-
Notifications
You must be signed in to change notification settings - Fork 9
Document tokenless and OIDC #203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| --- | ||
| slug: /github-oidc | ||
| sidebar_label: GitHub OIDC | ||
| sidebar_position: 11 | ||
| description: Authenticate Argos uploads from GitHub Actions using OpenID Connect (OIDC) instead of a long-lived ARGOS_TOKEN secret. | ||
| --- | ||
|
|
||
| # GitHub OIDC Authentication | ||
|
|
||
| Authenticate the Argos SDK from GitHub Actions using [OpenID Connect (OIDC)](https://docs.github.com/en/actions/reference/security/oidc) instead of storing a long-lived `ARGOS_TOKEN` secret in your repository. | ||
|
|
||
| With OIDC, each workflow run receives a short-lived identity token signed by GitHub. Argos verifies that token against the repository and workflow you have allowed, then issues a temporary upload credential scoped to that build. No secret is ever stored in GitHub. | ||
|
|
||
| ## Why use OIDC | ||
|
|
||
| - **No long-lived secret.** Nothing to rotate, leak, or copy between repositories. | ||
| - **Per-run identity.** Each token is tied to a specific repository, workflow, branch, and run. Compromise of one run cannot be replayed elsewhere. | ||
| - **Least privilege.** The credential Argos issues from the OIDC exchange is scoped to uploading to a single project. | ||
| - **Auditable.** GitHub signs the identity token with claims (repository, ref, workflow, actor) that Argos records on the resulting build. | ||
|
|
||
| ## How it works | ||
|
|
||
| 1. GitHub Actions requests an OIDC identity token from GitHub's OIDC provider for the current job. This requires the `id-token: write` workflow permission. | ||
| 2. The Argos SDK detects that no `ARGOS_TOKEN` is set and fetches the OIDC token from the runner. | ||
| 3. The SDK sends the token to Argos with the upload request. | ||
| 4. Argos verifies the token's signature, issuer, audience, and claims (`repository`, `ref`, `workflow`) against the project's authentication settings. | ||
| 5. If the token is valid and the repository matches the Argos project, the upload is accepted. | ||
|
|
||
| The OIDC token is short-lived (minutes) and never persisted by Argos beyond what is needed to attribute the build. | ||
|
|
||
| ## Enable OIDC in your Argos project | ||
|
|
||
| 1. Open your project in Argos and go to **Project Settings → Authentication**. | ||
| 2. Enable **GitHub OIDC**. | ||
| 3. Save your changes. | ||
|
|
||
| Once OIDC is enabled, builds from the repository linked to the project can authenticate without `ARGOS_TOKEN`. | ||
|
|
||
| ## Configure your GitHub Actions workflow | ||
|
|
||
| Two things are required on the workflow side: | ||
|
|
||
| 1. Grant the workflow permission to mint an OIDC token by adding `id-token: write` to the job's `permissions` block. | ||
| 2. **Remove** `ARGOS_TOKEN` from the job environment. The SDK uses OIDC only when no token is provided — if `ARGOS_TOKEN` is set, it takes precedence. | ||
|
|
||
| ```yaml title=".github/workflows/visual-tests.yml" | ||
| name: Visual tests | ||
|
|
||
| on: | ||
| pull_request: | ||
| merge_group: | ||
|
|
||
| jobs: | ||
| argos: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| # Required to check out the repository and read its metadata | ||
| contents: read | ||
| # Required for Argos to authenticate via OIDC | ||
| id-token: write | ||
| # Lets Argos link the build to its pull request | ||
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-node@v6 | ||
| - run: npm ci | ||
| - run: npm run test:e2e | ||
| # Note: no ARGOS_TOKEN — the SDK uses OIDC automatically | ||
| ``` | ||
|
|
||
| :::warning | ||
|
|
||
| If `ARGOS_TOKEN` is defined (as a repository, environment, or organization secret exposed to the job), the SDK will use it and skip OIDC entirely. Remove it from the job to enable OIDC. | ||
|
|
||
| ::: | ||
|
|
||
| :::note | ||
|
|
||
| `id-token: write` must be set on the job (or at the workflow level). Adding it only to the `permissions` block of another job does not grant it to your Argos job. See [GitHub's documentation on `id-token` permissions](https://docs.github.com/en/actions/reference/security/oidc#adding-permissions-settings). | ||
|
|
||
| ::: | ||
|
|
||
| ## Troubleshooting | ||
