This is the server for Permissionizer, a GitHub OIDC token exchange: it issues GitHub tokens to a requesting repository when the target repository's policy allows it.
For detailed guidance on how to use the Permissionizer App, please refer to the permissionizer/request-token action documentation.
The token-issuing process is secure and requires explicit policies for every token exchange. Organizations that want full control over the exchange and its deployment can nevertheless create a custom Permissionizer App and deploy their own instance of the Permissionizer Server. This ensures that no tokens ever leave the organization's internal network.
To completely self-host a Permissionizer Server, follow these steps:

1. **Create a GitHub App.** Set up a GitHub App with the required permissions and install it into the desired repository or organization. The only required permission is `contents: read`, which lets the server read the `.github/permissionizer.yaml` policy file in the target repository; all other permissions are optional and depend on which permissions you need to request for cross-repository automations.
2. **Configure the Server.** Add the GitHub App details to the `config/permissionizer-server.yaml` file or use environment variables (refer to `config/.env` for the supported variables).
3. **Run the Server.** Use the official Docker image `ghcr.io/permissionizer/server:latest` to deploy the server. Mount the configuration file or pass the required environment variables.
4. **Integrate with `permissionizer/request-token`.** When using the `permissionizer/request-token` action, specify the custom server URL in the `permissionizer-server` input:

   ```yaml
   - id: request-token
     uses: permissionizer/request-token@v1
     with:
       permissionizer-server: https://permissionizer.mycompany.com
       target-repository: mycompany/myrepo
       permissions: |
         contents: read
         issues: write
   ```
For local development:

- Create a GitHub App with the required permissions and install it into the repository / org.
- Add the app details into `config/dev/permissionizer-server.yaml` (see `config/permissionizer-server.yaml`).
- Start the permissionizer server:

  ```sh
  go run .
  ```

- Issue a permissionizer token with a (fake) GitHub OIDC token:

  ```sh
  curl -d '{ "target_repositories": ["permissionizer/server"], "permissions": { "contents": "read" } }' \
    -H "Authorization: Bearer $(go run . --fake-token --repository permissionizer/request-token)" \
    http://localhost:8080/v1/token
  ```
Note: the `--fake-token` flag generates an unsigned JWT that imitates the token issued by GitHub OIDC.
To use it, you must disable all token checks when starting the server by setting `permissionizer.unsecure.skip-token-validation: true`
(not suited for production use).