Description
Please describe the enhancement
#4317 includes a spike (incomplete, demo-able code) for authenticating GitHub Actions using a distinct username structure. We've decided that this approach makes sense, but the code in question has a few "TODOs" or "This is gross" items that need cleanup, along with tests. It also needs about 3-4 months of PRs merged and re-testing.
Solution Proposal
Complete the 2-3 TODOs in the draft PR, and add tests for internal/auth/githubactions (new code) and internal/auth/jwt/dynamic (also new code).
Describe alternatives you've considered
Attempt to use Keycloak token exchange:
- GitHub Actions is a different
iss(issuer) than human GitHub OIDC, with differently-shaped identities - GitHub Actions identities are not able to do things like accept Terms & Conditions or follow a webpage to delete their account
Additional context
Adding support to the Minder CLI to automatically pick up and use the GitHub token endpoint will be a subsequent item.
Acceptance Criteria
The GitHub Action at https://github.com/evankanderson/actions-id-token-testing/blob/main/.github/workflows/minder-auth-token-test.yaml should work against any deployed Minder instance.