diff --git a/pkg/identity/github/principal.go b/pkg/identity/github/principal.go
index da9e4442e..5eaa74a2d 100644
--- a/pkg/identity/github/principal.go
+++ b/pkg/identity/github/principal.go
@@ -18,7 +18,6 @@ import (
 "context"
 "crypto/x509"
 "errors"
- "fmt"
 "net/url"
 
 "github.com/coreos/go-oidc/v3/oidc"
@@ -106,7 +105,6 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 WorkflowSha string `json:"workflow_sha"`
 RunID string `json:"run_id"`
 RunAttempt string `json:"run_attempt"`
- Enterprise string `json:"enterprise"`
 }
 if err := token.Claims(&claims); err != nil {
 return nil, err
@@ -161,16 +159,10 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 return nil, errors.New("missing run_attempt claim in ID token")
 }
 
- baseURL := `https://github.com/`
-
- if claims.Enterprise != "" {
- baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
- }
-
 return &workflowPrincipal{
 subject: token.Subject,
 issuer: token.Issuer,
- url: baseURL,
+ url: `https://github.com/`,
 sha: claims.Sha,
 eventName: claims.EventName,
 repository: claims.Repository,
diff --git a/pkg/identity/github/principal_test.go b/pkg/identity/github/principal_test.go
index 7368fefb0..3b1d01bec 100644
--- a/pkg/identity/github/principal_test.go
+++ b/pkg/identity/github/principal_test.go
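Review bot: In the `return &workflowPrincipal{` hunk of principal.go, `url` is now a bare literal with no comment recording why the claim-derived host was dropped, so a later change could quietly reintroduce the pattern the removed lines show — interpolating the unvalidated `enterprise` claim straight into a hostname with `fmt.Sprintf`. I would hoist the literal into a package-level `const githubBaseURL = "https://github.com/"`, use it on the `url:` line, and add above that line `// Base URL is fixed to github.com; a host derived from token claims must be validated before it is ever used here.` The first two hunks (the `fmt` import and the `Enterprise` field) are just the mechanical consequences of this one. WorkflowPrincipalFromIDToken starts and ends outside the hunk.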
@@ -84,53 +84,6 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
 },
 WantErr: false,
 },
- `Valid token, custom base url authenticates with correct claims`: {
- Claims: map[string]interface{}{
- "aud": "sigstore",
- "event_name": "push",
- "exp": 0,
- "iss": "https://token.actions.githubusercontent.com",
- "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
- "job_workflow_sha": "example-sha",
- "ref": "refs/heads/main",
- "repository": "sigstore/fulcio",
- "repository_id": "12345",
- "repository_owner": "username",
- "repository_owner_id": "345",
- "repository_visibility": "public",
- "run_attempt": "1",
- "run_id": "42",
- "runner_environment": "cloud-hosted",
- "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "sub": "repo:sigstore/fulcio:ref:refs/heads/main",
- "workflow": "foo",
- "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
- "workflow_sha": "example-sha-other",
- "enterprise": "test",
- },
- ExpectPrincipal: workflowPrincipal{
- issuer: "https://token.actions.githubusercontent.com",
- subject: "repo:sigstore/fulcio:ref:refs/heads/main",
- url: "https://test.ghe.com/",
- jobWorkflowRef: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
- sha: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- eventName: "push",
- repository: "sigstore/fulcio",
- workflow: "foo",
- ref: "refs/heads/main",
- jobWorkflowSha: "example-sha",
- runnerEnvironment: "cloud-hosted",
- repositoryID: "12345",
- repositoryOwner: "username",
- repositoryOwnerID: "345",
- repositoryVisibility: "public",
- workflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
- workflowSha: "example-sha-other",
- runID: "42",
- runAttempt: "1",
- },
- WantErr: false,
- },
 `Token missing job_workflow_ref claim should be rejected`: {
 Claims: map[string]interface{}{
 "aud": "sigstore",