feat: add audience parameter for GitHub OIDC identity token

.github/workflows/e2e.yml

@@ -9,7 +9,7 @@ on:
     - cron: '0 5 * * 0'
 
 env:
-  # The certificate is valid for this host so in order to use "secure" mode we add this to hosts and use for calling central 
+  # The certificate is valid for this host so in order to use "secure" mode we add this to hosts and use for calling central
   ROX_HOST: 'central.stackrox'
   ROX_PORT: 8000
 
@@ -25,15 +25,15 @@ jobs:
       - name: Set up hostname
         run: |
           echo "127.0.0.1 ${ROX_HOST}" | sudo tee -a /etc/hosts >/dev/null
-      
+
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1
-      
+
       - uses: actions/checkout@v6
         with:
           repository: stackrox/stackrox
           path: stackrox
-      
+
       - name: Install Stackrox
         env:
           MAIN_IMAGE_TAG: "latest"
@@ -65,6 +65,7 @@ jobs:
           '{
             "config": {
               "type": "GITHUB_ACTIONS",
+              "audience": "central.stackrox.io",
               "tokenExpirationDuration": "5m",
               "mappings": [
                 {
@@ -79,6 +80,7 @@ jobs:
       - name: Run central-login action
         uses: ./
         with:
+          audience: central.stackrox.io
           endpoint: ${{ env.ROX_URL }}
 
       - name: Install roxctl

README.md

@@ -15,15 +15,17 @@ This is as simple as adding the following step to your workflow:
     - name: Central Login
       uses: stackrox/central-login@v1
       with:
+        audience: central.stackrox.io
         endpoint: https://<central-endpoint>:443
 ```
 
 ## Parameters
 
-| Parameter name    | Required?      | Description                                                      |
-|-------------------|----------------|------------------------------------------------------------------|
-| `endpoint`        | **(required)** | API endpoint of the ACS Central instance.                        |
-| `skip-tls-verify` | (optional)     | Skip TLS certificat verification for ACS Central's API endpoint. |
+| Parameter name    | Required?      | Description                                                          |
+|-------------------|----------------|----------------------------------------------------------------------|
+| `audience`        | (optional)     | Custom audience for the GitHub OIDC identity token request. Must match the expected audience configured in the Central machine-to-machine authentication integration. When left empty, the default GitHub audience is used. |
+| `endpoint`        | **(required)** | API endpoint of the ACS Central instance.                            |
+| `skip-tls-verify` | (optional)     | Skip TLS certificat verification for ACS Central's API endpoint.     |
 
 ## Overview
 
@@ -57,6 +59,7 @@ curl \
   {
     "config": {
       "type": "GITHUB_ACTIONS",
+      "audience": "central.stackrox.io",
       "tokenExpirationDuration": "5m", // This can be used to specify the expiration of the exchanged access token.
       "mappings": [ // Mappings configure which token claims to map to which roles within the ACS Central instance.
         {
@@ -87,6 +90,7 @@ add the following step to your workflow:
     - name: Central Login
       uses: stackrox/central-login@v1
       with:
+        audience: central.stackrox.io
         endpoint: https://<central-endpoint>:443
 ```
 
@@ -101,6 +105,7 @@ For verifying everything works correctly, the example below can be used:
     - name: Login to Central
       uses: stackrox/central-login@v1
       with:
+        audience: central.stackrox.io
         endpoint: https://<central-endpoint>:443
 
     - name: Install roxctl from Central

action.yml

@@ -1,6 +1,9 @@
 name: 'central-login'
 description: A GitHub Action to configure login credentials for an ACS Central instance for use in subsequent steps
 inputs:
+  audience:
+    required: false
+    description: 'Custom audience for the GitHub OIDC identity token request'
   endpoint:
     required: true
     description: 'Central API endpoint in the format of https://<host>:<port>'