25342198270

Committed 04 May 2026 08:36PM UTC coverage: 60.442% (+2.1%) from 58.3%

Build # 25342198270

Build Type

Pull #6253

github

Committed by

web-flow

Commit Message

Merge 537c7f40e into 1347d06af

Pull Request Pull Request #6253: Update roadmap for 2026 (and possibly beyond)

Coverage Stats

20396 of 33745 relevant lines covered (60.44%)

38.95 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.0

/internal/auth/githubactions/githubactions.go

// SPDX-FileCopyrightText: Copyright 2025 The Minder Authors
// SPDX-License-Identifier: Apache-2.0

// Package githubactions provides an implementation of the GitHub IdentityProvider.
package githubactions

import (
        "context"
        "errors"
        "net/url"
        "strings"

        "github.com/lestrrat-go/jwx/v2/jwt"

        "github.com/mindersec/minder/internal/auth"
)

// GitHubActions is an implementation of the auth.IdentityProvider interface.
type GitHubActions struct {
}

var _ auth.IdentityProvider = (*GitHubActions)(nil)
var _ auth.Resolver = (*GitHubActions)(nil)

var ghIssuerUrl = url.URL{
        Scheme: "https",
        Host:   "token.actions.githubusercontent.com",
}

// String implements auth.IdentityProvider.
func (*GitHubActions) String() string {
        return "githubactions"
}

// URL implements auth.IdentityProvider.
func (*GitHubActions) URL() url.URL {
        return ghIssuerUrl
}

// Resolve implements auth.IdentityProvider.
func (gha *GitHubActions) Resolve(_ context.Context, id string) (*auth.Identity, error) {
        // GitHub Actions subjects look like:
        // repo:evankanderson/actions-id-token-testing:ref:refs/heads/main
        // however, OpenFGA does not allow the "#" or ":" characters in the subject:
        // https://github.com/openfga/openfga/blob/main/pkg/tuple/tuple.go#L34
        return &auth.Identity{
                UserID:    strings.ReplaceAll(id, ":", "+"),
                HumanName: strings.ReplaceAll(id, "+", ":"),
                Provider:  gha,
        }, nil
}

// ResolveFederated implements auth.IdentityProvider.
func (*GitHubActions) ResolveFederated(_ context.Context, _, _ string) (*auth.Identity, error) {
        return nil, auth.ErrNotFound
}

// Validate implements auth.IdentityProvider.
func (gha *GitHubActions) Validate(_ context.Context, token jwt.Token) (*auth.Identity, error) {
        expectedUrl := gha.URL()
        if token.Issuer() != expectedUrl.String() {
                return nil, errors.New("token issuer is not the expected issuer")
        }
        return &auth.Identity{
                UserID:    strings.ReplaceAll(token.Subject(), ":", "+"),
                HumanName: token.Subject(),
                Provider:  gha,
        }, nil
}

1	// SPDX-FileCopyrightText: Copyright 2025 The Minder Authors
2	// SPDX-License-Identifier: Apache-2.0
3
4	// Package githubactions provides an implementation of the GitHub IdentityProvider.
5	package githubactions
6
7	import (
8	"context"
9	"errors"
10	"net/url"
11	"strings"
12
13	"github.com/lestrrat-go/jwx/v2/jwt"
14
15	"github.com/mindersec/minder/internal/auth"
16	)
17
18	// GitHubActions is an implementation of the auth.IdentityProvider interface.
19	type GitHubActions struct {
20	}
21
22	var _ auth.IdentityProvider = (*GitHubActions)(nil)
23	var _ auth.Resolver = (*GitHubActions)(nil)
24
25	var ghIssuerUrl = url.URL{
26	Scheme: "https",
27	Host: "token.actions.githubusercontent.com",
28	}
29
30	// String implements auth.IdentityProvider.
31	func (*GitHubActions) String() string {	37✔
32	return "githubactions"	37✔
33	}	37✔
34
35	// URL implements auth.IdentityProvider.
36	func (*GitHubActions) URL() url.URL {	2✔
37	return ghIssuerUrl	2✔
38	}	2✔
39
40	// Resolve implements auth.IdentityProvider.
41	func (gha GitHubActions) Resolve(_ context.Context, id string) (auth.Identity, error) {	2✔
42	// GitHub Actions subjects look like:	2✔
43	// repo:evankanderson/actions-id-token-testing:ref:refs/heads/main	2✔
44	// however, OpenFGA does not allow the "#" or ":" characters in the subject:	2✔
45	// https://github.com/openfga/openfga/blob/main/pkg/tuple/tuple.go#L34	2✔
46	return &auth.Identity{	2✔
47	UserID: strings.ReplaceAll(id, ":", "+"),	2✔
48	HumanName: strings.ReplaceAll(id, "+", ":"),	2✔
49	Provider: gha,	2✔
50	}, nil	2✔
51	}	2✔
52
53	// ResolveFederated implements auth.IdentityProvider.
54	func (GitHubActions) ResolveFederated(_ context.Context, _, _ string) (auth.Identity, error) {	×
55	return nil, auth.ErrNotFound	×
56	}	×
57
58	// Validate implements auth.IdentityProvider.
59	func (gha GitHubActions) Validate(_ context.Context, token jwt.Token) (auth.Identity, error) {	2✔
60	expectedUrl := gha.URL()	2✔
61	if token.Issuer() != expectedUrl.String() {	3✔
62	return nil, errors.New("token issuer is not the expected issuer")	1✔
63	}	1✔
64	return &auth.Identity{	1✔
65	UserID: strings.ReplaceAll(token.Subject(), ":", "+"),	1✔
66	HumanName: token.Subject(),	1✔
67	Provider: gha,	1✔
68	}, nil	1✔
69	}

mindersec / minder / 25342198270

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous