feat: add OIDC workload identity federation support (#10481)

Add support for OIDC workload identity federation. Add ID_TOKEN_SIGNING_ALGORITHM, ID_TOKEN_SIGNING_PRIVATE_KEY_FILE, and ID_TOKEN_EXPIRATION_TIME settings to settings.actions to allow for admin configuration of this functionality. Add OIDC endpoints (/.well-known/openid-configuration and /.well-known/keys) underneath the "/api/actions" route. Add a token generation endpoint (/_apis/pipelines/workflows/{run_id}/idtoken) underneath the "/api/actions" route. Depends on: https://code.forgejo.org/forgejo/runner/pulls/1232 Docs PR: https://codeberg.org/forgejo/docs/pulls/1667 Signed-off-by: Mario Minardi <mminardi@shaw.ca> ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10481 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Mario Minardi <mminardi@shaw.ca> Co-committed-by: Mario Minardi <mminardi@shaw.ca>
2026-05-12 22:10:25 +00:00 · 2026-01-15 03:39:00 +01:00 · 2026-01-15 03:39:00 +01:00 · c84cbd56a1
commit c84cbd56a1
parent f6ca985739
24 changed files with 1478 additions and 313 deletions
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@ -5,8 +5,11 @@ package setting

 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 	"time"
+
+	"forgejo.org/modules/jwtx"
 )

 // Actions settings
@ -25,12 +28,18 @@ var (
 		SkipWorkflowStrings          []string          `ini:"SKIP_WORKFLOW_STRINGS"`
 		LimitDispatchInputs          int64             `ini:"LIMIT_DISPATCH_INPUTS"`
 		ConcurrencyGroupQueueEnabled bool              `ini:"CONCURRENCY_GROUP_QUEUE_ENABLED"`
+		IDTokenSigningAlgorithm      idTokenAlgorithm  `ini:"ID_TOKEN_SIGNING_ALGORITHM"`
+		IDTokenSigningPrivateKeyFile string            `ini:"ID_TOKEN_SIGNING_PRIVATE_KEY_FILE"`
+		IDTokenExpirationTime        int64             `ini:"ID_TOKEN_EXPIRATION_TIME"`
 	}{
 		Enabled:                      true,
 		DefaultActionsURL:            defaultActionsURLForgejo,
 		SkipWorkflowStrings:          []string{"[skip ci]", "[ci skip]", "[no ci]", "[skip actions]", "[actions skip]"},
 		LimitDispatchInputs:          100,
 		ConcurrencyGroupQueueEnabled: true,
+		IDTokenSigningAlgorithm:      "RS256",
+		IDTokenSigningPrivateKeyFile: "actions_id_token/private.pem",
+		IDTokenExpirationTime:        3600,
 	}
 )

@ -67,6 +76,13 @@ func (c logCompression) IsZstd() bool {
 	return c == "" || strings.ToLower(string(c)) == "zstd"
 }

+type idTokenAlgorithm string
+
+func (c idTokenAlgorithm) IsValid() bool {
+	// Empty string implies RS256
+	return jwtx.IsValidAsymmetricAlgorithm(string(c)) || string(c) == ""
+}
+
 func loadActionsFrom(rootCfg ConfigProvider) error {
 	sec := rootCfg.Section("actions")
 	err := sec.MapTo(&Actions)
@ -104,5 +120,13 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 		return fmt.Errorf("invalid [actions] LOG_COMPRESSION: %q", Actions.LogCompression)
 	}

+	if !Actions.IDTokenSigningAlgorithm.IsValid() {
+		return fmt.Errorf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm)
+	}
+
+	if !filepath.IsAbs(Actions.IDTokenSigningPrivateKeyFile) {
+		Actions.IDTokenSigningPrivateKeyFile = filepath.Join(AppDataPath, Actions.IDTokenSigningPrivateKeyFile)
+	}
+
 	return nil
 }
--- a/modules/setting/actions_test.go
+++ b/modules/setting/actions_test.go
@ -7,6 +7,8 @@ import (
 	"path/filepath"
 	"testing"

+	"forgejo.org/modules/test"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@ -155,3 +157,62 @@ DEFAULT_ACTIONS_URL = https://example.com
 		})
 	}
 }
+
+func Test_getIDTokenSettingsForActions(t *testing.T) {
+	defer test.MockVariableValue(&AppDataPath, "/home/app/data")()
+
+	oldActions := Actions
+	oldAppURL := AppURL
+	defer func() {
+		Actions = oldActions
+		AppURL = oldAppURL
+	}()
+
+	iniStr := `
+  [actions]
+  `
+	cfg, err := NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	require.NoError(t, loadActionsFrom(cfg))
+
+	assert.EqualValues(t, "RS256", Actions.IDTokenSigningAlgorithm)
+	assert.Equal(t, "/home/app/data/actions_id_token/private.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.EqualValues(t, 3600, Actions.IDTokenExpirationTime)
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SIGNING_ALGORITHM = ES256
+  ID_TOKEN_SIGNING_PRIVATE_KEY_FILE = /test/test.pem
+  ID_TOKEN_EXPIRATION_TIME = 120
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	require.NoError(t, loadActionsFrom(cfg))
+
+	assert.EqualValues(t, "ES256", Actions.IDTokenSigningAlgorithm)
+	assert.Equal(t, "/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.EqualValues(t, 120, Actions.IDTokenExpirationTime)
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SIGNING_ALGORITHM = EdDSA
+  ID_TOKEN_SIGNING_PRIVATE_KEY_FILE = ./test/test.pem
+  ID_TOKEN_EXPIRATION_TIME = 123
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	require.NoError(t, loadActionsFrom(cfg))
+
+	assert.EqualValues(t, "EdDSA", Actions.IDTokenSigningAlgorithm)
+	assert.Equal(t, "/home/app/data/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.EqualValues(t, 123, Actions.IDTokenExpirationTime)
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SIGNING_ALGORITHM = HS256
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	err = loadActionsFrom(cfg)
+	require.Errorf(t, err, "invalid [actions] ID_TOKEN_SIGNING_ALGORITHM %q", Actions.IDTokenSigningAlgorithm)
+}