Fix Authentik WIF token endpoint
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m8s
Build Site / Next.js Build (push) Failing after 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 12:33:39 -07:00
parent 5ef4fdef64
commit 8180c3c35a
2 changed files with 33 additions and 1 deletions

View file

@ -7,6 +7,7 @@ pool_id="${BURROW_GOOGLE_WIF_POOL_ID:-burrow-authentik}"
provider_id="${BURROW_GOOGLE_WIF_PROVIDER_ID:-forgejo-runners}" provider_id="${BURROW_GOOGLE_WIF_PROVIDER_ID:-forgejo-runners}"
service_account="${BURROW_GOOGLE_WIF_SERVICE_ACCOUNT:-burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com}" service_account="${BURROW_GOOGLE_WIF_SERVICE_ACCOUNT:-burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com}"
authentik_issuer="${BURROW_AUTHENTIK_WIF_ISSUER:-https://auth.burrow.net/application/o/google-cloud/}" authentik_issuer="${BURROW_AUTHENTIK_WIF_ISSUER:-https://auth.burrow.net/application/o/google-cloud/}"
authentik_token_endpoint="${BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT:-}"
authentik_audience="${BURROW_AUTHENTIK_WIF_AUDIENCE:-google-wif.burrow.net}" authentik_audience="${BURROW_AUTHENTIK_WIF_AUDIENCE:-google-wif.burrow.net}"
authentik_client_id="${BURROW_AUTHENTIK_WIF_CLIENT_ID:-${AUTHENTIK_GOOGLE_WIF_CLIENT_ID:-google-wif.burrow.net}}" authentik_client_id="${BURROW_AUTHENTIK_WIF_CLIENT_ID:-${AUTHENTIK_GOOGLE_WIF_CLIENT_ID:-google-wif.burrow.net}}"
authentik_client_secret="${BURROW_AUTHENTIK_WIF_CLIENT_SECRET:-${AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET:-}}" authentik_client_secret="${BURROW_AUTHENTIK_WIF_CLIENT_SECRET:-${AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET:-}}"
@ -30,6 +31,7 @@ Inputs:
BURROW_GOOGLE_WIF_PROVIDER_ID BURROW_GOOGLE_WIF_PROVIDER_ID
BURROW_GOOGLE_WIF_SERVICE_ACCOUNT BURROW_GOOGLE_WIF_SERVICE_ACCOUNT
BURROW_AUTHENTIK_WIF_ISSUER BURROW_AUTHENTIK_WIF_ISSUER
BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT
BURROW_AUTHENTIK_WIF_AUDIENCE BURROW_AUTHENTIK_WIF_AUDIENCE
BURROW_AUTHENTIK_WIF_TOKEN or BURROW_AUTHENTIK_WIF_TOKEN_FILE BURROW_AUTHENTIK_WIF_TOKEN or BURROW_AUTHENTIK_WIF_TOKEN_FILE
@ -66,6 +68,32 @@ require_command gcloud
require_command curl require_command curl
require_command jq require_command jq
resolve_token_endpoint() {
if [[ -n "$authentik_token_endpoint" ]]; then
printf '%s\n' "$authentik_token_endpoint"
return
fi
local issuer_no_slash="${authentik_issuer%/}"
local discovered=""
if discovered="$(
curl -fsS "${issuer_no_slash}/.well-known/openid-configuration" 2>/dev/null \
| jq -r '.token_endpoint // empty' 2>/dev/null
)" && [[ -n "$discovered" ]]; then
printf '%s\n' "$discovered"
return
fi
case "$issuer_no_slash" in
*/application/o/*)
printf '%s/application/o/token/\n' "${issuer_no_slash%%/application/o/*}"
;;
*)
printf '%s/token/\n' "$issuer_no_slash"
;;
esac
}
mkdir -p "$work_dir" mkdir -p "$work_dir"
chmod 0700 "$work_dir" chmod 0700 "$work_dir"
@ -85,7 +113,7 @@ else
echo "missing Authentik WIF token. Set BURROW_AUTHENTIK_WIF_TOKEN, BURROW_AUTHENTIK_WIF_TOKEN_FILE, or BURROW_AUTHENTIK_WIF_CLIENT_SECRET." >&2 echo "missing Authentik WIF token. Set BURROW_AUTHENTIK_WIF_TOKEN, BURROW_AUTHENTIK_WIF_TOKEN_FILE, or BURROW_AUTHENTIK_WIF_CLIENT_SECRET." >&2
exit 1 exit 1
fi fi
token_endpoint="${authentik_issuer%/}/token/" token_endpoint="$(resolve_token_endpoint)"
curl -fsS \ curl -fsS \
-u "${authentik_client_id}:${authentik_client_secret}" \ -u "${authentik_client_id}:${authentik_client_secret}" \
-d grant_type=client_credentials \ -d grant_type=client_credentials \

View file

@ -81,6 +81,10 @@ The same change also makes the forge itself the release authority: release tags
resolves Nix from those profile paths, and the action builds `.#age` before resolves Nix from those profile paths, and the action builds `.#age` before
falling back to `.#agenix`. The decrypt step must not require Python before falling back to `.#agenix`. The decrypt step must not require Python before
the Nix CI shell is active. the Nix CI shell is active.
- Authentik-backed Google WIF must exchange tokens against Authentik's OAuth
token endpoint, not a provider-slug child path. The helper should prefer an
explicit `BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT`, then OIDC discovery, then the
Authentik `/application/o/token/` fallback derived from the configured issuer.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.