Revoke tokens using RFC7009 instead of just deleting them from disk.
Not sure if Google Auth supports RFC 7009, but it would be much better for the cleanup to revoke the token as well as deleting it.
An exfiltrated/exposed token usually has a much longer lifetime than the pipeline. To reduce the window available to a bad actor, it would be great to revoke the token via RFC7009.
There is no way to revoke OAuth2 tokens for service accounts. The https://oauth2.google.com/revoke endpoint will return the following:
```json
{
  "error": "invalid_request",
  "error_description": "Token is not revocable."
}
```
It's possible to revoke user tokens, but that's a very unlikely use case for GitHub Actions. My recommendation is to keep the token lifetimes as short as possible. You can control the value with the token_lifetime input parameter to the action.
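An RFC 7009 revocation client that shows what the request in the issue looks like on the wire and how to tell a successful revocation apart from the "Token is not revocable." answer the maintainer reports for service-account tokens. This is an added example, not code from the google-github-actions/auth action or from either participant. The endpoint URL is the one quoted in the reply above; the stub transport, its canned responses and the token strings are constructed so the block runs offline, and `urllib_transport` is the hypothetical real transport you would substitute in a cleanup step.

```python
"""RFC 7009 token revocation with an injectable transport (added example, not the action's code)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Revocation endpoint exactly as quoted in the maintainer reply above.
REVOKE_ENDPOINT = "https://oauth2.google.com/revoke"

# transport(url, form_body, headers) -> (http_status, response_body)
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


@dataclass
class RevocationResult:
    revoked: bool
    status: int
    error: Optional[str] = None
    description: Optional[str] = None


def build_revocation_request(token: str, token_type_hint: str = "access_token") -> Tuple[bytes, Dict[str, str]]:
    """RFC 7009 section 2.1: POST application/x-www-form-urlencoded with `token` and an optional hint."""
    form = {"token": token, "token_type_hint": token_type_hint}
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return body, headers


def revoke_token(token: str, transport: Transport, endpoint: str = REVOKE_ENDPOINT,
                 token_type_hint: str = "access_token") -> RevocationResult:
    """Send the revocation request and classify the answer per RFC 7009 section 2.2."""
    body, headers = build_revocation_request(token, token_type_hint)
    status, payload = transport(endpoint, body, headers)
    # 200 means the token is now invalid, including tokens the server never knew about.
    if status == 200:
        return RevocationResult(True, status)
    error = description = None
    try:
        parsed = json.loads(payload.decode("utf-8") or "{}")
        error = parsed.get("error")
        description = parsed.get("error_description")
    except (ValueError, UnicodeDecodeError):
        pass  # non-JSON error body: keep status only
    return RevocationResult(False, status, error, description)


def is_not_revocable(result: RevocationResult) -> bool:
    """True for the response body the maintainer reply reports for service-account tokens."""
    return (result.error == "invalid_request"
            and (result.description or "").strip().lower() == "token is not revocable.")


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Hypothetical real transport; not exercised by the offline demonstration below."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


# Constructed canned responses standing in for the server; the tokens are hypothetical.
_CANNED = {
    "ya29.user-token": (200, b""),
    "ya29.sa-token": (400, json.dumps({"error": "invalid_request",
                                       "error_description": "Token is not revocable."}).encode()),
    "ya29.refresh-only": (400, b'{"error": "unsupported_token_type"}'),
}


def stub_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Offline stand-in: looks the token up in the canned table; unknown tokens get 200 as RFC 7009 requires."""
    form = urllib.parse.parse_qs(body.decode("ascii"))
    return _CANNED.get(form["token"][0], (200, b""))


if __name__ == "__main__":
    for tok in ("ya29.user-token", "ya29.sa-token", "ya29.refresh-only", "ya29.unknown"):
        r = revoke_token(tok, stub_transport)
        if r.revoked:
            verdict = "revoked"
        elif is_not_revocable(r):
            verdict = "not revocable; rely on a short token_lifetime instead"
        else:
            verdict = f"failed: HTTP {r.status} {r.error}"
        print(f"{tok}: {verdict}")
```

The split between `build_revocation_request` and the transport keeps the protocol part testable without network access. In a cleanup step you would swap `stub_transport` for `urllib_transport`, treat the `is_not_revocable` case as expected for service-account tokens, and fall back to the short `token_lifetime` the maintainer recommends rather than failing the job.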
| Field | Value |
|---|---|
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |