Skip to content

fix(signing): explicitly fetch GitHub OIDC token for Sigstore#252

Merged
leodido merged 2 commits intomainfrom
fix/fetch-signing-token
Oct 24, 2025
Merged

fix(signing): explicitly fetch GitHub OIDC token for Sigstore#252
leodido merged 2 commits intomainfrom
fix/fetch-signing-token

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Oct 10, 2025

Description

Fixes Sigstore signing failure caused by missing OIDC token provisioning.

Fixes Sigstore signing failure caused by missing OIDC token provisioning.

Problem: The sigstore-go library requires an explicit JWT token in CertificateProviderOptions.IDToken, but Leeway was passing an empty struct, assuming the library would auto-fetch from GitHub Actions environment variables.

Solution: Implemented fetchGitHubOIDCToken() to explicitly retrieve the OIDC token from GitHub Actions using the ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL environment variables with audience=sigstore.

Changes:

  • Added fetchGitHubOIDCToken() function to fetch JWT from GitHub OIDC provider
  • Updated signSLSAAttestation() to call token fetching before Fulcio certificate request
  • Added comprehensive unit tests with mock HTTP server
  • Added error handling for token fetch failures

Related Issue(s)

Fixes https://linear.app/ona-team/issue/CLC-1959/create-leeway-signing-command

How to test

go test -v ./pkg/leeway/signing/... -run TestFetchGitHubOIDCToken

Documentation

No - Internal Leeway implementation fix, no user-facing documentation changes required.

@leodido leodido self-assigned this Oct 10, 2025
geropl
geropl approved these changes Oct 22, 2025
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM ✔️

@leodido leodido force-pushed the ci/support-relese-candidates branch from 55bbfe5 to 4413edf Compare October 24, 2025 14:46
@leodido leodido changed the base branch from ci/support-relese-candidates to main October 24, 2025 15:04
@leodido @ona-agent
fix(signing): explicitly fetch GitHub OIDC token for Sigstore
758f31d 
Sigstore-go does not automatically fetch GitHub OIDC tokens from
environment variables. This commit adds explicit token fetching logic
to resolve signing failures in GitHub Actions.

Changes:
- Add fetchGitHubOIDCToken() to fetch token from GitHub OIDC endpoint
- Update signProvenanceWithSigstore() to use fetched token explicitly
- Add comprehensive unit tests for token fetching with error scenarios
- Use context-aware HTTP requests with 30s timeout

Fixes signing failures where Sigstore expected an explicit IDToken
instead of auto-discovering from ACTIONS_ID_TOKEN_REQUEST_* env vars.

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido force-pushed the fix/fetch-signing-token branch from 8978c5e to 758f31d Compare October 24, 2025 19:00
@leodido @ona-agent
fix(lint): remove unused function and fix unchecked error returns
73245f6 
- Remove unused getEnvOrDefault function
- Add blank identifier assignments for unchecked error returns in test file

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido force-pushed the fix/fetch-signing-token branch from 94d0caa to 73245f6 Compare October 24, 2025 20:06
@leodido leodido merged commit aae072b into main Oct 24, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geropl geropl geropl approved these changes

@aledbf aledbf Awaiting requested review from aledbf

@csweichel csweichel Awaiting requested review from csweichel

@corneliusludmann corneliusludmann Awaiting requested review from corneliusludmann

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leodido @geropl