Unverified Commit 5eb885c2 authored by John DiSanti's avatar John DiSanti Committed by GitHub

Update GitHub thumbprints for OIDC in CI (#2813)

CI uses an `OpenIdConnectProvider` to grant access to certain operations
in the CI AWS account to the GitHub Actions runners. This provider
checks the certificate thumbprints to validate the authenticity of
connect requests. GitHub recently [added a new
thumbprint](https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/),
which was causing CI and the PR bot to intermittently fail since the
OIDC provider wasn't aware of it. This PR corrects the thumbprints to
reestablish consistency in CI.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
parent 57459f04
+8 −2
@@ -17,7 +17,13 @@ import { Construct } from "constructs";
///
/// This was done with the initial Idp URL of:
/// https://token.actions.githubusercontent.com/.well-known/openid-configuration
export const GITHUB_CERTIFICATE_THUMBPRINT = "6938FD4D98BAB03FAADB97B34396831E3780AEA1";
///
/// Note: as of June 27, 2023, there are now two possible thumbprints from GitHub:
/// https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
export const GITHUB_CERTIFICATE_THUMBPRINTS = [
    "6938FD4D98BAB03FAADB97B34396831E3780AEA1",
    "1C58A3A8518E8759BF075B76B750D4F2DF264FCD",
];

// There can only be one OIDC provider for a given URL per AWS account,
// so put these in their own stack to be shared with other stacks.
@@ -32,7 +38,7 @@ export class OidcProviderStack extends Stack {

        this.githubActionsOidcProvider = new OpenIdConnectProvider(this, "oidc-provider", {
            url: "https://token.actions.githubusercontent.com",
            thumbprints: [GITHUB_CERTIFICATE_THUMBPRINT],
            thumbprints: GITHUB_CERTIFICATE_THUMBPRINTS,
            clientIds: ["sts.amazonaws.com"],
        });
    }
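Review bot: The new GITHUB_CERTIFICATE_THUMBPRINTS constant documents its second entry only by a link to the changelog post, whereas the constant it replaces recorded how its value was derived from the IdP's openid-configuration URL, so a reader cannot re-verify the new fingerprint from what is in the file. Suggest extending the comment above the array to state, for each entry, which certificate in the chain it was taken from and how it was computed, so the next rotation can be validated against the IdP endpoint rather than copied from a blog post. Since the list is exported and is the set of trust anchors the provider will accept, consider declaring it `] as const;` (or wrapping it in `Object.freeze`) so it cannot be mutated at runtime. The constructor that the second hunk edits opens outside that hunk.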
+1095 −806



+2 −2
@@ -5,7 +5,7 @@

import { App } from "aws-cdk-lib";
import { Template } from "aws-cdk-lib/assertions";
import { GITHUB_CERTIFICATE_THUMBPRINT, OidcProviderStack } from "../lib/oidc-provider-stack";
import { GITHUB_CERTIFICATE_THUMBPRINTS, OidcProviderStack } from "../lib/oidc-provider-stack";

test("it should have an OIDC provider", () => {
    const app = new App();
@@ -15,7 +15,7 @@ test("it should have an OIDC provider", () => {
    // Verify the OIDC provider
    template.hasResourceProperties("Custom::AWSCDKOpenIdConnectProvider", {
        ClientIDList: ["sts.amazonaws.com"],
        ThumbprintList: [GITHUB_CERTIFICATE_THUMBPRINT],
        ThumbprintList: GITHUB_CERTIFICATE_THUMBPRINTS,
        Url: "https://token.actions.githubusercontent.com",
    });
});
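Review bot: The assertion `ThumbprintList: GITHUB_CERTIFICATE_THUMBPRINTS` compares the synthesized template against the same constant the stack reads, so the test passes for any contents of that array and would not catch a thumbprint being dropped or mistyped. Pinning the expectation as literals, `ThumbprintList: ["6938FD4D98BAB03FAADB97B34396831E3780AEA1", "1C58A3A8518E8759BF075B76B750D4F2DF264FCD"],`, makes the trust anchors the provider accepts an explicit, reviewed value; the import in the first hunk could then be narrowed to OidcProviderStack alone. The `test` callback this hunk belongs to opens in the first hunk, and its body between the two hunks is not shown.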