Updating tokenless authentication to use GitHub OIDC
How to migrate to the new authentication method for public repos using Launchable.
Tokenless authentication is Launchable's specialized authentication method for public repositories that use GitHub Actions for CI.
To make this method more scalable and secure, we are updating it to use OpenID Connect (OIDC). This change requires action on your part.
OIDC implementation overview
GitHub now provides a short-lived signed token for each GitHub Actions run (About security hardening with OpenID Connect). This token is signed with GitHub's private key, and its validity can be verified with GitHub's public key. This makes the token a security credential that major cloud providers such as AWS, Azure, and Google Cloud accept as an authentication token. Launchable implemented the same mechanism as these cloud providers, so we can now accept it as a credential too.
The new implementation of tokenless authentication provides the same benefit as the previous one: no API key is needed.
However, on top of that, the new implementation provides more security, since it uses a verifiable short-lived token. It also helps Launchable scale and remain stable. Because the previous implementation involved calling GitHub APIs, the authentication process occasionally hit the GitHub API rate limit, resulting in request failures. With the new implementation, we no longer need to call the GitHub API at all, which makes the service more stable.
To migrate to the new implementation, follow these steps:
1. Upgrade the CLI. The new OIDC-based authentication is supported from CLI v1.52.0. If you typically install the latest CLI using pip3 install --upgrade, you will get the necessary version automatically. Otherwise, upgrade to the latest version.
2. Add the id-token: write permission to the permissions section of your GitHub Actions YAML file (see GitHub Actions Permissions below).
3. Add a new EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH environment variable and set it to 1 to enable the new auth implementation.
4. Remove the GITHUB_PR_HEAD_SHA environment variable. It is no longer needed.
5. Keep the LAUNCHABLE_ORGANIZATION and LAUNCHABLE_WORKSPACE environment variables that were already set.
Environment variables summary
| Variable | API implementation (original) | OIDC implementation (new) |
| --- | --- | --- |
| LAUNCHABLE_ORGANIZATION | set | keep as is |
| LAUNCHABLE_WORKSPACE | set | keep as is |
| GITHUB_PR_HEAD_SHA | set | remove (no longer needed) |
| EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH | not set | set to 1 |
GitHub Actions Permissions
To use the OIDC token in GitHub Actions, you need to configure the permission that allows the job to retrieve it. As described in the GitHub help article, the id-token: write permission needs to be added.
This permission can be added per job or to the entire workflow.
```yaml
name: Verify Launchable tokenless authentication
on:
  pull_request:
    paths:
      - gradle/**
env:
  LAUNCHABLE_ORGANIZATION: "examples"
  LAUNCHABLE_WORKSPACE: "gradle"
  # Opt in to the OIDC-based tokenless authentication
  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
permissions:
  # Required so the job can request a GitHub OIDC token
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v2
      - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
          java-version: 1.8
      - name: Launchable
        run: |
          pip3 install --user launchable~=1.0
          export PATH=~/.local/bin:$PATH
          launchable verify
        working-directory: ./gradle
```
Frequently Asked Questions
What is included in the OIDC token?
GitHub provides a detailed explanation and example of the OIDC token. See Understanding the OIDC token.
How does Launchable verify the OIDC token?
When you apply for tokenless authentication, we associate your GitHub repository with your Launchable workspace in our internal database. When you run the CLI, the Launchable API server verifies the OIDC token and checks that the repository claim in it matches the stored association.
Can I see how the CLI handles the OIDC token?
Sure! Check out these commits in the public CLI repository: