mirror of
https://github.com/docker/login-action.git
synced 2026-07-18 20:20:03 +08:00
Add Chainguard registry (cgr.dev) login support
Implement native OIDC-based authentication for Chainguard's container registry, following the same pattern as the existing AWS ECR integration. When registry is set to cgr.dev, the action automatically exchanges a GitHub Actions OIDC token with Chainguard's STS endpoint for a short-lived registry credential, removing the need for chainctl or long-lived pull tokens. New inputs: chainguard (auto/true/false), chainguard-identity. Signed-off-by: Augustus Nguyen <theflash28012002@gmail.com>
This commit is contained in:
parent
4a8376e001
commit
4bcfaae325
9 changed files with 11038 additions and 5741 deletions
41
src/chainguard.ts
Normal file
41
src/chainguard.ts
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
import * as core from '@actions/core';
|
||||
import * as http from '@actions/http-client';
|
||||
|
||||
const chainguardRegistryRegex = /^cgr\.dev$/;
|
||||
|
||||
const DEFAULT_ISSUER = 'https://issuer.enforce.dev';
|
||||
const DEFAULT_AUDIENCE = 'cgr.dev';
|
||||
|
||||
export const isChainguard = (registry: string): boolean => {
|
||||
return chainguardRegistryRegex.test(registry);
|
||||
};
|
||||
|
||||
export interface ChainguardTokenResponse {
|
||||
token: string;
|
||||
}
|
||||
|
||||
export const getRegistryToken = async (identity: string, issuerURL?: string): Promise<{username: string; password: string}> => {
|
||||
const issuer = issuerURL || DEFAULT_ISSUER;
|
||||
|
||||
core.info('Requesting GitHub Actions OIDC token...');
|
||||
const oidcToken = await core.getIDToken(DEFAULT_AUDIENCE);
|
||||
|
||||
core.info(`Exchanging OIDC token with Chainguard (${issuer})...`);
|
||||
const client = new http.HttpClient('docker-login-action');
|
||||
const url = `${issuer}/sts/exchange?aud=${encodeURIComponent(DEFAULT_AUDIENCE)}&identity=${encodeURIComponent(identity)}`;
|
||||
const response = await client.getJson<ChainguardTokenResponse>(url, {
|
||||
Authorization: `Bearer ${oidcToken}`
|
||||
});
|
||||
|
||||
if (response.statusCode !== 200 || !response.result?.token) {
|
||||
throw new Error(`Failed to exchange OIDC token with Chainguard (HTTP ${response.statusCode})`);
|
||||
}
|
||||
|
||||
const token = response.result.token;
|
||||
core.setSecret(token);
|
||||
|
||||
return {
|
||||
username: 'user',
|
||||
password: token
|
||||
};
|
||||
};
|
||||
Loading…
Add table
Add a link
Reference in a new issue