#github-actions (2023-06)

Discussions related to GitHub Actions

2023-06-01

2023-06-02

actions Archives | The GitHub Blog
07:55:35 PM

GitHub Actions – Just-in-time self-hosted runners

2023-06-13

actions Archives | The GitHub Blog
03:05:39 PM

GitHub Actions: You can now disable repo level self-hosted runners in an Enterprise and Organization

actions Archives | The GitHub Blog
03:45:42 PM

GitHub Actions: All Actions will run on Node16 instead of Node12 by default

actions Archives | The GitHub Blog
07:15:38 PM

Fix to improve security around creation of pull requests in public repos

2023-06-15

actions Archives | The GitHub Blog
11:45:41 PM

GitHub Actions – Securing OpenID Connect (OIDC) token permissions in reusable workflows

For securely enabling OpenID Connect (OIDC) in your reusable workflows, we are now making the permissions more restrictive. If you need to fetch an OIDC token generated within a reusable (called) workflow that is outside your enterprise/organization, then the permissions setting for id-token should now be explicitly set to write at the caller workflow level […]

2023-06-19

Pawel Rein

Speaking of GHA and OIDC, does anyone know how I can filter CloudTrail for events coming from OIDC?

Gabriela Campana (Cloud Posse)

@Dan Miller (Cloud Posse)

Dan Miller (Cloud Posse)

The easiest way seems to be to filter for the role that is assumed

Dan Miller (Cloud Posse)
Use IAM roles to connect GitHub Actions to actions in AWS | Amazon Web Services

May 22, 2023: We updated the post to reflect case sensitivity in the IDP entered: https://token.actions.githubusercontent.com. The IDP created in this post should be entered in lowercase through the post. Have you ever wanted to initiate change in an Amazon Web Services (AWS) account after you update a GitHub repository, or deploy updates in an […]

Dan Miller (Cloud Posse)


Audit the role’s use with Amazon CloudTrail logs.

Pawel Rein

@Dan Miller (Cloud Posse) thanks, I can’t see a way to filter by role at least in the simple “event history”. I guess I have to export events somewhere else to filter by role

2023-06-21

actions Archives | The GitHub Blog
05:15:43 PM

GitHub-hosted larger runners for Actions are generally available

2023-06-22

Pawel Rein

Hi, does anyone know any way to detect a stale / hung job and kill it? Something that implements an idle timeout as opposed to a regular “dumb” timeout

Pawel Rein

for the record, I created a wrapper action that does that if anyone needs one

2023-06-27

actions Archives | The GitHub Blog
08:35:32 PM

GitHub Actions – Update on OIDC integration with AWS

We have received customers reporting errors with Actions’ OIDC integration with AWS. This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate. There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers […]

Pawel Rein

I have both thumbnails configured, yet it’s failing. Does anyone know other possible reasons?

Pawel Rein

For anyone looking: they forgot to list one thumbprint, at least in the version I was looking at. Here is a one-liner that finds the one you need to add: https://github.com/aws-actions/configure-aws-credentials/issues/357#issuecomment-1183591299 which together with the 2 they listed gives

6938fd4d98bab03faadb97b34396831e3780aea1
f879abce0008e4eb126e0097e46620f5aaae26ad
1c58a3a8518e8759bf075b76b750d4f2df264fcd
Comment on #357 OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

If you’re looking for a one-liner to find the latest thumbprint, here’s one I came up with based on the IAM docs:

openssl s_client \
        -servername token.actions.githubusercontent.com \
        -showcerts \
        -connect token.actions.githubusercontent.com:443 2>/dev/null < /dev/null | \
    openssl x509 -fingerprint -noout | \
    grep Fingerprint | \
    tr -d ':' | \
    tr '[:upper:]' '[:lower:]' | \
    cut -f2 -d=

2023-06-28

2023-06-30

actions Archives | The GitHub Blog
02:45:36 PM

GitHub Actions – Actions Runner General availability
