Documentation
Overview
Package oidc reads GitHub Actions OIDC token claims (repository, environment, ref) for runtime context detection. It is a stdlib-only leaf package (no Atmos imports) so low-level packages like pkg/store can use it without creating an import cycle through pkg/schema.
Index
Constants
This section is empty.
Variables
var (
	// ErrInvalidRequestURL indicates ACTIONS_ID_TOKEN_REQUEST_URL is malformed or unsafe.
	ErrInvalidRequestURL = errors.New("invalid ACTIONS_ID_TOKEN_REQUEST_URL")
	// ErrTokenRequest indicates the OIDC token endpoint request failed.
	ErrTokenRequest = errors.New("failed to request GitHub OIDC token")
	// ErrTokenDecode indicates the OIDC JWT could not be decoded into claims.
	ErrTokenDecode = errors.New("failed to decode GitHub OIDC token")
)
Functions
This section is empty.
Types
type Claims
type Claims struct {
Repository string `json:"repository"`
Environment string `json:"environment"`
Ref string `json:"ref"`
Subject string `json:"sub"`
}
Claims holds the subset of GitHub Actions OIDC token claims used for runtime context checks.
func RequestClaims
RequestClaims mints (or reads) the GitHub Actions OIDC token and returns its claims.
The `available` return value is false (with a nil error) when the token cannot be obtained at all: the process is not running on a GitHub Actions runner, or the job lacks the `id-token: write` permission. Callers treat that as "unknown context", not as a failure. A non-nil error means the token should have been obtainable (the request URL and request token were present) but the URL was rejected, the request to the token endpoint failed, or the returned JWT could not be decoded; those cases are reported with ErrInvalidRequestURL, ErrTokenRequest and ErrTokenDecode respectively, so callers can distinguish them with errors.Is.
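The following is an added, stand-alone illustration of the contract described above, written for this page and not the package's own code. It mirrors the documented Claims type and sentinel errors, then implements the same three-way outcome (unavailable, error, claims) with the environment lookup and the HTTP fetch injected as functions so it runs offline. The function names (validateRequestURL, decodeClaims, requestClaims, mintUnsignedToken), the https-only URL policy and the sample repository, environment and URL values are assumptions made for the example; the JWT it decodes is constructed in code and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Claims mirrors the subset of GitHub Actions OIDC claims the page documents.
type Claims struct {
	Repository  string `json:"repository"`
	Environment string `json:"environment"`
	Ref         string `json:"ref"`
	Subject     string `json:"sub"`
}

// Sentinel errors with the same names and meanings as the documented ones.
var (
	ErrInvalidRequestURL = errors.New("invalid ACTIONS_ID_TOKEN_REQUEST_URL")
	ErrTokenRequest      = errors.New("failed to request GitHub OIDC token")
	ErrTokenDecode       = errors.New("failed to decode GitHub OIDC token")
)

// validateRequestURL accepts only an absolute https URL with a host.
// The exact policy is an assumption for this example.
func validateRequestURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%w: %q", ErrInvalidRequestURL, raw)
	}
	return nil
}

// decodeClaims reads the payload segment of a compact JWT. It does NOT verify the
// signature: that is enough to read runtime context, but it is not authentication,
// so nothing security-relevant should be granted on these values alone.
func decodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("%w: expected 3 segments, got %d", ErrTokenDecode, len(parts))
	}
	// GitHub emits unpadded base64url; tolerate padding if a caller adds it.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return Claims{}, fmt.Errorf("%w: %v", ErrTokenDecode, err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("%w: %v", ErrTokenDecode, err)
	}
	return c, nil
}

// requestClaims follows the documented contract: (Claims{}, false, nil) when the
// runner environment is absent, an error only once the token should be obtainable.
// getenv and fetch are injected so the example runs without a real runner.
func requestClaims(getenv func(string) string, fetch func(reqURL, bearer string) (string, error)) (Claims, bool, error) {
	reqURL := getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
	bearer := getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	if reqURL == "" || bearer == "" {
		return Claims{}, false, nil // not a runner, or the job lacks id-token: write
	}
	if err := validateRequestURL(reqURL); err != nil {
		return Claims{}, false, err
	}
	jwt, err := fetch(reqURL, bearer)
	if err != nil {
		return Claims{}, false, fmt.Errorf("%w: %v", ErrTokenRequest, err)
	}
	c, err := decodeClaims(jwt)
	if err != nil {
		return Claims{}, false, err
	}
	return c, true, nil
}

// mintUnsignedToken builds a constructed, unsigned JWT (empty signature segment)
// so the example can exercise decodeClaims offline.
func mintUnsignedToken(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed sample values; the URL is a placeholder, not GitHub's real endpoint.
	want := Claims{Repository: "octo-org/octo-repo", Environment: "prod",
		Ref: "refs/heads/main", Subject: "repo:octo-org/octo-repo:environment:prod"}
	env := map[string]string{
		"ACTIONS_ID_TOKEN_REQUEST_URL":   "https://token.example.invalid/",
		"ACTIONS_ID_TOKEN_REQUEST_TOKEN": "constructed-bearer",
	}
	fetch := func(_, _ string) (string, error) { return mintUnsignedToken(want), nil }
	c, ok, err := requestClaims(func(k string) string { return env[k] }, fetch)
	fmt.Printf("claims=%+v available=%v err=%v\n", c, ok, err)
}
```

A real fetch would GET ACTIONS_ID_TOKEN_REQUEST_URL with an `Authorization: bearer` header carrying ACTIONS_ID_TOKEN_REQUEST_TOKEN and unwrap the JSON response, whose "value" field holds the JWT; that part is replaced by the injected function here. The point the tests below exercise is the error taxonomy: a missing environment is silence, a rejected URL is ErrInvalidRequestURL, a failed request is ErrTokenRequest, and a malformed JWT is ErrTokenDecode.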