
Support non terminal environments with signer's sts providers #3

Merged: miniprow[bot] merged 3 commits into main from signer-idp on Jun 11, 2026
Conversation

@puerco (Member) commented Jun 11, 2026

This pull request refactors and enhances the Carabiner authentication flow, with a focus on simplifying the login process and improving support for both CI and interactive environments. The main change is the introduction of a unified Login function that first attempts to use ambient credentials (like OIDC tokens from CI providers) and falls back to a browser-based login only when necessary. This makes the authentication process more robust, especially in automated environments, and reduces duplicated logic. The update also removes legacy GitHub Actions OIDC token retrieval code in favor of a more generic and extensible provider-based approach.

Key changes include:

Authentication Flow Refactor:

  • Introduced a new Login function in pkg/client/credentials/login.go that:

    • Probes for ambient credentials using registered STS providers in a deterministic order and exchanges them for a Carabiner identity token if available.
    • Falls back to an interactive browser login only if no ambient credentials are found and the process is running in a terminal.
    • Provides clear error handling for non-interactive environments without ambient credentials.
  • Removed the custom GitHub Actions OIDC token retriever (pkg/client/github/actions.go), consolidating ambient credential detection and retrieval under the new provider-based approach.

Command-Line Interface Updates:

  • Updated the login command in pkg/cmd/login.go to use the new Login function, removing all inline logic for browser-based authentication and simplifying the command's flow. The help text and documentation were also updated to reflect the new behavior.

Testing Improvements:

  • Added comprehensive unit tests for the new login logic in pkg/client/credentials/login_test.go, covering ambient credential detection, error handling, and fallback scenarios.

Dependency Updates:

  • Updated dependencies in go.mod to support the new authentication providers and flows, including newer versions of carabiner-dev/signer, sigstore, and related libraries.
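The flow described above, as an added example that is not the project's own code: a Go sketch in which a hypothetical Provider interface stands in for the STS providers registered in carabiner-dev/signer, a constructed EnvProvider models CI-exposed ambient tokens, and Login probes providers in a fixed order, exchanges the first hit headlessly, and falls back to the browser only when a terminal is attached. The exchange and browser steps are caller-supplied callbacks, so nothing here contacts a deadrop server.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
)

// Provider is a hypothetical stand-in for an STS provider registered in carabiner-dev/signer.
type Provider interface {
	Name() string
	Ambient(ctx context.Context) (token string, ok bool, err error)
}

// EnvProvider (constructed here) treats a non-empty env var as the ambient credential.
type EnvProvider struct{ ID, Var string }

func (p EnvProvider) Name() string { return p.ID }
func (p EnvProvider) Ambient(context.Context) (string, bool, error) {
	tok, ok := os.LookupEnv(p.Var)
	return tok, ok && tok != "", nil
}

// ErrNoAmbient makes headless runs fail fast instead of hanging on a browser.
var ErrNoAmbient = errors.New("no ambient credentials and no terminal for browser login")

// Login probes Providers in slice order, exchanges the first hit headlessly, else browser fallback.
type Login struct {
	Providers  []Provider
	Exchange   func(ctx context.Context, provider, token string) (string, error)
	Browser    func(ctx context.Context) (string, error)
	IsTerminal func() bool
}

func (l Login) Token(ctx context.Context) (string, error) {
	for _, p := range l.Providers {
		tok, ok, err := p.Ambient(ctx)
		if err != nil { // assumption: a failing provider aborts rather than being skipped
			return "", fmt.Errorf("probing %s: %w", p.Name(), err)
		}
		if ok {
			return l.Exchange(ctx, p.Name(), tok)
		}
	}
	if !l.IsTerminal() {
		return "", ErrNoAmbient
	}
	return l.Browser(ctx)
}

func main() { // headless demo: nothing ambient and no terminal, so ErrNoAmbient
	_, err := Login{IsTerminal: func() bool { return false }}.Token(context.Background())
	fmt.Println(err)
}
```

A real wiring would set Exchange to the HeadlessLogin call against the deadrop server and Browser to the interactive flow; the probe order in Providers is what keeps the result deterministic across CI runners.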

puerco added 3 commits June 10, 2026 17:05

Introduce credentials.Login, the single entry point to obtain a
Carabiner identity token. It probes the STS providers registered in
carabiner-dev/signer (GitHub Actions, GitLab CI) for ambient IdP
credentials and exchanges them at the deadrop server (HeadlessLogin).
When no ambient credentials exist it falls back to the interactive
browser flow (BrowserLogin, extracted from the login command), failing
fast in non-terminal environments instead of waiting for a browser.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
miniprow[bot] added the lgtm (Indicates that a PR is ready to be merged (Looks Good To Me)) and approved (Indicates a PR has been approved by an approver from all required OWNERS files) labels Jun 11, 2026
miniprow[bot] merged commit af3a3bb into main Jun 11, 2026
7 checks passed
miniprow[bot] deleted the signer-idp branch June 11, 2026 01:18