forked from scitt-community/scitt-api-emulator
-
Notifications
You must be signed in to change notification settings - Fork 0
80 lines (78 loc) · 2.64 KB
/
notarize_reusable.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: "SCITT Notary"
on:
push:
branches:
- main
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
workflow_dispatch:
inputs:
scitt-url:
description: 'URL of SCITT instance'
type: string
payload:
description: 'Payload for claim'
default: ''
type: string
workflow_call:
inputs:
scitt-url:
description: 'URL of SCITT instance'
type: string
payload:
description: 'Payload for claim'
type: string
jobs:
notarize:
runs-on: ubuntu-latest
permissions:
id-token: write
env:
SCITT_URL: '${{ inputs.scitt-url || github.event.inputs.scitt-url || "http://localhost:8080" }}'
PAYLOAD: '${{ inputs.payload || github.event.inputs.payload || "{\"key\": \"value\"}" }}'
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.8
uses: actions/setup-python@v4
with:
python-version: 3.8
- name: Install SCITT API Emulator
run: |
pip install -U pip setuptools wheel
pip install .[oidc]
- name: Install github-script dependencies
run: |
npm install @actions/core
- name: Get OIDC token to use as bearer token for auth to SCITT
uses: actions/github-script@v6
id: github-oidc
with:
script: |
const {SCITT_URL} = process.env;
const coredemo = require('@actions/core');
coredemo.setOutput('token', await coredemo.getIDToken(SCITT_URL));
- name: Create claim
run: |
scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload "${PAYLOAD}" --out claim.cose
- name: Submit claim
env:
OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
run: |
# Create the middleware config file
cat > oidc-middleware-config.json <<EOF
{
"issuer": "https://token.actions.githubusercontent.com",
"audience": "${SCITT_URL}"
}
EOF
# Start SCITT using the `OIDCAuthMiddleware` and associated config.
if [[ "x${SCITT_URL}" != "http://localhost:8080" ]]; then
scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
--middleware scitt_emulator.oidc:OIDCAuthMiddleware \
--middleware-config-path oidc-middleware-config.json &
fi
# Submit the claim using OIDC token as auth
scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor