Fix missing id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth#45823
Conversation
…obs for OTLP OIDC auth When observability.otlp.github-app is configured with audience-only (credential-less OIDC mode, no app-id/private-key), three jobs were missing the id-token: write permission needed to call core.getIDToken(audience): - activation job (compiler_activation_permissions.go) - conclusion job (notify_comment.go) - safe_outputs job (compiler_safe_outputs_job.go) Also adds 'audience' as a valid property in the observability.otlp.github-app JSON schema, fixing a related schema validation error that blocked the audience-only config. Adds a regression test (otlp_oidc_permissions_test.go) that compiles a workflow with audience-only OTLP config and asserts all three jobs get id-token: write. Fixes #45755 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth
There was a problem hiding this comment.
Pull request overview
Fixes OTLP audience-only OIDC authentication across compiler-generated jobs.
Changes:
- Grants
id-token: writeto activation, conclusion, and safe-output jobs. - Adds
audienceto schema validation. - Adds regression coverage and a patch changeset.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/otlp_oidc_permissions_test.go |
Tests OIDC steps and permissions. |
pkg/workflow/notify_comment.go |
Grants conclusion-job OIDC permission. |
pkg/workflow/compiler_safe_outputs_job.go |
Grants safe-output-job OIDC permission. |
pkg/workflow/compiler_activation_permissions.go |
Grants activation-job OIDC permission. |
pkg/parser/schemas/main_workflow_schema.json |
Adds the OTLP audience field. |
pkg/parser/schema_test.go |
Verifies audience is accepted. |
.changeset/patch-fix-otlp-oidc-id-token-permissions.md |
Documents the patch release. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 7/7 changed files
- Comments generated: 1
- Review effort level: Medium
| "audience": { | ||
| "type": "string", | ||
| "description": "Optional OIDC audience passed to core.getIDToken(audience) when using credential-less OIDC mode (github-app present without app-id/private-key). Leave omitted to use the default audience." |
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed in 6d00671. I refreshed the generated schema consumers so |
🤖 PR Triage
Score breakdown: Impact 38 + Urgency 22 + Quality 12 Fixes missing Run §29462479491
|
|
🎉 This pull request is included in a new release. Release: |
When
observability.otlp.github-appis configured withaudienceonly (credential-less OIDC mode — noapp-id/private-key), the compiler injects a "Mint OTLP OIDC token" step into every span-emitting job but only grantedid-token: writetodetectionandevals. Theactivation,conclusion, andsafe_outputsjobs received the mint step without the permission, failing at runtime withUnable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable.Permissions fix
Added the existing guard from
threat_detection_job.goto the three missing builders:compiler_activation_permissions.go—buildActivationBasePermissionsnotify_comment.go— conclusion job, afterComputePermissionsForSafeOutputscompiler_safe_outputs_job.go— safe_outputs job, afterComputePermissionsForSafeOutputsSchema fix
audiencewas already present inOTLPGitHubAppConfigand read from raw frontmatter, but was absent from the JSON schema (additionalProperties: falsecaused a validation error on any workflow using it). Addedaudienceto theobservability.otlp.github-appschema properties and updated the parser test that previously expected it to be rejected.Regression test
otlp_oidc_permissions_test.gocompiles a workflow withaudience-only OTLP config and asserts that each of activation, conclusion, and safe_outputs: (a) containsid: mint-otlp-oidc-tokenin its job section, and (b) declaresid-token: write.