|
|
||
| **`Unable to get OIDC token` / 403 from the OIDC endpoint.** The job is missing `id-token: write`. Add it to the `permissions` block. | ||
|
|
||
| **Argos still uses `ARGOS_TOKEN`.** A secret is being injected into the job. Search your workflow, environments, and reusable workflows for `ARGOS_TOKEN` and remove it. You can confirm by printing `echo "${ARGOS_TOKEN:+set}${ARGOS_TOKEN:-unset}"` in a step (the value itself is masked). | ||
|
|
||
| **`Repository does not match the Argos project`.** The repository that ran the workflow is not the one linked to the Argos project. Run the workflow from the linked repository, or update the project's connected repository in Argos. | ||
|
|
||
| **OIDC is not used on forked pull requests.** GitHub does not issue OIDC tokens to workflows triggered from forks for security reasons. For PRs from forks, the Argos SDK automatically falls back to [tokenless authentication](/github-tokenless), which is designed to work in that context. | ||
|
|
||
| ## Prefer OIDC over tokenless authentication | ||
|
|
||
| Argos SDKs also support a [**tokenless**](/github-tokenless) mode that authenticates GitHub Actions runs without an `ARGOS_TOKEN` and without OIDC, by looking up the workflow run on GitHub from its commit and branch. | ||
|
|
||
| **If OIDC is available in your setup, prefer it over tokenless authentication.** OIDC is more secure because every upload is backed by a short-lived token signed by GitHub's OIDC provider, which Argos cryptographically verifies. | ||
|
|
||
| Tokenless authentication remains useful where OIDC cannot be used — most notably for **pull requests from forked repositories**, where GitHub does not issue OIDC tokens. The SDK falls back to tokenless automatically in those cases, so a single workflow can use OIDC for internal PRs and tokenless for fork PRs without any extra configuration. | ||
|
|
||
| To switch from tokenless to OIDC on the runs where it is available: | ||
|
|
||
| 1. Enable **GitHub OIDC** in your Argos project's authentication settings. | ||
| 2. Add `id-token: write` to the workflow permissions. | ||
|
|
||
| No code change is required in your tests — the SDK picks up OIDC automatically when it is available and no token is set. | ||
|
|
||
| ## Further reading | ||
|
|
||
| - [GitHub: About security hardening with OpenID Connect](https://docs.github.com/en/actions/reference/security/oidc) | ||
| - [GitHub: Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token) | ||
| - [Argos GitHub Integration](/github) | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| --- | ||
| slug: /github-tokenless | ||
| sidebar_label: GitHub Tokenless | ||
| sidebar_position: 12 | ||
| description: Authenticate Argos uploads from GitHub Actions without an ARGOS_TOKEN by letting Argos verify the run against GitHub's workflow API. | ||
| --- | ||
|
|
||
| # GitHub Tokenless Authentication | ||
|
|
||
| Tokenless authentication lets the Argos SDK upload builds from GitHub Actions without an `ARGOS_TOKEN` secret and without OIDC. Argos verifies the run by looking it up on GitHub from the commit and branch the SDK reports. | ||
|
|
||
| It is the default fallback the Argos SDK uses when neither `ARGOS_TOKEN` nor [OIDC](/github-oidc) is available — most importantly, on **pull requests from forked repositories**, where GitHub does not issue OIDC tokens. | ||
|
|
||
| :::tip | ||
|
|
||
| If your workflow can use [GitHub OIDC](/github-oidc), prefer it. OIDC is cryptographically signed by GitHub and is the strongest form of CI authentication Argos supports. Tokenless is the right choice when OIDC cannot be used. | ||
|
|
||
| ::: | ||
|
|
||
| ## When tokenless is used | ||
|
|
||
| The SDK picks an authentication method in this order: | ||
|
|
||
| 1. **`ARGOS_TOKEN`** is set → use the token. | ||
| 2. **OIDC is enabled** (`id-token: write` permission granted and Argos project configured for OIDC) → use OIDC. | ||
| 3. **Neither is available** → fall back to tokenless authentication. | ||
|
|
||
| So tokenless kicks in when you have not configured a token *and* the workflow has not been granted `id-token: write` (or OIDC has not been enabled in your Argos project settings). | ||
|
|
||
|
gregberge marked this conversation as resolved.
