use id token as password

block · Oct 2, 2024 · e4238ba · e4238ba
1 parent bbf355b
commit e4238ba
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 21 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -48,6 +48,9 @@ jobs:
 
   # On Ubuntu we build, test, verify, and deploy: Code Coverage, Test Vectors, and SNAPSHOT artifacts to TBD Artifactory
   build-test-deploy-snapshot-ubuntu:
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -91,20 +94,13 @@ jobs:
             --batch-mode \
             -DnewVersion=${{ steps.resolve_version.outputs.resolved_version }}
 
-          # Only attempt to publish artifact if we have credentials
-          if [ -n "${{ secrets.ARTIFACTORY_PASSWORD }}" ]; then
-            # Maven deploy lifecycle will build, run tests, verify, sign, and deploy
-            mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts
-          else
-            # Otherwise, Maven verify lifecycle will build, run tests, and verify
-            mvn verify --batch-mode
-          fi
-
+          export ARTIFACTORY_PASSWORD="$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)"
+          # Maven deploy lifecycle will build, run tests, verify, sign, and deploy
+          mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts
         env:
-          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
           SIGN_KEY_PASS: ${{ secrets.GPG_SECRET_PASSPHRASE }}
           SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }}
+          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
 
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@v4

diff --git a/.maven_settings.xml b/.maven_settings.xml
@@ -5,16 +5,6 @@
       <username>tbd-releases</username>
       <password>${env.TBD_RELEASE_GITHUB_PERSONAL_ACCESS_TOKEN}</password>
     </server>
-    <server>
-      <id>block-oss-releases</id>
-      <username>${env.ARTIFACTORY_USERNAME}</username>
-      <password>${env.ARTIFACTORY_PASSWORD}</password>
-    </server>
-    <server>
-      <id>block-oss-snapshots</id>
-      <username>${env.ARTIFACTORY_USERNAME}</username>
-      <password>${env.ARTIFACTORY_PASSWORD}</password>
-    </server>
     <server>
       <id>ossrh-snapshots</id>
       <username>${env.SONATYPE_USERNAME}</username>