
/// Repository visibility as carried by the `repository_visibility` claim.
///
/// The named variants correspond to the documented values (`internal`,
/// `private`, `public`). Any other string is kept verbatim in
/// [`Visibility::Other`] instead of failing deserialization.
///
/// NOTE(review): authorization policy should match on an explicit named
/// variant and treat `Other` as unknown. A negative check such as
/// `!= Visibility::Public` also accepts `Other`, which is probably not intended.
#[derive(Debug, Clone, PartialEq, Eq)]
#[derive(serde::Serialize, serde::Deserialize)]
pub enum Visibility {
    /// Wire value `"internal"`.
    #[serde(rename = "internal")]
    Internal,
    /// Wire value `"private"`.
    #[serde(rename = "private")]
    Private,
    /// Wire value `"public"`.
    #[serde(rename = "public")]
    Public,
    /// Catch-all for any value not listed above, stored as received.
    /// Kept last so the named variants are tried first.
    #[serde(untagged)]
    Other(String),
}
10
/// Runner type as carried by the `runner_environment` claim.
///
/// The named variants correspond to the documented values (`github-hosted`,
/// `self-hosted`). Any other string is kept verbatim in
/// [`RunnerEnvironment::Other`] instead of failing deserialization.
///
/// NOTE(review): a policy that cares about the runner's trust level should
/// require the explicit variant it accepts (e.g. `== GithubHosted`) rather
/// than exclude one (`!= SelfHosted`), because `Other` passes the latter.
#[derive(Debug, Clone, PartialEq, Eq)]
#[derive(serde::Serialize, serde::Deserialize)]
pub enum RunnerEnvironment {
    /// Wire value `"github-hosted"`.
    #[serde(rename = "github-hosted")]
    GithubHosted,
    /// Wire value `"self-hosted"`.
    #[serde(rename = "self-hosted")]
    SelfHosted,
    /// Catch-all for any value not listed above, stored as received.
    /// Kept last so the named variants are tried first.
    #[serde(untagged)]
    Other(String),
}
19
/// The claim set carried by a GitHub Actions OIDC token.
///
/// Based on
/// https://web.archive.org/web/20230602040457/https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
///
/// This is a plain data type: deserializing a token payload into it performs
/// no validation whatsoever. The JWT signature, `iss`, `aud`, `exp`/`nbf`, and
/// `sub` (or the finer-grained repository/ref/workflow claims) must be verified
/// by the caller before any field is used for an authorization decision.
///
/// With the default serde derive as written here, claims not listed below are
/// silently ignored, `Option` fields may be absent from the payload, and every
/// other field is required (deserialization fails if it is missing).
#[derive(serde::Serialize, serde::Deserialize, PartialEq, Clone, Debug)]
pub struct Claims {
    // Standard JWT claims. The original author marked these "Mandatory(?)";
    // they are modelled as required fields here.
    /// Audience
    /// By default, this is the URL of the repository owner, such as the organization that owns the repository. This is the only claim that can be customized. You can set a custom audience with a toolkit command: core.getIDToken(audience)
    ///
    /// NOTE(review): because the workflow can choose this value, a relying
    /// party must compare it against the audience it expects; it is not
    /// evidence of anything about the caller on its own.
    pub aud: String,
    /// Issuer
    /// The issuer of the OIDC token: https://token.actions.githubusercontent.com
    ///
    /// Compare this exactly against the documented issuer before trusting the
    /// remaining claims.
    pub iss: String,
    /// Subject
    /// Defines the subject claim that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.
    ///
    /// NOTE(review): GitHub documents several `sub` layouts depending on the
    /// triggering context — confirm against the linked page, and prefer an
    /// exact match (or the individual claims below) over substring matching.
    pub sub: String,

    /// Expires at
    /// Identifies the expiry time of the JWT.
    /// Stored as `f64`; presumably seconds since the Unix epoch (JWT
    /// NumericDate) — `make_dummy` uses values of that magnitude. Nothing in
    /// this type enforces it.
    pub exp: f64,
    /// Issued at
    /// The time when the JWT was issued. Same representation as `exp`.
    pub iat: f64,
    /// JWT token identifier
    /// Unique identifier for the OIDC token.
    pub jti: String,
    /// Not before
    /// JWT is not valid for use before this time. Same representation as `exp`.
    pub nbf: f64,

