Using Octelium in GitHub Actions

Your User, especially a WORKLOAD User used by non-human entities such as GitHub Actions workflows, can access HTTP-based Services (e.g. HTTP/gRPC APIs, Kubernetes clusters) through the client-less BeyondCorp mode, using either OAuth2 client credentials (read more here) or directly issued access tokens sent as bearer tokens (read more here). However, in many cases you might want to access non-HTTP Services, such as databases, from within your GitHub Actions workflows. Octelium enables you to connect to your Cluster and access any arbitrary Service from within your workflows via the official octelium/github-action GitHub Action. Here is an example of a GitHub Actions workflow:

    name: main
    permissions:
      contents: read
    on:
      push:
        branches:
          - master
          - main
    jobs:
      do-main:
        runs-on: ubuntu-24.04
        steps:
          - name: Check out code
            uses: actions/checkout@v4

          - name: Octelium
            uses: octelium/github-action@master
            with:
              domain: <DOMAIN>
              auth-token: ${{ secrets.OCTELIUM_AUTH_TOKEN }}

          - name: Access your Octelium Services
            run: |
              curl http://demo-nginx

As you can see, the authentication token (read more about issuing authentication tokens here) is stored as a GitHub repository secret with the name OCTELIUM_AUTH_TOKEN.

You can also authenticate to your Octelium Cluster in a "secret-less" way using GitHub's own OIDC issued identity token assertions (read more here). To do so, we first need to create an oidcIdentityToken IdentityProvider as follows:

    kind: IdentityProvider
    metadata:
      name: github-actions
    spec:
      oidcIdentityToken:
        issuerURL: https://token.actions.githubusercontent.com

Now your User can set an identifier for the github-actions IdentityProvider as follows:

    kind: User
    metadata:
      name: github-action-workflows
    spec:
      type: WORKLOAD
      authentication:
        identities:
          - identityProvider: github-actions
            identifier: repo:<ORG_NAME>/<REPO_NAME>:ref:refs/heads/<BRANCH_NAME>
      authorization:
        policies: ["policy-1", "policy-2"]

Your GitHub Actions workflow needs the permission id-token: write to generate an OIDC identity token. Your workflow should now look as follows:

    name: main
    permissions:
      contents: read
      id-token: write
    on:
      push:
        branches:
          - master
          - main
    jobs:
      do-main:
        runs-on: ubuntu-24.04
        steps:
          - name: Check out code
            uses: actions/checkout@v4

          - name: Octelium
            uses: octelium/github-action@master
            with:
              domain: <DOMAIN>
              assertion-idp: github-actions

          - name: Access your Octelium Services
            run: |
              curl http://demo-nginx
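
The User identifier above has the shape of the sub claim in GitHub's OIDC tokens, and that claim changes with the triggering event and with job environments. The following added example (not part of the Octelium documentation) derives GitHub's default sub for several kinds of run and checks each against a constructed identifier. It assumes Octelium compares the identifier to sub and issuerURL to iss; example-org/example-repo and the helper names are placeholders.

```python
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # issuerURL from the IdentityProvider
IDENTIFIER = "repo:example-org/example-repo:ref:refs/heads/main"  # constructed User identifier


def default_subject(repo, ref, event_name, environment=None):
    """GitHub's default `sub` claim for a run (no customized subject template)."""
    if environment:                     # job declares `environment:`
        return f"repo:{repo}:environment:{environment}"
    if event_name == "pull_request":    # PR runs carry no ref in `sub`
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"     # branch or tag ref


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def matches_identity(claims, issuer, identifier):
    """Assumption: the identifier is compared to `sub` and the issuer to `iss`."""
    return claims.get("iss") == issuer and claims.get("sub") == identifier


def make_sample_token(repo, ref, event_name, environment=None):
    """Constructed, unsigned sample token; real tokens are signed by GitHub."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": GITHUB_ISSUER, "sub": default_subject(repo, ref, event_name, environment)}
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    runs = [  # constructed sample runs: (event, ref, environment)
        ("push", "refs/heads/main", None),
        ("push", "refs/heads/feature-x", None),
        ("pull_request", "refs/pull/7/merge", None),
        ("push", "refs/heads/main", "production"),
    ]
    for event, ref, env in runs:
        claims = jwt_claims(make_sample_token("example-org/example-repo", ref, event, env))
        print(f"{claims['sub']:55} match={matches_identity(claims, GITHUB_ISSUER, IDENTIFIER)}")
```

Only the push to main matches the identifier; a job that declares an environment, or a run triggered by pull_request, presents a different sub and needs its own identifier entry.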