From 8c8514ca27aa996b0b343b9b72595cbc07f65a05 Mon Sep 17 00:00:00 2001 From: delarea Date: Thu, 17 Apr 2025 15:28:45 +0300 Subject: [PATCH 01/13] Update JFrog GitHub OIDC setup docs --- .../configuring-openid-connect-in-jfrog.md | 72 +++++++------------ 1 file changed, 25 insertions(+), 47 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index df5d264bf35c..a34fc5c81710 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -1,4 +1,3 @@ ---- title: Configuring OpenID Connect in JFrog shortTitle: OpenID Connect in JFrog intro: Use OpenID Connect within your workflows to authenticate with JFrog. 
@@ -19,6 +18,8 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow. +> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary. + For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation. For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository. 
@@ -52,59 +53,36 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables ## Updating your {% data variables.product.prodname_actions %} workflow -Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file. - -In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform. - -The following example uses the placeholder `YOUR_PROVIDER_NAME`. +### Example: Authenticating with JFrog using OIDC ```yaml -- name: Fetch Access Token from Artifactory - id: fetch_access_token - env: - ID_TOKEN: ${{ steps.idtoken.outputs.id_token }} - run: | - ACCESS_TOKEN=$(curl \ - -X POST \ - -H "Content-type: application/json" \ - https://example.jfrog.io/access/api/v1/oidc/token \ - -d \ - "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"') - echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT -``` - -The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL. - -```yaml -- name: Get ID Token (cURL method) - id: idtoken - run: | - ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"') - echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT -``` +permissions: + id-token: write + contents: read -Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context). 
- -{% data reusables.actions.oidc-deployment-protection-rules %} - -```yaml jobs: build: runs-on: ubuntu-latest - env: - OIDC_AUDIENCE: 'YOUR_AUDIENCE' + steps: + - name: Setup JFrog CLI with OIDC + uses: jfrog/setup-jfrog-cli@v4 + with: + oidc-provider-name: 'YOUR_PROVIDER_NAME' + oidc-audience: 'YOUR_AUDIENCE' + + - name: Upload artifact + run: jf rt upload "dist/*.zip" my-repo/ ``` -Then, in your workflow file, retrieve the value of the variables stored in the `env` context. The following example uses the `env` context to retrieve the OIDC audience. +## Security Best Practices -```yaml -- name: Get ID Token (using env context) - uses: {% data reusables.actions.action-github-script %} - id: idtoken - with: - script: | - const coredemo = require('@actions/core'); - let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE); - coredemo.setOutput('id_token', id_token); +- Always use `permissions: id-token: write` in workflows that authenticate with JFrog. +- Limit trust using specific claims like `repository`, `ref`, or `environment`. +- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate. + +## Further Reading + +- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) +- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) +- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token) ``` From 7c0f7328c5c8da12189ddbe5abc2b21ac54c6a39 Mon Sep 17 00:00:00 2001 From: delarea Date: Thu, 17 Apr 2025 15:36:14 +0300 Subject: [PATCH 02/13] Remove note section --- .../configuring-openid-connect-in-jfrog.md | 2 -- 1 file changed, 2 deletions(-) 
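Review bot: The closing ``` kept as the final context line of this hunk no longer has an opening fence, because the ```yaml line that started the removed "Get ID Token (using env context)" block is deleted while its terminator stays. On the new side the file therefore ends with an unpaired fence after the "Further Reading" list, which is likely to render as an open, empty code block. Delete that trailing fence line as part of this change. The later patches in this series that show the end of the file (04, 07, 09) still carry it as context.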
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index a34fc5c81710..51a5598e9633 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -18,8 +18,6 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow. -> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary. - For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation. For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository. From 9c67e2354fdf76f7b0091968d0859853d75e5b46 Mon Sep 17 00:00:00 2001 From: delarea Date: Thu, 17 Apr 2025 15:39:57 +0300 Subject: [PATCH 03/13] Fix diff --- .../configuring-openid-connect-in-jfrog.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 51a5598e9633..d338d526f458 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -1,3 +1,4 @@ +--- title: Configuring OpenID Connect in JFrog shortTitle: OpenID Connect in JFrog intro: Use OpenID Connect within your workflows to authenticate with JFrog. @@ -53,6 +54,8 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables ### Example: Authenticating with JFrog using OIDC +In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform. + ```yaml permissions: id-token: write From adb908114dbe92ad67a9cf4c83df195fcef7bf61 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 20 Apr 2025 13:19:00 +0300 Subject: [PATCH 04/13] CR --- .../configuring-openid-connect-in-jfrog.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index d338d526f458..108e344f84ad 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md 
@@ -56,6 +56,9 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform. +The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`. + +{% data reusables.actions.oidc-deployment-example %} ```yaml permissions: id-token: write @@ -79,11 +82,12 @@ jobs: - Always use `permissions: id-token: write` in workflows that authenticate with JFrog. - Limit trust using specific claims like `repository`, `ref`, or `environment`. -- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate. +- Configure identity mappings in JFrog to restrict authentication to specific workflows. ## Further Reading - [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) -- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) +- [JFrog Platform Identify Mappings DOCS](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings) - [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token) +- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) ``` From 9246deef5aea97c9a0084d3ae584786137ceb1d9 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 20 Apr 2025 13:54:53 +0300 Subject: [PATCH 05/13] Remove unused variable --- .../configuring-openid-connect-in-jfrog.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 108e344f84ad..a284e29d3535 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -58,7 +58,6 @@ In your {% data variables.product.prodname_actions %} workflow file, ensure you The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`. -{% data reusables.actions.oidc-deployment-example %} ```yaml permissions: id-token: write From 48859cf0e65aebbd2e187cff9414aaa35064f5a0 Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 21 Apr 2025 09:23:39 +0300 Subject: [PATCH 06/13] Update --- .../configuring-openid-connect-in-jfrog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index a284e29d3535..15433fa8f737 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md 
@@ -56,7 +56,7 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform. -The following example uses the placeholder `YOUR_PROVIDER_NAME` & `YOUR_AUDIENCE`. +The following example uses the placeholders YOUR_PROVIDER_NAME and YOUR_AUDIENCE. ```yaml permissions: From a1ca5154b5b6eeaae8ec2049c4876f4bcfe5b7d9 Mon Sep 17 00:00:00 2001 From: delarea Date: Thu, 24 Apr 2025 14:29:34 +0300 Subject: [PATCH 07/13] Update --- .../configuring-openid-connect-in-jfrog.md | 32 +++++++++++++------ 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 15433fa8f737..008e4c27bc07 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -35,7 +35,7 @@ For an example {% data variables.product.prodname_actions %} workflow using the For example, you can set `iss` to `https://token.actions.githubusercontent.com`, and the `repository` to something like "octo-org/octo-repo"`. This will ensure only Actions workflows from the specified repository will have access to your JFrog platform. The following is an example Claims JSON when configuring identity mappings. - ```json copy + ```json { "iss": "https://token.actions.githubusercontent.com", "repository": "octo-org/octo-repo" 
@@ -68,25 +68,39 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup JFrog CLI with OIDC + id: setup-jfrog-cli uses: jfrog/setup-jfrog-cli@v4 with: - oidc-provider-name: 'YOUR_PROVIDER_NAME' - oidc-audience: 'YOUR_AUDIENCE' + JF_URL: ${{ env.JF_URL }} + oidc-provider-name: 'my-github-provider' # Replace with your configured provider name + oidc-audience: 'jfrog-github' # Replace with your configured audience - name: Upload artifact run: jf rt upload "dist/*.zip" my-repo/ + ``` +> **Note** +> When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides short-lived credentials (`oidc-user` and `oidc-token`) as step outputs. These can be used for Docker, Helm, and other integrations that require authentication with JFrog. No additional configuration is needed to enable these outputs. + +```yaml + - name: Login to Artifactory + uses: docker/login-action@v3 + with: + registry: ${{ env.JF_URL }} + username: ${{ steps.setup-jfrog-cli.outputs.oidc-user }} + password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }} +``` ## Security Best Practices -- Always use `permissions: id-token: write` in workflows that authenticate with JFrog. -- Limit trust using specific claims like `repository`, `ref`, or `environment`. -- Configure identity mappings in JFrog to restrict authentication to specific workflows. +- Always set `permissions: id-token: write` in any workflow using OIDC. +- Restrict trust using claims such as `repository`, `ref`, or `environment`. +- Use identity mappings to scope access at a fine-grained level inside the JFrog Platform. 
## Further Reading - [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) -- [JFrog Platform Identify Mappings DOCS](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings) -- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token) -- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) +- [Configure Identity Mappings](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings) +- [JFrog CLI: `exchange-oidc-token` Command](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token) +- [GitHub Docs: About Security Hardening with OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) ``` From ed8ab47974d2b73c54b554efd48d3a7c2925548b Mon Sep 17 00:00:00 2001 From: delarea Date: Thu, 24 Apr 2025 14:34:37 +0300 Subject: [PATCH 08/13] Update --- .../configuring-openid-connect-in-jfrog.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 008e4c27bc07..76cd8ce3d0c1 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md 
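Review bot: `${{ env.JF_URL }}` is read in both added snippets (`JF_URL:` under `with:` and `registry:` in the login step), but nothing in the example workflow as shown defines it. The job-level `env:` block was removed in patch 01, so a reader who copies the example would get an empty value. Show where the value comes from, for example a step-level `env:` holding `JF_URL: ${{ vars.JF_URL }}`, and state in the prose that the reader must create that variable. It is also worth confirming that `setup-jfrog-cli` accepts `JF_URL` as a `with:` input; as far as I know the action reads it from the step environment, not from its inputs.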
@@ -80,8 +80,8 @@ jobs: ``` -> **Note** -> When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides short-lived credentials (`oidc-user` and `oidc-token`) as step outputs. These can be used for Docker, Helm, and other integrations that require authentication with JFrog. No additional configuration is needed to enable these outputs. +> [!TIP] +> When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides short-lived (`oidc-user` and `oidc-token`) as step outputs. These can be used for Docker, Helm, and other integrations that require authentication with JFrog. No additional configuration is needed to enable these outputs. ```yaml - name: Login to Artifactory From 1d1b453f959066b4a71a8d6fbd292a73544ff9d3 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 27 Apr 2025 16:15:36 +0300 Subject: [PATCH 09/13] Remove unneeded link --- .../configuring-openid-connect-in-jfrog.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 76cd8ce3d0c1..a8bdd355724e 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md 
@@ -101,6 +101,5 @@ jobs: - [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) - [Configure Identity Mappings](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings) -- [JFrog CLI: `exchange-oidc-token` Command](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token) - [GitHub Docs: About Security Hardening with OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) ``` From 554c3516bd8be5349c54aad32be0ef26ac69d9f1 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 27 Apr 2025 16:26:54 +0300 Subject: [PATCH 10/13] Update --- .../configuring-openid-connect-in-jfrog.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index a8bdd355724e..5fe769f58783 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -35,7 +35,7 @@ For an example {% data variables.product.prodname_actions %} workflow using the For example, you can set `iss` to `https://token.actions.githubusercontent.com`, and the `repository` to something like "octo-org/octo-repo"`. This will ensure only Actions workflows from the specified repository will have access to your JFrog platform. The following is an example Claims JSON when configuring identity mappings. - ```json + ```json copy { "iss": "https://token.actions.githubusercontent.com", "repository": "octo-org/octo-repo" 
@@ -72,8 +72,8 @@ jobs: uses: jfrog/setup-jfrog-cli@v4 with: JF_URL: ${{ env.JF_URL }} - oidc-provider-name: 'my-github-provider' # Replace with your configured provider name - oidc-audience: 'jfrog-github' # Replace with your configured audience + oidc-provider-name: 'YOUR_PROVIDER_NAME' + oidc-audience: 'YOUR_AUDIENCE' - name: Upload artifact run: jf rt upload "dist/*.zip" my-repo/ @@ -81,10 +81,13 @@ jobs: ``` > [!TIP] -> When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides short-lived (`oidc-user` and `oidc-token`) as step outputs. These can be used for Docker, Helm, and other integrations that require authentication with JFrog. No additional configuration is needed to enable these outputs. +> When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides `oidc-user` and `oidc-token` as step outputs. +> These can be used for other integrations that require authentication with JFrog. +> To reference these outputs, ensure the step has an explicit `id` defined (e.g., `id: setup-jfrog-cli`). +### Example: Using OIDC Credentials in Other Steps ```yaml - - name: Login to Artifactory + - name: Login to Artifactory Docker Registry uses: docker/login-action@v3 with: registry: ${{ env.JF_URL }} From 33afa502b2b5726dcd08adb89b81ebaf96017fe8 Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 13:28:11 +0300 Subject: [PATCH 11/13] Remove the security section --- .../configuring-openid-connect-in-jfrog.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 5fe769f58783..ba25c06ac1db 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md 
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -94,11 +94,6 @@ jobs: username: ${{ steps.setup-jfrog-cli.outputs.oidc-user }} password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }} ``` -## Security Best Practices - -- Always set `permissions: id-token: write` in any workflow using OIDC. -- Restrict trust using claims such as `repository`, `ref`, or `environment`. -- Use identity mappings to scope access at a fine-grained level inside the JFrog Platform. ## Further Reading From 2162642b41b74ba20e7a1ac8f3716486382eadff Mon Sep 17 00:00:00 2001 From: delarea Date: Sun, 4 May 2025 13:29:15 +0300 Subject: [PATCH 12/13] Update --- .../configuring-openid-connect-in-jfrog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index ba25c06ac1db..4863f7a86ece 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -73,7 +73,7 @@ jobs: with: JF_URL: ${{ env.JF_URL }} oidc-provider-name: 'YOUR_PROVIDER_NAME' - oidc-audience: 'YOUR_AUDIENCE' + oidc-audience: 'YOUR_AUDIENCE' # This is optional - name: Upload artifact run: jf rt upload "dist/*.zip" my-repo/ From 6ff7f79af87ff333761f786ff806d1d7e6a18cb5 Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 12 May 2025 15:05:51 +0300 Subject: [PATCH 13/13] CR --- .../configuring-openid-connect-in-jfrog.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 4863f7a86ece..03549468baf2 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -56,7 +56,7 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform. -The following example uses the placeholders YOUR_PROVIDER_NAME and YOUR_AUDIENCE. +The following example uses the placeholders `YOUR_PROVIDER_NAME` and `YOUR_AUDIENCE`. ```yaml permissions: @@ -69,7 +69,7 @@ jobs: steps: - name: Setup JFrog CLI with OIDC id: setup-jfrog-cli - uses: jfrog/setup-jfrog-cli@v4 + uses: jfrog/setup-jfrog-cli@29fa5190a4123350e81e2a2e8d803b2a27fed15e with: JF_URL: ${{ env.JF_URL }} oidc-provider-name: 'YOUR_PROVIDER_NAME'
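Review bot: The full-SHA pin on the `uses:` line has no trailing version comment, so neither a reader nor update tooling can tell which release `29fa5190…` corresponds to. Append one, e.g. `uses: jfrog/setup-jfrog-cli@29fa5190a4123350e81e2a2e8d803b2a27fed15e # <release tag>`. The second example added earlier in this series still references `docker/login-action@v3` by mutable tag, and that step is the one that receives `oidc-token` as its password (the line is outside this hunk). Pinning it to a commit SHA in the same way would keep the page's two examples consistent and avoid handing the credential to whatever the tag points at later.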