    // GitHub-specific claims
    /// The personal account that initiated the workflow run.
    /// NOTE(review): account names are presumably renameable; prefer
    /// `actor_id` for policy decisions — confirm against GitHub docs.
    pub actor: String,
    /// The ID of personal account that initiated the workflow run.
    /// Modelled as a string, matching how it appears in the token payload.
    pub actor_id: String,
    /// The target branch of the pull request in a workflow run.
    /// Required here; for non-pull-request events it is presumably present
    /// but empty rather than absent — confirm.
    pub base_ref: String,
    /// The name of the environment used by the job. To include the environment claim you must reference an environment.
    /// `None` when the claim is absent from the payload.
    pub environment: Option<String>,
    /// The name of the event that triggered the workflow run.
    pub event_name: String,
    /// The source branch of the pull request in a workflow run.
    /// Same presence caveat as `base_ref`.
    pub head_ref: String,
    /// For jobs using a reusable workflow, the ref path to the reusable workflow. For more information, see "Using OpenID Connect with reusable workflows."
    /// `None` when the claim is absent from the payload.
    pub job_workflow_ref: Option<String>,
    /// For jobs using a reusable workflow, the commit SHA for the reusable workflow file.
    /// `None` when the claim is absent from the payload.
    pub job_workflow_sha: Option<String>,
    /// (Reference) The git ref that triggered the workflow run.
    /// Called "ref" in the raw claim, but we can't use that because it's a Rust keyword.
    #[serde(rename = "ref")]
    pub git_ref: String,
    /// The type of ref, for example: "branch".
    pub ref_type: String,
    /// The visibility of the repository where the workflow is running. Accepts the following values: internal, private, or public.
    /// Any other value lands in `Visibility::Other`.
    pub repository_visibility: Visibility,
    /// The repository from where the workflow is running.
    /// NOTE(review): repositories can presumably be renamed or transferred;
    /// `repository_id` is the stable identifier to pin policy on — confirm.
    pub repository: String,
    /// The ID of the repository from where the workflow is running.
    /// Modelled as a string, matching how it appears in the token payload.
    pub repository_id: String,
    /// The name of the organization in which the repository is stored.
    /// Same caveat as `repository`: prefer `repository_owner_id` for policy.
    pub repository_owner: String,
    /// The ID of the organization in which the repository is stored.
    pub repository_owner_id: String,
    /// The ID of the workflow run that triggered the workflow.
    pub run_id: String,
    /// The number of times this workflow has been run.
    /// Modelled as a string, matching how it appears in the token payload.
    pub run_number: String,
    /// The number of times this workflow run has been retried.
    /// Modelled as a string, matching how it appears in the token payload.
    pub run_attempt: String,
    /// The type of runner used by the job. Accepts the following values: github-hosted or self-hosted.
    /// Any other value lands in `RunnerEnvironment::Other`.
    pub runner_environment: RunnerEnvironment,
    /// The name of the workflow.
    pub workflow: String,
    /// The ref path to the workflow. For example, octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch.
    /// NOTE(review): the example shows the ref includes the branch the
    /// workflow file came from, so a policy that pins a workflow file should
    /// check the whole value (repository, path and ref), not just the path.
    pub workflow_ref: String,
    /// The commit SHA for the workflow file.
    pub workflow_sha: String,
}
96
impl Claims {
    /// Build a fully populated claim set for use in tests.
    ///
    /// Every string claim is empty except `git_ref`, `ref_type` and
    /// `run_attempt`; the enum claims are `Visibility::Public` and
    /// `RunnerEnvironment::GithubHosted`; every `Option` claim is `None`.
    /// The result does not resemble a GitHub-issued token very closely, so
    /// callers will usually need to adjust fields before using it.
    ///
    /// NOTE(review): `iss`, `aud` and `sub` are empty, so a validator that
    /// compares them against expected values rejects this token unless the
    /// caller fills them in — which is the safe default for a test fixture.
    pub fn make_dummy() -> Self {
        // Fixed timestamps in seconds since the Unix epoch: issued/valid-from
        // at a point in 2023, and an expiry roughly a thousand years out so
        // the fixture never goes stale. Because `exp` is effectively never
        // reached, do not use this helper to test that expiry is enforced.
        const ISSUED_AT: f64 = 1690366107f64;
        const EXPIRES_AT: f64 = 33247274880f64;
        let empty = String::new;

        Claims {
            aud: empty(),
            iss: empty(),
            sub: empty(),
            exp: EXPIRES_AT,
            iat: ISSUED_AT,
            jti: empty(),
            nbf: ISSUED_AT,
            actor: empty(),
            actor_id: empty(),
            base_ref: empty(),
            environment: None,
            event_name: empty(),
            head_ref: empty(),
            job_workflow_ref: None,
            job_workflow_sha: None,
            git_ref: String::from("refs/heads/main"),
            ref_type: String::from("branch"),
            repository_visibility: Visibility::Public,
            repository: empty(),
            repository_id: empty(),
            repository_owner: empty(),
            repository_owner_id: empty(),
            run_id: empty(),
            run_number: empty(),
            run_attempt: String::from("1"),
            runner_environment: RunnerEnvironment::GithubHosted,
            workflow: empty(),
            workflow_ref: empty(),
            workflow_sha: empty(),
        }
    }
}
133}