Skip to content

Update JFrog GitHub OIDC setup docs #37596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Update JFrog GitHub OIDC setup docs #37596

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
8c8514c
Update JFrog GitHub OIDC setup docs
EyalDelarea Apr 17, 2025
8aca661
Merge branch 'main' into update_jfrog_docs
EyalDelarea Apr 17, 2025
7c0f732
Remove note section
EyalDelarea Apr 17, 2025
b6e661d
Merge branch 'update_jfrog_docs' of https://github.com/EyalDelarea/do…
EyalDelarea Apr 17, 2025
d295d1a
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea Apr 17, 2025
9c67e23
Fix diff
EyalDelarea Apr 17, 2025
adb9081
CR
EyalDelarea Apr 20, 2025
5152bae
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea Apr 20, 2025
9246dee
Remove unused variable
EyalDelarea Apr 20, 2025
48859cf
Update
EyalDelarea Apr 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 25 additions & 43 deletions ...ions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,59 +52,41 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables

## Updating your {% data variables.product.prodname_actions %} workflow

Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file.
### Example: Authenticating with JFrog using OIDC

In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.

The following example uses the placeholder `YOUR_PROVIDER_NAME`.
The following example uses the placeholders YOUR_PROVIDER_NAME and YOUR_AUDIENCE.

```yaml
- name: Fetch Access Token from Artifactory
id: fetch_access_token
env:
ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
run: |
ACCESS_TOKEN=$(curl \
-X POST \
-H "Content-type: application/json" \
https://example.jfrog.io/access/api/v1/oidc/token \
-d \
"{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"')
echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
```

The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL.

```yaml
- name: Get ID Token (cURL method)
id: idtoken
run: |
ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT
```

Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context).

{% data reusables.actions.oidc-deployment-protection-rules %}
permissions:
id-token: write
contents: read

```yaml
jobs:
build:
runs-on: ubuntu-latest
env:
OIDC_AUDIENCE: 'YOUR_AUDIENCE'
steps:
- name: Setup JFrog CLI with OIDC
uses: jfrog/setup-jfrog-cli@v4
with:
oidc-provider-name: 'YOUR_PROVIDER_NAME'
oidc-audience: 'YOUR_AUDIENCE'

- name: Upload artifact
run: jf rt upload "dist/*.zip" my-repo/
```

Then, in your workflow file, retrieve the value of the variables stored in the `env` context. The following example uses the `env` context to retrieve the OIDC audience.
## Security Best Practices

```yaml
- name: Get ID Token (using env context)
uses: {% data reusables.actions.action-github-script %}
id: idtoken
with:
script: |
const coredemo = require('@actions/core');
let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
coredemo.setOutput('id_token', id_token);
- Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
- Limit trust using specific claims like `repository`, `ref`, or `environment`.
- Configure identity mappings in JFrog to restrict authentication to specific workflows.

## Further Reading

- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
- [JFrog Platform Identify Mappings DOCS](https://jfrog.com/help/r/jfrog-platform-administration-documentation/identity-mappings)
- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token)
- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
```
Loading