fix: Update token.actions.githubusercontent.com thumbprint #355
✅ Pull request refreshed
Nice, I just ran into this issue myself :)
I get a different thumbprint.
I am unable to replicate that thumbprint. I did test the one I added in this PR, and it is working.
I'm still getting the original thumbprint?!
It probably is cached. It may take a few hours for the rotation to propagate everywhere, I guess?
My build jobs were consistently failing against us-east-1 and us-east-2 with the old hash, and consistently passing with the new hash.
@GrahamCampbell How did you work out the thumbprint?
@GrahamCampbell Cool, thanks!
Co-authored-by: Richard Clarke <[email protected]>
Thanks for the feedback, everyone. I have updated the thumbprint.
Any updates from maintainers on getting this merged? My pipelines are broken atm.
The fix is on your AWS account, not this repo. This PR is just to update documentation.
Ope, my bad. Tyty @mkamioner
FWIW, here's a snippet to retrieve the thumbprint:

```sh
HOST_NAME="token.actions.githubusercontent.com"
# Dump the chain the server presents, keep only the last certificate in it
# (the top CA the server sends), and print that certificate's SHA-1 fingerprint
# in the format IAM expects: lowercase hex, no colons.
openssl s_client -servername "$HOST_NAME" -showcerts -verify 1 -connect "$HOST_NAME:443" </dev/null 2>/dev/null | \
awk '/-----BEGIN CERTIFICATE-----/ { rec = "" }; { rec = rec $0 ORS; if (/-----END CERTIFICATE-----/) { out = rec } } END { print out }' | \
openssl x509 -fingerprint -sha1 -noout -in /dev/stdin | \
cut -d '=' -f 2 | tr -d ':' | tr '[:upper:]' '[:lower:]'
```
Maybe we should merge? :)
LGTM
The recommendation to hard-code this in CloudFormation doesn't seem very good. This is going to break every few months when GitHub rotates their cert. Are there any AWS best practices around this? Just updating it in CloudFormation and re-deploying isn't going to cut it if your CloudFormation file is itself deployed via GitHub Actions...
EDIT: GitHub have confirmed the new hash, validating this change - https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/.
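Worked example, added here and not code from this PR or the project: it does in Python what the awk pipeline posted earlier in the thread does (select the last certificate in the chain `openssl s_client -showcerts` prints and take the hex SHA-1 of its DER bytes, which is exactly what `openssl x509 -fingerprint -sha1` reports), and then checks that value against an IAM OIDC provider's ThumbprintList. IAM accepts up to five thumbprints per provider, so the rotation problem raised above is easier to handle by adding the new thumbprint while the old one is still listed than by swapping a single hard-coded value. The `s_client` output below is constructed: its PEM bodies decode to the bytes `leaf` and `abc`, not to real certificates, and the configured thumbprint in the usage call is a placeholder, not GitHub's.

```python
"""Derive an IAM OIDC thumbprint from `openssl s_client -showcerts` output and
check it against a provider's ThumbprintList.

Assumptions (not taken from the PR): IAM's thumbprint is the lowercase hex SHA-1
of the DER encoding of the top CA certificate the server presents, and a
ThumbprintList holds at most five entries.
"""
import base64
import hashlib
import re

IAM_THUMBPRINT_LIMIT = 5  # IAM accepts at most five thumbprints per OIDC provider

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for `openssl s_client -showcerts` output. The base64
# bodies decode to b"leaf" and b"abc", not to real certificates, so the
# expected SHA-1 values are known in advance.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.invalid
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""


def pem_to_der(pem_body: str) -> bytes:
    """Drop line breaks inside a PEM body and base64-decode it to DER bytes."""
    return base64.b64decode("".join(pem_body.split()))


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as lowercase hex without colons (IAM's format)."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(showcerts_output: str) -> list:
    """Thumbprint of every certificate, in the order the server sent them (leaf first)."""
    return [sha1_thumbprint(pem_to_der(body)) for body in PEM_RE.findall(showcerts_output)]


def oidc_thumbprint(showcerts_output: str) -> str:
    """The value for ThumbprintList: the last certificate in the presented chain,
    i.e. the same one the awk pipeline in the thread keeps."""
    prints = chain_thumbprints(showcerts_output)
    if not prints:
        raise ValueError("no certificate found in s_client output")
    return prints[-1]


def normalise(thumbprint: str) -> str:
    """Accept the colon-separated, mixed-case form openssl prints as well as IAM's."""
    return thumbprint.replace(":", "").strip().lower()


def check_provider(configured: list, observed: str) -> dict:
    """Compare the thumbprint seen on the wire with a provider's ThumbprintList.

    Rotation that keeps pipelines working: add the new thumbprint while the old
    one is still listed, then drop the old one once no jobs depend on it.
    """
    current = {normalise(t) for t in configured}
    want = normalise(observed)
    proposed = current | {want}
    return {
        "trusted": want in current,
        "action": "none" if want in current else "add",
        "proposed_list": sorted(proposed),
        "fits_limit": len(proposed) <= IAM_THUMBPRINT_LIMIT,
    }


if __name__ == "__main__":
    observed = oidc_thumbprint(SAMPLE_SHOWCERTS)
    # Placeholder ThumbprintList entry, not a real GitHub thumbprint.
    print(check_provider(["00" * 20], observed))
```

To use it against a live host, pipe the real `openssl s_client -showcerts` output into `oidc_thumbprint` and pass the provider's current ThumbprintList (from `aws iam get-open-id-connect-provider`) to `check_provider`; an `action` of `add` with `fits_limit` true means the new thumbprint can go in alongside the old one.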