|
||
| ## How it works | ||
|
|
||
| 1. The Argos SDK detects that no `ARGOS_TOKEN` is set and no OIDC token is available. | ||
| 2. The SDK sends an upload request to Argos with the GitHub-provided context: repository, commit SHA, branch, and workflow run ID. | ||
| 3. Argos calls the GitHub API to look up workflow runs for that repository at that commit and branch. | ||
| 4. If Argos finds a workflow run that is **in progress** and matches the context the SDK reported, it issues a **short-lived token** scoped to that run and to the project. | ||
| 5. The SDK uses that short-lived token to complete the upload. | ||
|
|
||
| The verification rests on a simple invariant: only the actual workflow run on GitHub can produce an upload whose context matches a run GitHub reports as in progress. If the run is not found, is not in progress, or doesn't match the repository linked to the Argos project, the upload is rejected. | ||
|
|
||
| ## Use cases | ||
|
|
||
| - **Forked pull requests.** GitHub blocks OIDC and secrets on workflows triggered from forks. Tokenless authentication still works because it relies on the GitHub API rather than on a token injected into the runner. | ||
| - **Public repositories without configured secrets.** New contributors can open a PR and have visual tests run end-to-end without a maintainer needing to provision a token. | ||
| - **Quick setup.** You can connect a repository to Argos and have uploads work from GitHub Actions without configuring anything in the workflow. | ||
|
|
||
| ## Configure your GitHub Actions workflow | ||
|
|
||
| Tokenless requires no special configuration — just leave `ARGOS_TOKEN` unset and do not grant `id-token: write`: | ||
|
|
||
| ```yaml title=".github/workflows/visual-tests.yml" | ||
| name: Visual tests | ||
|
|
||
| on: | ||
| pull_request: | ||
| merge_group: | ||
|
|
||
| jobs: | ||
| argos: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-node@v6 | ||
| - run: npm ci | ||
| - run: npm run test:e2e | ||
| # No ARGOS_TOKEN — the SDK falls back to tokenless authentication | ||
| ``` | ||
|
|
||
| If you want OIDC for internal PRs *and* tokenless for fork PRs in the same workflow, add `id-token: write` to the job's `permissions` block. The SDK uses OIDC when GitHub issues a token and automatically falls back to tokenless on fork PRs where it doesn't. | ||
|
|
||
| ## Limitations | ||
|
|
||
| - **GitHub Actions only.** Tokenless authentication relies on the GitHub workflow run lookup. It does not work outside GitHub Actions — for other CI providers, use `ARGOS_TOKEN`. | ||
| - **The workflow run must be visible to GitHub.** If the SDK runs in a context where GitHub does not report the run (for example, a self-hosted action that runs outside the standard workflow runner), tokenless cannot verify it. | ||
|
gregberge marked this conversation as resolved.
|
||
| - **Weaker proof than OIDC.** Tokenless verifies that a workflow with the same commit and branch is in progress; OIDC verifies a signed token from GitHub. Prefer OIDC where it is available. | ||
|
|
||
| ## Troubleshooting | ||
|
|
||
| **`No matching workflow run found`.** Argos could not find an in-progress workflow run on GitHub matching the commit and branch the SDK reported. Check that the repository linked to the Argos project matches the one running the workflow, and that the workflow is still in progress when the upload runs. | ||
|
|
||
| **`Repository does not match the Argos project`.** The repository running the workflow is not the one linked to the Argos project. Update the project's connected repository in Argos, or run the workflow from the linked repository. | ||
|
|
||
| **Uploads work but are missing pull request metadata.** Tokenless authenticates the upload but does not by itself link the build to a pull request. Pass `GITHUB_TOKEN` in the job environment so the SDK can resolve the PR — see [Running without `GITHUB_TOKEN`](/run-on-preview-deployment#running-without-github_token). | ||
|
|
||
| ## Further reading | ||
|
|
||
| - [GitHub OIDC authentication](/github-oidc) — the more secure option, preferred where available. | ||
| - [Argos GitHub Integration](/github) | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.