How to Scale End-to-End Observability in AWS Environments

Github Actions Welcome New Open-ID Security Features

Open-ID connect tokens are a new security feature that has been added to GitHub Actions.

Nov. 3, 2021, 3:06 p.m.

TL;DR

GitActions welcome two new features: Open-ID tokens and the Reusable workflow. The features are expected to function with the cloud providers and further automation for users.

The presentation was to show another benefit of the OIDC tokens, which is configuring conditions for tokens

Key Facts

1
The Open-ID tokens are to correct hazards experienced with encrypted environment variables.
2
Each cloud provider token guideline has been released.
3
Reusable workflow, a new feature, is currently in the Beta stage.
4
Limitations to the workflow would be fixed before it's released on GA.

Details

A new security feature based on Open-ID has been added to the GitHub Actions. The GitHub Actions, which first premiered in 2018, has noticed close to a 100% increase each year since it became available on general availability in 2019.

GitHub Actions has noticed an increased usage from the 75 million jobs per month documented at the Universe 2020 to over 147 million jobs per month reported at the universe 2021. Also, the amount of actions in the GitHub marketplace has improved, going from 6,200 in 2020 to 10,431 in late October. Cloud vendors benefit from delivering Actions that make it simple to automate their use. A timely investigation disclosed 300 AWS actions and 136 for Azure. Actions for Slack and Teams notifications are also not left out.

Resources that are needed for testing and databases are required by GitHub actions to first undergo authentication against them before they can be accessed or deployed for use. To authenticate these resources, an encrypted environment variable is used. Still, hazards such as outdated credentials needing to be updated and secrets being logged in plain text are hard to avoid.

To solve these hazards, the Open-ID Connect (OIDC) tokens were introduced. The tokens require the user to request a one-time code from the cloud provider. Cloud providers such as Google cloud, HashiCorp Vault, AWS, and Microsoft Azure can provide these tokens. The tokens can be requested by a step or action in the users' workflow. GitHub has provided uses for the tokens and guides specific to each cloud provider.

The product manager at GitHub, Jennifer Schelkopf, also made a presentation highlighting another advantage of the tokens. Her presentation showed that access to the production environment could be withheld for the "deploy to production," and the initial staging job does not require access for configuration. The presentation was to show another benefit of the OIDC tokens, which is configuring conditions for tokens.

The folks at GitHub actions also announced the reusable workflow currently in Beta Testing. The workflow is designed for users to be able to summon a workflow from another workflow. This action would have previously required action with the uses statement, and the reusable workflow feature makes it easier. A reusable workflow has to be called precisely in this way, using a "workflow_call event" that gets inputs containing secrets from the calling workflow. The major advantage is a reduced use of "clipboard inheritance."

Limitations to the workflow include the inability of a reusable workflow to summon another reusable workflow, a term referred to as nesting. Also, the caller workflow does not have access to outputs from the called workflow. This would, however, be fixed before being released on General Availability.