-
-
Notifications
You must be signed in to change notification settings - Fork 4
GitHub Actions OIDC token fallback #25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
- Fetch fresh GA token with audience=sigstore when available - Fall back to provided token if GA environment unavailable - Minimal change: only reqwest dep + sign.rs GA token logic - No vendoring, no bloat—just 40 lines of code
- Fetch fresh GA token with audience=sigstore when available - Vendor sigstore 0.13.0 with relaxed JWT parsing (flexible audience/exp/nbf) - Fall back to provided token if GA environment unavailable - Prefer fresh GA token over supplied token in CI environments
Important
Review skipped
Draft detected.
Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
✨ Finishing touches
🧪 Generate unit tests (beta)
- Create PR with unit tests
- Post copyable unit tests in a comment
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
First, thanks for the pdf-sign project. I'm attempting to integrate this with a GitHub Action. But had trouble with OIDC. I believe there is an upstream problem with the sigstore bundle but I'm a bit out of my depth. I'm proposing as a draft for review. I had help from copilot and it 'works' on my workflow but needs another set of eyes...