Add GiHub OIDC test

.github/workflows/on-push.yml

@@ -37,9 +37,12 @@ jobs:
       run: git ls-files -z | xargs -0 -- codespell
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        # python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python-version: ["3.12"]
     steps:
     - uses: actions/checkout@v3
     - name: Set up Python ${{ matrix.python-version }}
@@ -62,6 +65,8 @@ jobs:
         sudo chmod o+rw /dev/kvm || :
     # - name: Run tests
     #   run: pytest -s
+    - name: Run GitHub OIDC test
+      run: ./github-actions-test/run.sh
   release:
     runs-on: ubuntu-latest
     steps:

github-actions-test/export-description.toml

@@ -0,0 +1,5 @@
+port = 2192
+
+[[parts]]
+compatible = [ "test" ]
+tcp.test = { host = "127.0.0.1", port = 1234 }

github-actions-test/hub.toml

@@ -0,0 +1,12 @@
+log_level = "debug"
+
+[auth]
+issuer = "http://localhost:8080/realms/master"
+client_id = "not-my-board"
+
+[[auth.permissions]]
+claims.actor_id = "8659229"  # holesch
+claims.repository = "holesch/not-my-board"
+claims.workflow = "on-push"
+claims.iss = "https://token.actions.githubusercontent.com"
+roles = ["importer"]

github-actions-test/run.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+PS4=">>> "
+set -x
+
+script_dir="${0%/*}"
+
+NOT_MY_BOARD_HUB_CONFIG="$script_dir/hub.toml" not-my-board hub &
+hub_pid="$!"
+sleep 1
+
+not-my-board export http://localhost:2092 "$script_dir/export-description.toml" &
+
+sudo true
+sudo `which not-my-board` agent --token-cmd "curl -sH 'Authorization: bearer  $ACTIONS_ID_TOKEN_REQUEST_TOKEN' '$ACTIONS_ID_TOKEN_REQUEST_URL&audience=not-my-board' | jq -r '.value'" http://localhost:2092 &
+sleep 1
+
+sudo `which not-my-board` attach "$script_dir/test.toml"
+sleep 1
+sudo `which not-my-board` status
+
+kill "$hub_pid"

github-actions-test/test.toml

@@ -0,0 +1,3 @@
+[parts.test]
+compatible = [ "test" ]
+tcp.test = { local_port = 1236 }