Update JFrog GitHub OIDC setup docs #37596
Open
wants to merge 31 commits into
base: main
8c8514c
Update JFrog GitHub OIDC setup docs
EyalDelarea Apr 17, 2025
8aca661
Merge branch 'main' into update_jfrog_docs
EyalDelarea Apr 17, 2025
7c0f732
Remove note section
EyalDelarea Apr 17, 2025
b6e661d
Merge branch 'update_jfrog_docs' of https://github.com/EyalDelarea/do…
EyalDelarea Apr 17, 2025
d295d1a
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea Apr 17, 2025
9c67e23
Fix diff
EyalDelarea Apr 17, 2025
adb9081
CR
EyalDelarea Apr 20, 2025
5152bae
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea Apr 20, 2025
9246dee
Remove unused variable
EyalDelarea Apr 20, 2025
48859cf
Update
EyalDelarea Apr 21, 2025
a1ca515
Update
EyalDelarea Apr 24, 2025
ed8ab47
Update
EyalDelarea Apr 24, 2025
1d1b453
Remove unneeded link
EyalDelarea Apr 27, 2025
25123d1
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea Apr 27, 2025
554c351
Update
EyalDelarea Apr 27, 2025
c219ce1
Merge branch 'main' of https://github.com/github/docs into update_jfr…
EyalDelarea May 4, 2025
33afa50
Remove the security section
EyalDelarea May 4, 2025
2162642
Update
EyalDelarea May 4, 2025
14c5fee
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 5, 2025
9554cc2
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 12, 2025
6ff7f79
CR
EyalDelarea May 12, 2025
b855d02
Merge branch 'update_jfrog_docs' of https://github.com/EyalDelarea/do…
EyalDelarea May 12, 2025
3126895
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 12, 2025
970249b
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 13, 2025
e3cba36
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 13, 2025
01a424a
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 14, 2025
43a087d
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 18, 2025
fe5153a
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 22, 2025
b2d7317
Merge branch 'main' into update_jfrog_docs
subatoi May 28, 2025
285c775
Merge branch 'main' into update_jfrog_docs
subatoi May 28, 2025
0398058
Merge branch 'main' into update_jfrog_docs
EyalDelarea May 29, 2025
Update JFrog GitHub OIDC setup docs
EyalDelarea committed Apr 17, 2025
commit 8c8514ca27aa996b0b343b9b72595cbc07f65a05
@@ -1,4 +1,3 @@
---
title: Configuring OpenID Connect in JFrog
shortTitle: OpenID Connect in JFrog
intro: Use OpenID Connect within your workflows to authenticate with JFrog.
Expand All @@ -19,6 +18,8 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %}

This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.

> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary.

For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation.

For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository.
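
Review bot: The added note says "You only need to configure your provider name and audience", but the workflow example later in this change also depends on `permissions: id-token: write`, and the new Security Best Practices list tells readers to always set it. Without that permission the job cannot request an ID token, so the note should name it alongside the provider name and audience. It would also help to say that the `v4.5.7+` minimum applies to whatever version the workflow's `uses:` reference actually resolves to.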
Expand Down Expand Up @@ -52,59 +53,36 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables

## Updating your {% data variables.product.prodname_actions %} workflow

Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file.

Contributor

Is this information not accurate any more? It seems to add a nice bridge between the H2 and the H3

In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.

The following example uses the placeholder `YOUR_PROVIDER_NAME`.
### Example: Authenticating with JFrog using OIDC
EyalDelarea marked this conversation as resolved.

Contributor

Suggested change
### Example: Authenticating with JFrog using OIDC
### Authenticating with JFrog using OIDC

```yaml
- name: Fetch Access Token from Artifactory
id: fetch_access_token
env:
ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
run: |
ACCESS_TOKEN=$(curl \
-X POST \
-H "Content-type: application/json" \
https://example.jfrog.io/access/api/v1/oidc/token \
-d \
"{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"')
echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
```

The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL.

```yaml
- name: Get ID Token (cURL method)
id: idtoken
run: |
ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT
```
permissions:
id-token: write
contents: read

Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context).

{% data reusables.actions.oidc-deployment-protection-rules %}

```yaml
jobs:
build:
runs-on: ubuntu-latest
env:
OIDC_AUDIENCE: 'YOUR_AUDIENCE'
steps:
- name: Setup JFrog CLI with OIDC
uses: jfrog/setup-jfrog-cli@v4
Contributor

Suggested change
- name: Setup JFrog CLI with OIDC
- name: Set up JFrog CLI with OIDC

with:
EyalDelarea marked this conversation as resolved.
oidc-provider-name: 'YOUR_PROVIDER_NAME'
oidc-audience: 'YOUR_AUDIENCE'

- name: Upload artifact
run: jf rt upload "dist/*.zip" my-repo/
```

Then, in your workflow file, retrieve the value of the variables stored in the `env` context. The following example uses the `env` context to retrieve the OIDC audience.
## Security Best Practices

```yaml
- name: Get ID Token (using env context)
uses: {% data reusables.actions.action-github-script %}
id: idtoken
with:
script: |
const coredemo = require('@actions/core');
let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
coredemo.setOutput('id_token', id_token);
- Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
- Limit trust using specific claims like `repository`, `ref`, or `environment`.
- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate.

EyalDelarea marked this conversation as resolved.
## Further Reading

Contributor

Suggested change
## Further Reading
## Further reading

- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
EyalDelarea marked this conversation as resolved.
- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
Contributor

Suggested change
- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
- [OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) in the JFrog documentation

- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token)
```
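
Review bot: In the workflow example, the job-level `env` still defines `OIDC_AUDIENCE: 'YOUR_AUDIENCE'`, but the `jfrog/setup-jfrog-cli` step passes the literal `oidc-audience: 'YOUR_AUDIENCE'` and no visible step reads the variable, so readers see two places to set the audience and only one takes effect. Either pass `oidc-audience: ${{ env.OIDC_AUDIENCE }}` or drop the `env` entry. Separately, `uses: jfrog/setup-jfrog-cli@v4` is a floating major tag while the note earlier in the file requires v4.5.7+; stating the minimum next to the example, or pinning to a full commit SHA, would make the requirement explicit. The "Limit trust using specific claims" bullet would also be easier to act on with one concrete identity-mapping example, since matching on `repository` alone accepts every branch and workflow in that repository.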