Add GiHub OIDC test

.github/workflows/on-push.yml

@@ -37,9 +37,11 @@ jobs:
       run: git ls-files -z | xargs -0 -- codespell
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python-version: ["3.12"]
     steps:
     - uses: actions/checkout@v3
     - name: Set up Python ${{ matrix.python-version }}
@@ -57,6 +59,8 @@ jobs:
           tinyproxy \
           ;
         pip install .[test]
+    - name: Run GitHub OIDC test
+      run: ./github-actions-test/run.sh
     - name: Allow kvm usage
       run: |
         sudo chmod o+rw /dev/kvm || :

github-actions-test/export-description.toml

@@ -0,0 +1,5 @@
+port = 2192
+
+[[parts]]
+compatible = [ "test" ]
+tcp.test = { host = "127.0.0.1", port = 1234 }

github-actions-test/hub.toml

@@ -0,0 +1,12 @@
+log_level = "debug"
+
+[auth]
+issuer = "http://localhost:8080/realms/master"
+client_id = "not-my-board"
+
+[[auth.permissions]]
+claims.actor_id = "8659229"  # holesch
+claims.repository = "holesch/not-my-board"
+claims.workflow = "on-push"
+claims.iss = "https://token.actions.githubusercontent.com"
+roles = ["importer", "exporter"]

github-actions-test/run.sh

@@ -0,0 +1,23 @@
+#!/bin/sh -e
+PS4=">>> "
+set -x
+
+script_dir="${0%/*}"
+
+NOT_MY_BOARD_HUB_CONFIG="$script_dir/hub.toml" not-my-board hub &
+hub_pid="$!"
+sleep 1
+
+token_cmd="curl -sH 'Authorization: bearer  $ACTIONS_ID_TOKEN_REQUEST_TOKEN' '$ACTIONS_ID_TOKEN_REQUEST_URL&audience=\$client_id' | jq -r '.value'"
+
+not-my-board export --token-cmd "$token_cmd" http://localhost:2092 "$script_dir/export-description.toml" &
+
+sudo `which not-my-board` agent --token-cmd "$token_cmd" http://localhost:2092 &
+sleep 1
+
+sudo `which not-my-board` attach "$script_dir/test.toml"
+sleep 1
+sudo `which not-my-board` status
+sleep 720
+
+kill "$hub_pid"

github-actions-test/test.toml

@@ -0,0 +1,3 @@
+[parts.test]
+compatible = [ "test" ]
+tcp.test = { local_port = 1236 }