feat: added github oidc token as a header (#471)

eloymg · web-flow · commit 6426ecdc24bc · 2024-10-16T11:57:49.000Z
* added github oidc token as a header

* added instance to audience
diff --git a/actions/get-vault-secrets/action.yaml b/actions/get-vault-secrets/action.yaml
@@ -62,6 +62,14 @@ runs:
         COMMON_SECRETS: ${{ inputs.common_secrets }}
         REPO: ${{ github.repository }}
 
+    - id: get-github-jwt-token
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        script: |
+          const jwt = await core.getIDToken("vault-github-actions-grafana-${{ inputs.vault_instance }}");
+          core.setSecret(jwt);
+          core.setOutput("github-jwt",jwt);
+
       # Get the secrets
     - name: Import Secrets
       id: import-secrets
@@ -74,5 +82,6 @@ runs:
         jwtGithubAudience: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
         extraHeaders: |
           Proxy-Authorization: Bearer ${{ steps.vault-iap-auth.outputs.id_token }}
+          Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}
         secrets: |
           ${{ steps.translate-secrets.outputs.secrets }}
