Skip to content

Implement GitHub Actions OIDC processing #10520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jul 18, 2025
Merged

Implement GitHub Actions OIDC processing #10520

merged 7 commits into from
Jul 18, 2025

Conversation

etvorun
Copy link
Contributor

@etvorun etvorun commented Jul 16, 2025
edited
Loading

✨ Overview

This pull request introduces enhancements to the handling of federated credentials and token validation. The changes are meant to make the code easier to extend and support more identity providers like GitHub Actions

🔐 Token Validation Refactoring

  • Interface Renaming & Extension
    Renamed ITokenValidator to ITokenPolicyValidator and extended it to support matching FederatedCredentialPolicy instances with incoming OIDC tokens.

  • Entra ID Logic Isolation
    Renamed EntraIdTokenValidator to EntraIdTokenPolicyValidator and moved Entra ID-specific policy evaluation logic from FederatedCredentialPolicyEvaluator into this class.

  • GitHub Actions Support
    Introduced GitHubTokenPolicyValidator to handle validation of GitHub Actions OIDC tokens and evaluate trusted publishing policies for GitHub.

  • Evaluator Refactor
    Updated FederatedCredentialPolicyEvaluator to operate with a collection of ITokenPolicyValidator implementations, enabling support for multiple identity providers.

  • API Key Generation Flow
    No changes were made to the API key generation process. Once an OIDC token is matched to a FederatedCredentialPolicy, the key generation logic remains consistent across providers.

🧠 Policy Evaluation Improvements

  • Naming Clarity
    Renamed EvaluatedFederatedCredentialPolicies to OidcTokenEvaluationResult to reduce confusion with FederatedCredentialPolicyResult.

  • Documentation Enhancements
    Added inline comments to both OidcTokenEvaluationResult and FederatedCredentialPolicyResult to clarify their roles and usage.

⚙️ Configuration Updates

  • Audience Configuration
    Added FederatedCredentialConfiguration.NuGetAudience to support audience validation for tokens issued by publishers like GitHub Actions.

Addresses https://github.com/NuGet/Engineering/issues/5887

@etvorun etvorun marked this pull request as ready for review July 16, 2025 20:49
@etvorun etvorun requested a review from a team as a code owner July 16, 2025 20:49
@etvorun etvorun self-assigned this Jul 16, 2025
@etvorun etvorun added this to the Sprint 2025-07 milestone Jul 16, 2025
@etvorun etvorun requested a review from Copilot July 17, 2025 16:25
Copilot
Copilot AI reviewed Jul 17, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request implements GitHub Actions OIDC processing and refactors the federated credential token validation system to support multiple identity providers. The changes introduce a new extensible architecture using the ITokenPolicyValidator interface, allowing the system to handle both Entra ID and GitHub Actions tokens.

Key Changes:

  • Introduced ITokenPolicyValidator interface to support multiple identity providers through a common pattern
  • Added GitHub Actions OIDC token validation and policy evaluation with GitHubTokenPolicyValidator
  • Refactored existing Entra ID validation to use the new interface pattern with EntraIdTokenPolicyValidator

Reviewed Changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
GitHubTokenPolicyValidator.cs New validator for GitHub Actions OIDC tokens with comprehensive policy evaluation
EntraIdTokenPolicyValidator.cs Refactored Entra ID validator to implement new interface pattern
ITokenPolicyValidator.cs New interface defining contract for token validation and policy evaluation
FederatedCredentialPolicyEvaluator.cs Updated to work with multiple validators through the new interface
OidcTokenEvaluationResult.cs New result type replacing EvaluatedFederatedCredentialPolicies
ServicesConstants.cs Added NuGetAudience constant and converted string fields to const

joelverhagen
joelverhagen reviewed Jul 17, 2025
View reviewed changes
joelverhagen
joelverhagen reviewed Jul 17, 2025
View reviewed changes
joelverhagen
joelverhagen reviewed Jul 17, 2025
View reviewed changes
joelverhagen
joelverhagen reviewed Jul 17, 2025
View reviewed changes
joelverhagen
joelverhagen previously approved these changes Jul 18, 2025
View reviewed changes
@etvorun etvorun merged commit 47fa8fe into dev Jul 18, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@joelverhagen joelverhagen joelverhagen approved these changes

@zhhyu zhhyu Awaiting requested review from zhhyu

@Lanaparezanin Lanaparezanin Awaiting requested review from Lanaparezanin

Assignees

@etvorun etvorun

Labels
None yet
Projects
None yet
Milestone
Sprint 2025-07
Development

Successfully merging this pull request may close these issues.
2 participants
@etvorun @joelverhagen