Using Octelium in GitHub Actions

Your User, and especially a WORKLOAD User used by non-human entities such as GitHub Actions workflows, can access HTTP-based Services (e.g. HTTP/gRPC APIs, Kubernetes clusters) through the clientless BeyondCorp mode via OAuth2 client credentials (read more here) and via directly issued access tokens used in bearer authentication (read more here). In many cases, however, you might want to access non-HTTP Services, such as databases, from within your GitHub Actions workflows. Octelium enables you to connect to your Cluster and access any arbitrary Service from within your workflows via the official octelium/github-action GitHub Action. Here is an example of a GitHub Actions workflow:

name: main
permissions:
  contents: read
on:
  push:
    branches:
      - master
      - main
jobs:
  do-main:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Octelium
        uses: octelium/github-action@master
        with:
          domain: <DOMAIN>
          auth-token: ${{ secrets.OCTELIUM_AUTH_TOKEN }}
      - name: Access your Octelium Services
        run: |
          curl http://demo-nginx

As you can see, the authentication token (read more about issuing authentication tokens here) is stored as a GitHub repository secret named OCTELIUM_AUTH_TOKEN.

You can also authenticate to your Octelium Cluster in a "secretless" way by using GitHub's own OIDC-issued identity tokens as assertions (read more here). To do so, you first need to create an oidcIdentityToken IdentityProvider as follows:

kind: IdentityProvider
metadata:
  name: github-actions
spec:
  oidcIdentityToken:
    issuerURL: https://token.actions.githubusercontent.com

Now your User can set an identifier for the github-actions IdentityProvider as follows:

kind: User
metadata:
  name: github-action-workflows
spec:
  type: WORKLOAD
  authentication:
    identities:
      - identityProvider: github-actions
        identifier: repo:<ORG_NAME>/<REPO_NAME>:ref:refs/heads/<BRANCH_NAME>
  authorization:
    policies: ["policy-1", "policy-2"]
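The identifier above is the value GitHub puts in the sub claim of the OIDC token it issues to a workflow run, so the User is bound to one repository and one branch rather than to anything GitHub signs. The following is an added illustration, not Octelium's code, of the two checks that binding implies: the token's iss must equal the IdentityProvider's issuerURL, and its sub must equal one of the User's identifiers for that IdentityProvider. The org, repo and branch values are constructed placeholders, the token is a constructed JWT-shaped string with a dummy signature, and signature verification against the issuer's JWKS (which a real verifier must do before trusting any claim) is assumed to have already happened.

```python
import base64
import json

# issuerURL is the value from the IdentityProvider on this page.
# The org/repo/branch in the identifier are constructed placeholders.
ISSUER_URL = "https://token.actions.githubusercontent.com"
USER_IDENTITIES = [
    {
        "identityProvider": "github-actions",
        "identifier": "repo:example-org/example-repo:ref:refs/heads/main",
    },
]


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string for demonstration only.

    The third segment is a dummy; this is not a valid GitHub token and
    would be rejected by any verifier that checks the signature.
    """
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def match_identity(token: str, idp_name: str, issuer_url: str, identities: list) -> bool:
    """Return True only if the token's iss equals the IdentityProvider's
    issuerURL and its sub equals one of the User's identifiers registered
    for that IdentityProvider. Assumes the signature was verified earlier."""
    try:
        payload = json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return False
    if not isinstance(payload, dict):
        return False
    # Issuer check: a token from any other issuer is rejected outright.
    if payload.get("iss") != issuer_url:
        return False
    # Subject check: exact match against the identifiers bound to this IdentityProvider.
    return any(
        ident["identityProvider"] == idp_name and ident["identifier"] == payload.get("sub")
        for ident in identities
    )


if __name__ == "__main__":
    # Constructed tokens: one from the bound branch, one from another branch.
    ok = make_unsigned_token(
        {"iss": ISSUER_URL, "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
    )
    other_branch = make_unsigned_token(
        {"iss": ISSUER_URL, "sub": "repo:example-org/example-repo:ref:refs/heads/feature"}
    )
    print("main branch:", match_identity(ok, "github-actions", ISSUER_URL, USER_IDENTITIES))
    print("feature branch:", match_identity(other_branch, "github-actions", ISSUER_URL, USER_IDENTITIES))
```

Because the match is exact, a run on any other branch, or from a fork or another repository, carries a different sub and does not map to this User; if you need several branches to authenticate, each one needs its own entry under identities.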

Your GitHub Actions workflow needs the id-token: write permission in order to request an OIDC identity token. Your workflow should now look as follows:

name: main
permissions:
  contents: read
  id-token: write
on:
  push:
    branches:
      - master
      - main
jobs:
  do-main:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Octelium
        uses: octelium/github-action@master
        with:
          domain: <DOMAIN>
          assertion-idp: github-actions
      - name: Access your Octelium Services
        run: |
          curl http://demo-nginx