Skip to content

ci: source OIDC identity from repository vars#132

Merged
Pigbibi merged 3 commits into
mainfrom
codex/binance-oidc-workflow-vars-20260716
Jul 16, 2026
Merged

ci: source OIDC identity from repository vars#132
Pigbibi merged 3 commits into
mainfrom
codex/binance-oidc-workflow-vars-20260716

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • source GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, and GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT from repository variables
  • fail closed before checkout, authentication, deployment, or other remote steps when any required variable is empty
  • update the existing Runtime and Watchdog workflow contract tests

The three repository variable names were verified as present before this PR. No variable values are included here.

Scope

Workflow wiring and focused contract tests only. No runtime, permissions, triggers, deployment parameters, business logic, or dependency changes.

Validation

  • python3 -m pytest -q tests/test_watchdog_workflow.py (8 passed)
  • bash tests/test_runtime_workflow_shared_config.sh
  • YAML parse plus local empty/configured preflight simulation
  • actionlint .github/workflows/main.yml .github/workflows/watchdog.yml
  • git diff HEAD^ --check

Risk

If any required repository variable becomes empty, both workflows now stop before remote actions instead of using a deployment-specific fallback. The required variable names are currently present.

Co-Authored-By: Codex <noreply@openai.com>
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Codex PR Review

Merge allowed: blocking findings were cleared by independent Codex arbitration

⚖️ Codex Review Arbitration

clear: The prior blocker is demonstrably fixed by the cumulative diff. Both .github/workflows/main.yml and .github/workflows/watchdog.yml now fail in a pre-authentication preflight step unless the three repository variables GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, and GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT hash to the single hard-coded EXPECTED_OIDC_IDENTITY_SHA256 value stored in version control. That means changing repository variables alone can no longer silently retarget OIDC or deployment identity; any approved identity change now requires a PR that updates the reviewed workflow constant. The added tests in tests/test_runtime_workflow_shared_config.sh and tests/test_watchdog_workflow.py also treat that fixed digest gate, its ordering before checkout/auth, and its fail-closed behavior as contract evidence. No current finding remains valid, and there is no contract conflict because there are no current blocking findings.


Review by Codex PR Review bot • PR

Pigbibi and others added 2 commits July 16, 2026 08:25
…rkflow-vars-20260716

Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
@Pigbibi Pigbibi merged commit 4acfc5e into main Jul 16, 2026
3 checks passed
@Pigbibi Pigbibi deleted the codex/binance-oidc-workflow-vars-20260716 branch July 16, 2026 00:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant