Using the CLI with a public repository

Authentication between the Launchable CLI and Launchable API typically requires an API key. However, API keys cannot be used for open-source projects in public repositories since anyone can retrieve an API key by opening a pull request.

To solve this problem for open-source projects, Launchable offers another authentication mechanism called tokenless authentication. Instead of using a static token, tokenless authentication uses a CI/CD service provider's public API to verify if tests are actually running in CI. With this feature, OSS contributors can analyze and optimize test execution without a static Launchable API token.

Setting up tokenless authentication

Prerequisites

If your project is open source and you want to use Launchable,

• Your open-source project needs to be hosted in a public GitHub repository

• Your open-source project needs to use GitHub Actions for CI

Preparation

1. Sign up and create your Organization and Workspace

2. Contact us to enable tokenless authentication for your project. We need to know your Launchable organization, Launchable workspace, and GitHub repository URL

3. Update your GitHub Actions YAML

4. Start using Launchable in your open-source project

GitHub Actions YAML configuration

After we've enabled tokenless authentication for your project, you must set three environment variables in your CI pipeline:

• LAUNCHABLE_ORGANIZATION: Launchable organization name

• LAUNCHABLE_WORKSPACE: Launchable workspace name

• EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: Set this to 1

Then, add/update the permissions section of your GitHub Actions YAML file.

Tokenless authentication relies on OpenID Connect (OIDC) tokens. To use an OIDC token in GitHub Actions, you need to configure permissions to retrieve it. As described in the GitHub Help Article, id-token: write permission needs to be added.

This permission can be added per job or to the entire workflow:

1name: Verify Launchable tokenless authentication
2
3on:
4  pull_request:
5    paths:
6      - gradle/**
7
8env:
9  LAUNCHABLE_ORGANIZATION: "examples"
10  LAUNCHABLE_WORKSPACE: "gradle"
11  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
12
13permissions:
14  id-token: write
15  contents: read
16
17jobs:
18  build:
19    runs-on: ubuntu-latest
20
21    steps:
22      - uses: actions/checkout@v2
23        with:
24          fetch-depth: 0
25      - uses: actions/setup-python@v2
26      - name: Set up JDK 1.8
27        uses: actions/setup-java@v1
28        with:
29          java-version: 1.8
30
31      - name: Launchable
32        run: |
33          pip3 install --user launchable~=1.0
34          export PATH=~/.local/bin:$PATH
35          launchable verify
36        working-directory: ./gradle

About OpenID Connect (OIDC)

OIDC implementation overview

GitHub now provides a short-lived signed token for each GitHub Actions run (About security hardening with OpenID Connect). This token is signed by GitHub's private key, and we can verify its validity via its public key. This makes the token a security credential that major Cloud providers such as AWS, Azure, and Google Cloud can use as an authentication token. Launchable implemented the same mechanism as these Cloud providers, so we can accept it as a credential.

Frequently Asked Questions

What is included in the OIDC token?

GitHub provides a detailed explanation and example of the OIDC token. See Understanding the OIDC token.

How does Launchable verify the OIDC token?

When you apply for tokenless authentication, we associate your GitHub repository with your Launchable workspace in our internal database.

When you run the CLI, the Launchable API server verifies the OIDC token and checks that the repository claim in it matches the stored association.

Can I see how the CLI handles the OIDC token?

Sure! Check out these commits in the public CLI repository:

1. https://github.com/launchableinc/cli/commit/945597f3fffeb49cd5968ba29054de78505aab61

2. https://github.com/launchableinc/cli/commit/68b06c01607b43bed33b2f774f424f7a8c220af6