
Crate cellos_broker_oidc

SecretBroker that resolves GitHub Actions OIDC tokens.

When a CI job runs with permissions: id-token: write, GitHub injects two environment variables:

  • ACTIONS_ID_TOKEN_REQUEST_URL — endpoint to request a signed OIDC JWT
  • ACTIONS_ID_TOKEN_REQUEST_TOKEN — bearer token to authenticate the request

Usage

In spec.authority.secretRefs, list the logical secret alias that the workload will read (for example AWS_WEB_IDENTITY). The requested OIDC audience still comes from spec.identity.audience.

{ "secretRefs": ["AWS_WEB_IDENTITY"] }

The broker calls:

GET {ACTIONS_ID_TOKEN_REQUEST_URL}&audience={key}
Authorization: Bearer {ACTIONS_ID_TOKEN_REQUEST_TOKEN}

and returns the signed JWT as the secret value. The cell workload then uses this JWT to authenticate with AWS STS AssumeRoleWithWebIdentity, GCP Workload Identity Federation, or any other OIDC-aware identity provider.

Revocation

revoke_for_cell is a no-op. OIDC tokens are short-lived (5 minutes for GitHub) and audience-scoped. Isolation relies on token TTL and the cell model’s teardown semantics.

Timeout contract (BROKER-OIDC-TIMEOUT)

The reqwest client is built with bounded request and connect timeouts so a hung GitHub Actions ID-token endpoint cannot stall a cell's secret-resolve phase indefinitely. The defaults are DEFAULT_REQUEST_TIMEOUT_MS and DEFAULT_CONNECT_TIMEOUT_MS; each can be overridden through the env var named by ENV_REQUEST_TIMEOUT_MS and ENV_CONNECT_TIMEOUT_MS respectively.

Both env vars accept a positive u64 count of milliseconds; unset, unparseable or zero values fall back to the default. The client is never constructed without explicit timeouts.
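The request shape from the Usage section and the timeout contract above, as an added example that is not the crate's own code. The DEFAULT_* values and the `_from` helper are assumptions; the crate's real defaults and env var string names are not shown on this page, and the percent-encoding of the audience is a conservative addition so a stray `&` or `#` in an audience cannot append extra query parameters.

```rust
use std::env;

// Assumed defaults; the crate's actual DEFAULT_* constants are not shown on the page.
pub const DEFAULT_REQUEST_TIMEOUT_MS: u64 = 10_000;
pub const DEFAULT_CONNECT_TIMEOUT_MS: u64 = 3_000;

/// Timeout contract: the raw env value must parse as a positive u64 count of
/// milliseconds; unset, unparseable or zero values fall back to the default.
pub fn resolve_timeout_ms_from(raw: Option<&str>, default_ms: u64) -> u64 {
    match raw.map(str::trim).and_then(|s| s.parse::<u64>().ok()) {
        Some(ms) if ms > 0 => ms,
        _ => default_ms,
    }
}

/// Reads the named env var and applies the contract above (hypothetical wrapper).
pub fn resolve_timeout_ms(var: &str, default_ms: u64) -> u64 {
    resolve_timeout_ms_from(env::var(var).ok().as_deref(), default_ms)
}

/// Builds the request the broker issues:
///   GET {ACTIONS_ID_TOKEN_REQUEST_URL}&audience={key}
///   Authorization: Bearer {ACTIONS_ID_TOKEN_REQUEST_TOKEN}
/// Returns (url, authorization header value). The injected URL already carries a
/// query string, which is why the audience is appended with `&` rather than `?`.
pub fn build_token_request(
    request_url: &str,
    request_token: &str,
    audience: &str,
) -> Result<(String, String), String> {
    if request_url.is_empty() || request_token.is_empty() {
        return Err("ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN not injected; did the job set id-token: write?".into());
    }
    // Percent-encode everything outside RFC 3986 unreserved characters so the
    // audience cannot smuggle additional query parameters or a fragment.
    let mut encoded = String::with_capacity(audience.len());
    for b in audience.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => encoded.push(b as char),
            _ => encoded.push_str(&format!("%{:02X}", b)),
        }
    }
    Ok((format!("{request_url}&audience={encoded}"), format!("Bearer {request_token}")))
}

fn main() {
    let req_ms = resolve_timeout_ms("CELLOS_EXAMPLE_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS);
    let conn_ms = resolve_timeout_ms("CELLOS_EXAMPLE_CONNECT_TIMEOUT_MS", DEFAULT_CONNECT_TIMEOUT_MS);
    println!("request timeout {req_ms} ms, connect timeout {conn_ms} ms");
}
```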

Correlation propagation (Tranche-1 seam-freeze G1)

GitHub Actions injects GITHUB_RUN_ID and related identifiers as ambient env, but this broker scopes itself to the OIDC token request only and does not promote those identifiers into broker-level correlation today. SecretBroker::broker_correlation_id therefore returns None here; the supervisor falls back to the operator-supplied spec.correlation.correlationId (or the externalRunId / externalJobId already present in spec.correlation) for cross-tool correlation. A future revision may surface the OIDC jti claim as the broker correlation ID once consumer tools (taudit, tencrypt) have committed to a urn:cellos:oidc:<jti> shape.

Structs

GithubActionsOidcBroker
Fetches a GitHub Actions OIDC JWT for the given audience.

Constants

DEFAULT_CONNECT_TIMEOUT_MS
Default TCP connect timeout (ms) for the underlying reqwest client.
DEFAULT_REQUEST_TIMEOUT_MS
Default total request timeout (ms) applied to every OIDC token request.
ENV_CONNECT_TIMEOUT_MS
Env var to override DEFAULT_CONNECT_TIMEOUT_MS.
ENV_REQUEST_TIMEOUT_MS
Env var to override DEFAULT_REQUEST_TIMEOUT_MS.

Functions

resolve_timeout_ms
Resolve a timeout in milliseconds from the named env var.