 2023 · 4 comments
Labels
topic/gitea-actions related to the actions of Gitea type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@jtackaberry
Feature Description

Gitea should issue OIDC ID tokens for Actions jobs. By adding one's Gitea instance as an IdP in, for example, AWS IAM, it would allow jobs to assume IAM roles without the need to store AWS credentials as secrets (and the associated burden of regular rotations).

GitHub can do this: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
GitLab too: https://docs.gitlab.com/ee/ci/cloud_services/

GitHub requires jobs to hit an endpoint defined in $ACTIONS_ID_TOKEN_REQUEST_URL to retrieve a token (typically via an action -- for example -- though it can be done with curl as shown in the above URL), while GitLab automatically generates one and injects it into the job's environment. I find GitLab's approach much more convenient, but I suppose Gitea would follow GitHub's approach given it's copying Actions.

The basic plumbing seems to be in place already (notably OIDC Discovery); Gitea would just need to issue ID tokens with the appropriate aud and sub claims.

Screenshots

No response

@jtackaberry jtackaberry added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Aug 7, 2023
@techknowlogick
Member

Hi. Thanks for the ticket :) I am on mobile so I can't find it right now, but there is a WIP PR for this.

@jtackaberry
Author

Ahh, thanks @techknowlogick, I see #25664. I searched Issues high and low for this but didn't think to check the PRs. :)

I'm delighted to see there's already work being done on this. Feel free to close this if you feel that's appropriate.

@techknowlogick
Member

@jtackaberry ah, thanks for finding that :) Yeah, that's the one I was thinking of. I'll keep this open to track that PR.

@thomas-maurice

Hello! Are there any updates on this feature? It would be awesome to have a per-job token issued so the jobs could authenticate against things like Hashicorp Vault and other systems to pull secrets and perform actions without having to rely on static auth tokens!

@Zettat123 Zettat123 added the topic/gitea-actions related to the actions of Gitea label Dec 2, 2024

4 participants