Better docs about ambient credential detection

[favonia]

Problem

The current OIDC device flow prints out a URL to complete OIDC and then waits for the OIDC token. However, this is not compatible with how GitHub Actions logging is buffered, as the printed URL may not be visible until the 300-second timeout if the Actions log is opened too early or too late.

Proposed Solution

I wonder if we can split the flow into two commands. One command would print out the URL, while the other command would wait for the token. This approach has the added benefit of easily allowing the printed URL to be redirected to other devices, via a notification service, so that the user doesn't have to actively wait for the GitHub Actions to reach the Cosign step. The method for communicating the necessary information to continue the OIDC protocol (if any) needs some thinking, but it could be an environment variable, a command-line argument, or a file, and GitHub Actions can handle any of these. I'd prefer to leave the details of how to implement this information-passing part to those who are more familiar with the OIDC protocol.

[znewman01]

We could consider doing something like that, but can you describe the use case?

In general, the idea of having a different party signing an artifact from the one executing the command to produce it makes me nervous. Is there a reason the ambient credential detection (which pulls your GITHUB_TOKEN from the environment and signs as the build job, not as you) doesn't work here?

[favonia]

Is there a reason the ambient credential detection (which pulls your GITHUB_TOKEN from the environment and signs as the build job, not as you) doesn't work here?

Thank you for mentioning the feature that I was (truly) looking for. Unfortunately, it didn't work as expected right away, and I assumed that I had to use a more complicated method. Specifically, I used sigstore/[email protected] and entered the following command and it required a browser:

cosign sign --recursive --yes "favonia/cloudflare-ddns@sha256"

Although I don't anticipate that you'll have the time to troubleshoot my YAML files, could you possibly point me to relevant documentation that I could review in my free time? The one at https://docs.sigstore.dev/cosign/keyless/ has a detailed explanation for Google Compute Engine but not GitHub Actions, in case I needed to provide some arguments. I appreciate your help.

I suppose this issue should be renamed to "Ambient Detection Doesn't Work" in my case, though maybe there are other uses of the split OIDC device flow for the platforms Cosign does not support out of box.

[haydentherapper]

Here's a demo GHA that does work - https://github.com/haydentherapper/hello-ko/blob/main/.github/workflows/build.yaml#L25

[favonia]

@haydentherapper Aha! I was missing id-token: write. Thank you!

@znewman01 What should I (we) do about this issue? It is now useless to me, but the idea might still be useful for others.

Thank you all for your help.

[haydentherapper]

If we're lacking documentation for the ambient credential detection, let's reword this issue to update docs!

[znewman01]

We could use a better doc explaining this, so I'll edit the issue title. Thanks for filing!