Using the CLI with a public repository
Authentication between the Launchable CLI and Launchable API typically requires an API key. However, API keys cannot be used for open-source projects in public repositories since anyone can retrieve an API key by opening a pull request.
To solve this problem for open-source projects, Launchable offers another authentication mechanism called tokenless authentication. Instead of using a static token, tokenless authentication uses a CI/CD service provider's public API to verify if tests are actually running in CI. With this feature, OSS contributors can analyze and optimize test execution without a static Launchable API token.
These instructions changed in November 2022 with the introduction of OpenID Connect for authentication.
If you implemented tokenless authentication before November 2022, please follow Updating tokenless authentication to use GitHub OIDC.
Setting up tokenless authentication
Prerequisites
If your project is open source and you want to use Launchable,
Your open-source project needs to be hosted in a public GitHub repository
Your open-source project needs to use GitHub Actions for CI
Preparation
Sign up and create your Organization and Workspace
Contact us to enable tokenless authentication for your project. We need to know your Launchable organization, Launchable workspace, and GitHub repository URL.
Update your GitHub Actions YAML
Start using Launchable in your open-source project
GitHub Actions YAML configuration
After we've enabled tokenless authentication for your project, you must set three environment variables in your CI pipeline:
LAUNCHABLE_ORGANIZATION
: Launchable organization name
LAUNCHABLE_WORKSPACE
: Launchable workspace name
EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH
: Set this to 1
Then, add/update the permissions section of your GitHub Actions YAML file.
Tokenless authentication relies on OpenID Connect (OIDC) tokens. To use an OIDC token in GitHub Actions, you need to configure permissions to retrieve it. As described in the GitHub Help Article, the id-token: write permission needs to be added.
This permission can be added per job or to the entire workflow:
name: Verify Launchable tokenless authentication

on:
  pull_request:
    paths:
      - gradle/**

env:
  LAUNCHABLE_ORGANIZATION: "examples"
  LAUNCHABLE_WORKSPACE: "gradle"
  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v2
      - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
          java-version: 1.8

      - name: Launchable
        run: |
          pip3 install --user launchable~=1.0
          export PATH=~/.local/bin:$PATH
          launchable verify
        working-directory: ./gradle
About OpenID Connect (OIDC)
In November 2022 we added support for OpenID Connect for authentication.
If you implemented tokenless authentication before November 2022, please follow Updating tokenless authentication to use GitHub OIDC.
OIDC implementation overview
GitHub now provides a short-lived signed token for each GitHub Actions run (About security hardening with OpenID Connect). This token is signed with GitHub's private key, and its validity can be verified with GitHub's public key. This makes the token a security credential that major cloud providers such as AWS, Azure, and Google Cloud accept as an authentication token. Launchable implements the same mechanism as these cloud providers, so we can accept it as a credential.
Frequently Asked Questions
What is included in the OIDC token?
GitHub provides a detailed explanation and example of the OIDC token. See Understanding the OIDC token.
How does Launchable verify the OIDC token?
When you apply for tokenless authentication, we associate your GitHub repository with your Launchable workspace in our internal database.
When you run the CLI, the Launchable API server verifies the OIDC token and checks that the repository claim in it matches the stored association.
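The check described in this answer, as an added example written for this page (not Launchable's server code): mintToken stands in for GitHub's token service using a locally generated RSA key in place of GitHub's published signing key, and verifyToken shows the order a verifier keeps, signature first, then issuer, audience and expiry, then the repository claim against the stored workspace association. The audience value, the repository names and the function names are assumptions; the issuer URL is GitHub's real one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of the GitHub Actions OIDC token that the check below uses.
type Claims struct {
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	Repository string `json:"repository"`
	Exp        int64  `json:"exp"`
}
const githubIssuer = "https://token.actions.githubusercontent.com" // GitHub's OIDC issuer
var b64 = base64.RawURLEncoding
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// mintToken stands in for GitHub's token service (constructed for this demo): an RS256-signed JWT.
func mintToken(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig)
}
// verifyToken is the API-server side: signature against GitHub's public key before any claim is trusted
// (short-circuit order parses the payload only after the signature checks out), then issuer, audience and
// expiry (now is Unix time), then the repository claim against the association stored for the workspace.
func verifyToken(pub *rsa.PublicKey, token, aud, associatedRepo string, now int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	body, err2 := b64.DecodeString(parts[1])
	if err != nil || err2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad signature or payload")
	}
	if c.Iss != githubIssuer || c.Aud != aud || now >= c.Exp {
		return c, errors.New("issuer, audience or expiry check failed")
	}
	if c.Repository != associatedRepo {
		return c, errors.New("repository is not the one associated with this workspace")
	}
	return c, nil
}
```

A production verifier fetches GitHub's JWKS, selects the key by the token's kid header, and rejects unexpected alg values; the local key pair here only replaces that lookup.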
Can I see how the CLI handles the OIDC token?
Sure! Check out these commits in the public CLI repository: