feat(test): create token on the fly #374
Pull Request Overview
This PR introduces a new GitHub Action that fetches ephemeral GitHub tokens from Vault using OIDC authentication. The action generates a unique role name based on the workflow reference and retrieves tokens dynamically.
- Adds a new composite action for token retrieval from Vault
- Creates documentation and test workflow for the new action
- Updates the no-test workflow to exclude the new action from testing
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| elastic/token/action.yml | Main action implementation for token retrieval from Vault |
| elastic/token/README.md | Documentation and usage examples for the new action |
| .github/workflows/test-fetch-token.yml | Test workflow to validate the token action |
| .github/workflows/no-test.yml | Excludes elastic/token from no-test workflow |
tests docs
ea32f85 to
fc48e08
Compare
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| skip-token-revoke: | ||
| description: 'Revoke the Vault token on exit' | ||
| default: false |
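Review bot: The description on `skip-token-revoke` contradicts the input name: the name says revocation is skipped when the input is set, while the description reads 'Revoke the Vault token on exit', so with `default: false` a caller cannot tell from this block whether the token ends up revoked. Reword the description to match the name, for example 'Skip revoking the Vault token on exit', and quote the default as `'false'` since action inputs are passed as strings.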
Copilot
AI
Oct 8, 2025
The 'skip-token-revoke' input is defined but never used in the action steps. Either implement the token revocation logic or remove this unused input parameter.
| skip-token-revoke: | |
| description: 'Revoke the Vault token on exit' | |
| default: false |
Co-authored-by: Copilot <[email protected]>
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
elastic/token/action.yml
Outdated
| echo "Workflow ref: $GITHUB_WORKFLOW_REF" | ||
|
|
||
| # Generate role name using SHA-256 hash of workflow_ref | ||
| WORKFLOW_HASH=$(echo -n "$GITHUB_WORKFLOW_REF" | sha256sum | cut -c1-12) |
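Review bot: The hash input on the `WORKFLOW_HASH` line is the whole `GITHUB_WORKFLOW_REF`, which ends in `@<git ref>`, so the same workflow file run from another branch or tag yields a different role name. If one role per workflow file is intended, hash only the part before `@`; if per-ref roles are intended, say so in the comment above the line. `printf '%s'` would also be a more portable replacement for `echo -n` here.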
Copilot
AI
Oct 10, 2025
Using only the first 12 characters of a SHA-256 hash creates a risk of collisions. Consider using a longer hash (e.g., 16-20 characters) or the full hash to ensure uniqueness across different workflows.
| WORKFLOW_HASH=$(echo -n "$GITHUB_WORKFLOW_REF" | sha256sum | cut -c1-12) | |
| WORKFLOW_HASH=$(echo -n "$GITHUB_WORKFLOW_REF" | sha256sum | cut -c1-20) |
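To put numbers on the truncation concern raised in the comment above, here is an added example (not code from this pull request) that reproduces the `sha256sum | cut -c1-N` derivation, estimates the collision chance with the birthday bound, and checks an inventory of workflow refs for suffixes shared by two workflows. The function names and the `SAMPLE_REFS` inventory are constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict


def role_suffix(workflow_ref: str, n_hex: int) -> str:
    """Same derivation as the action step: SHA-256 of the ref, first n_hex hex chars."""
    return hashlib.sha256(workflow_ref.encode()).hexdigest()[:n_hex]


def collision_probability(n_workflows: int, n_hex: int) -> float:
    """Birthday bound: chance that any two of n_workflows share a suffix."""
    pairs = n_workflows * (n_workflows - 1) / 2
    return -math.expm1(-pairs / 16 ** n_hex)


def find_collisions(workflow_refs, n_hex: int) -> dict:
    """Group distinct refs by suffix and return only suffixes shared by 2+ refs."""
    groups = defaultdict(set)
    for ref in workflow_refs:
        groups[role_suffix(ref, n_hex)].add(ref)
    return {s: sorted(r) for s, r in groups.items() if len(r) > 1}


# Constructed inventory: 17 workflow refs in a made-up organisation.
SAMPLE_REFS = [
    f"example-org/repo-{i}/.github/workflows/ci.yml@refs/heads/main"
    for i in range(17)
]

if __name__ == "__main__":
    for n_hex in (12, 20):
        p = collision_probability(10_000, n_hex)
        print(f"{n_hex} hex chars, 10,000 workflows: p(collision) ~ {p:.2e}")
    # One hex char has 16 values, so 17 refs must collide (pigeonhole).
    print("collisions at 1 hex char:", len(find_collisions(SAMPLE_REFS, 1)))
    print("collisions at 12 hex chars:", find_collisions(SAMPLE_REFS, 12))
```

Running `find_collisions` over the real list of workflow refs before roles are provisioned turns the probabilistic argument into a direct check that no two workflows derive the same role name.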
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: ./elastic/github-token |
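Review bot: `actions/checkout@v5` is referenced by a mutable tag in a job that grants `id-token: write`, so whatever that tag resolves to runs in a job able to request an OIDC token. Pin the action to a full commit SHA and keep the version as a trailing comment.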
Copilot
AI
Oct 10, 2025
The action path './elastic/token' is incorrect. It should be './elastic/github-token' to match the actual directory structure of the action being tested.
| - uses: ./elastic/github-token | |
| - uses: ./elastic/github-token |
No description provided.