derive default OIDC issuer from current tenant

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-04-16 14:48:06 +08:00 · 2024-08-16 10:04:14 -07:00
parent 279e891118
commit fa6cc53297
5 changed files with 41 additions and 23 deletions
--- a/packages/attest/src/oidc.ts
+++ b/packages/attest/src/oidc.ts
@@ -4,6 +4,11 @@ import * as jose from 'jose'

 const OIDC_AUDIENCE = 'nobody'

+const VALID_SERVER_URLS = [
+  'https://github.com',
+  new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
+] as const
+
 const REQUIRED_CLAIMS = [
  'iss',
  'ref',
@@ -25,7 +30,8 @@ type OIDCConfig = {
  jwks_uri: string
 }

-export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
+export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
+  issuer = issuer || getIssuer()
  try {
    const token = await getIDToken(OIDC_AUDIENCE)
    const claims = await decodeOIDCToken(token, issuer)
@@ -82,3 +88,21 @@ function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
    throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
  }
 }
+
+// Derive the current OIDC issuer based on the server URL
+function getIssuer(): string {
+  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
+
+  // Ensure the server URL is a valid GitHub server URL
+  if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
+    throw new Error(`Invalid server URL: ${serverURL}`)
+  }
+
+  let host = new URL(serverURL).hostname
+
+  if (host === 'github.com') {
+    host = 'githubusercontent.com'
+  }
+
+  return `https://token.actions.${host}`
+}