feat: add ci-tools-discover octo-sts trust policy #2
Open
ClayMav wants to merge 1 commit into
The discover job in ci-tools' sync-templates workflow needs an org-scoped token to list wherobots repos and check each for the `.ci-tools.yml` marker file. octo-sts identities map 1:1 to policy filenames, so the existing sync-templates policy (per-repo write) can't double for this read-only discovery role. Same subject + job_workflow_ref pin as sync-templates.sts.yaml. Permissions reduced to metadata:read + contents:read.
Summary
Adds a second octo-sts trust policy alongside `sync-templates.sts.yaml` to support the discovery job that `wherobots/ci-tools`'s sync-templates workflow is gaining (see wherobots/ci-tools#137).
The discover job needs an org-installation token (`scope: wherobots`) so it can list org repos and check each for a `.ci-tools.yml` marker file. octo-sts identities map 1:1 to policy filenames, so the existing per-repo write policy can't double for this read-only role — and reusing it would over-privilege the discover token (a leaked discover token could open PRs anywhere).
Policy shape
- `subject` + `job_workflow_ref` pin as `sync-templates.sts.yaml` — only the ci-tools sync-templates workflow on main can mint.
- `metadata: read` + `contents: read` only. No write.
- `ci-tools-discover`.
Test plan
- `octo-sts/action@v1.0.3` with `scope: wherobots` + `identity: ci-tools-discover` returns a valid token. Action logs will show the OIDC exchange.
Related
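As an added illustration (not the file from this PR, whose diff is not shown on the page), here is what an octo-sts trust policy with the shape described above looks like, followed by the workflow step from the test plan. The exact `subject` and `job_workflow_ref` values, the policy's location in the org's `.github` repository, and the marker-file check step are assumptions; the page states only that the pin matches `sync-templates.sts.yaml` and that permissions are `metadata: read` + `contents: read`.

```yaml
# Assumed example: .github/chainguard/ci-tools-discover.sts.yaml in the
# wherobots org's .github repository (where octo-sts resolves org-scoped
# identities). Values below are assumptions, not the PR's own file.
issuer: https://token.actions.githubusercontent.com

# Pin to the main-branch OIDC token of the ci-tools repo (assumed value);
# octo-sts matches `subject` exactly, so a PR-ref token does not qualify.
subject: repo:wherobots/ci-tools:ref:refs/heads/main

# Also pin the workflow file, so another workflow in the same repo cannot
# mint this identity (assumed path; claim_pattern values are regular
# expressions, hence the escaped dots).
claim_pattern:
  job_workflow_ref: wherobots/ci-tools/\.github/workflows/sync-templates\.yaml@refs/heads/main

# Least privilege for discovery: list repos and read one marker file.
# No write scopes, so a leaked token cannot open PRs or push.
permissions:
  metadata: read
  contents: read
---
# Assumed example: the discover job in wherobots/ci-tools's sync-templates
# workflow exchanging its OIDC token for the org-scoped installation token
# (this is the test-plan step; the marker-file loop is constructed here).
jobs:
  discover:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required to request the job's GitHub OIDC token
      contents: read
    steps:
      - uses: octo-sts/action@v1.0.3
        id: octo-sts
        with:
          scope: wherobots
          identity: ci-tools-discover
      - name: List org repos and keep those with a .ci-tools.yml marker
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: |
          gh repo list wherobots --limit 1000 --json nameWithOwner -q '.[].nameWithOwner' |
          while read -r repo; do
            # contents:read is enough for this GET; 404 means no marker file
            if gh api "repos/$repo/contents/.ci-tools.yml" >/dev/null 2>&1; then
              echo "$repo"
            fi
          done
```

The two documents are separate files in practice (the policy lives in the org's `.github` repo, the job in `wherobots/ci-tools`); they are shown together so the `identity`/filename mapping and the read-only permission set line up with the test plan. If the token exchange is rejected, the octo-sts action log prints which claim (subject or `job_workflow_ref`) failed to match, which is the quickest way to confirm the pin is as tight as intended.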