@kubabuczak

CSPL-4201: Migrate GitHub Actions to OIDC Authentication

Overview

Replaces static AWS credentials with OIDC authentication across all GitHub Actions workflows, eliminating long-lived credentials.

Key Changes

GitHub Workflows (24 updated)

  • All workflows now use OIDC role assumption instead of static credentials
  • Updated to aws-actions/configure-aws-credentials@v5
  • Added id-token: write permission
  • Separated S3 test credentials (TEST_S3_ACCESS_KEY_ID, TEST_S3_SECRET_ACCESS_KEY)
  • Added job-level timeouts

Test Infrastructure

  • Updated test/testenv/testcaseenv.go to support new credential sources (with fallback)
  • Updated helm test S3 bucket scripts to use environment variables

Security Benefits

  • ✅ No long-lived credentials in GitHub Secrets
  • ✅ Short-lived tokens (1 hour default)
  • ✅ Repository-restricted access
  • ✅ Least privilege model (OIDC role for CI/CD, limited S3 user for tests)

Testing

All workflows tested with OIDC authentication:

ARM Workflows:

Main Workflows:

Required Setup

GitHub Variables:

  • AWS_ROLE_ARN
  • AWS_REGION
  • AWS_ROLE_DURATION_SECONDS
  • TEST_S3_ACCESS_KEY_ID

GitHub Secrets:

  • TEST_S3_SECRET_ACCESS_KEY

Post-Merge

  1. Configure GitHub variables/secrets
  2. Verify workflows execute successfully
  3. Remove old credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) after 1 week
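As an added example (not code from this PR or the project's own workflows; the workflow name, the `gha-` session-name prefix and the `make int-test` command are constructed placeholders), this is what one of the described workflows looks like once the job carries `id-token: write` and assumes the role through `aws-actions/configure-aws-credentials@v5`, using the variable and secret names the description lists:

```yaml
name: integration-tests   # constructed name, not one of the 24 workflows in the PR

on:
  push:
    branches: [main]
  pull_request:

# id-token: write lets the runner request a GitHub OIDC token for this job;
# everything else stays read-only. Without it the credentials action fails
# because no token can be fetched.
permissions:
  id-token: write
  contents: read

jobs:
  integration-test:
    runs-on: ubuntu-latest
    timeout-minutes: 240      # job-level timeout, as the PR adds
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived AWS credentials.
      # No access key or secret key is read from GitHub Secrets here.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          role-session-name: gha-${{ github.run_id }}   # constructed prefix; shows up in CloudTrail
          aws-region: ${{ vars.AWS_REGION }}
          role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}

      # Sanity check: log which role session the job is actually running as
      # before anything touches AWS.
      - name: Verify assumed identity
        run: aws sts get-caller-identity

      - name: Run Integration test
        env:
          # Limited S3 user for the in-cluster tests. The key ID is a GitHub
          # variable (not masked in logs); only the secret key is a secret.
          TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
          TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
        run: make int-test   # placeholder; the real test entrypoint is not shown on this page
```

The "repository-restricted access" benefit comes from the IAM role's trust policy, not from the workflow file: the trust policy for the `AWS_ROLE_ARN` role should require `token.actions.githubusercontent.com:aud` to equal `sts.amazonaws.com` and constrain `token.actions.githubusercontent.com:sub` to `repo:<org>/<repo>:*` (or a specific branch or environment). A role whose trust policy lacks the `sub` condition can be assumed by any GitHub repository that knows the ARN, so that condition is the first thing to verify in the post-merge checklist. The `sts get-caller-identity` step leaves a log line with the assumed role session, which is also the quickest way to spot a misconfigured `AWS_ROLE_ARN` or `AWS_REGION` variable.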

coveralls commented Nov 28, 2025

Pull Request Test Coverage Report for Build 19897319256

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.008%) to 86.363%

Totals Coverage Status
Change from base Build 19895847490: 0.008%
Covered Lines: 10728
Relevant Lines: 12422

💛 - Coveralls

@kubabuczak kubabuczak changed the title CSPL-4201 use OIDC in GitHub pipelinesde CSPL-4201 use OIDC in GitHub pipelines Nov 28, 2025
…of static credentials

- Replaced aws-actions/configure-aws-credentials@v1 with v5 across multiple workflows.
- Updated AWS credential configuration to use role-based access with role-to-assume and role-session-name.
- Added permissions for contents, packages, and pull-requests in several workflows.
…ase branch

- Added CSPL-4201-pipeline-tests-base branch to the trigger conditions for multiple workflows including build-test-push, distroless integration tests, helm tests, and various integration tests for Azure and GCP.
…eout settings

- Added role-duration-seconds parameter to AWS credential configurations across multiple workflows.
- Increased timeout settings for integration and smoke tests to 420 minutes and 360 minutes respectively in various workflows.
- Added 'id-token: write' permission to the build-test-push workflow for enhanced security and access control.
…bserved values

Reduce timeout settings across multiple GitHub Actions workflows for integration and smoke tests from 360/420 minutes to 240 minutes, optimizing resource usage and execution time.
…redentials

- Added environment variables TEST_S3_ACCESS_KEY_ID and TEST_S3_SECRET_ACCESS_KEY to multiple workflows for integration and smoke tests, allowing for optional overrides of AWS credentials.
- Updated test scripts to utilize these environment variables when creating S3 secrets, enhancing flexibility and security in credential management.
…ests

- Changed skipLogOutput from true to false in the S3 copy command for multiple helm test YAML files, ensuring that log output is captured during execution for better debugging and monitoring.
@kubabuczak kubabuczak force-pushed the CSPL-4201-use-OIDC-in-github-pipelines branch from e6dd841 to bf1129a Compare December 2, 2025 09:42
@kubabuczak kubabuczak force-pushed the CSPL-4201-use-OIDC-in-github-pipelines branch from 16523c5 to 85bb593 Compare December 3, 2025 14:27
- name: Run Integration test
timeout-minutes: 240
env:
TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
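Review bot: `TEST_S3_ACCESS_KEY_ID` is read from `vars`, which GitHub prints unmasked in job logs, while its partner `TEST_S3_SECRET_ACCESS_KEY` comes from `secrets`; the split is defensible (the key ID alone grants nothing), but it is the first thing a reviewer asks about, so add a one-line comment above the `env` block stating that only the secret key is treated as a secret and that the ID is intentionally a variable.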
Why access key is used from vars, not from secrets?

@kubabuczak (author):
Because it's not a secret, it's a variable

I thought the same thing originally. The secret access key is setup as a secret. This is just the key id as a variable.

export PLATFORMS=linux/arm64,linux/amd64
export BASE_IMAGE=ubuntu
export BASE_IMAGE_VERSION=24.10
export BASE_IMAGE_VERSION=24.04
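Review bot: the `BASE_IMAGE_VERSION` change from `24.10` to `24.04` is a base-image switch to the LTS release that the PR description ("Key Changes") does not mention; add a line there so the change is not lost inside an OIDC-focused PR, and name the reason (24.10 is out of its support window) in the commit message as well.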

Why do you decrease it?

@kubabuczak (author), Dec 4, 2025:

24.04 is an LTS (Long Term Support) release. The next LTS will be 26.04.
24.10 is not supported anymore (non-LTS releases are supported for 9 months).
More info: https://ubuntu.com/about/release-cycle
