Forgejo or Codeberg support

[link2xt]

Forgejo supports OIDC. I was able to get a JWT token on Codeberg with this workflow:

on:
  - push

# https://forgejo.org/docs/latest/user/actions/reference/#enable-openid-connect
#
# This adds ACTIONS_ID_TOKEN_REQUEST_URL that looks like
# <ACTIONS_ID_TOKEN_REQUEST_URL=https://codeberg.org/api/actions/_apis/pipelines/workflows/3705365/idtoken?placeholder=true>
# and
# <ACTIONS_ID_TOKEN_REQUEST_TOKEN>
enable-openid-connect: true

jobs:
  test:
    runs-on: codeberg-tiny-lazy
    steps:
      - run: |
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleCustomAudience" | jq -r .value

This gets me a JWT token that I can paste into https://it-tools.tech/jwt-parser and see "workflow" is "publish.yml", "repository" is the name of the user and repo, "ref" is "refs/heads/main" etc.

I want to use this similarly to GitHub Actions, but this step fails:

      - name: Install opkssh
        run: |
          curl -sSLf https://github.com/openpubkey/opkssh/releases/download/v0.14.0/opkssh-linux-amd64 -o opkssh
          chmod +x opkssh
          ./opkssh login github

Step prints:

2026/04/29 03:44:41 failed to find client config file to generate a default config, run `opkssh login --create-config` to create a default config file
2026/04/29 03:44:42 Error executing login command: error logging in: error requesting OIDC tokens from OpenID Provider: no matching public key found for kid XXXX
Error: error logging in: error requesting OIDC tokens from OpenID Provider: no matching public key found for kid XXXX
⚙️ [runner]: exitcode '1': failure

GitHub API seems similar: https://docs.github.com/en/actions/reference/security/oidc#methods-for-requesting-the-oidc-token

But maybe some other API is used in opkssh login github, because https://github.com/openpubkey/openpubkey/blob/d5b65c645acf59a8d415ad7acaa16fb5bb88dfc4/README.md mentions custom nonce and with curl I get a token without generating any nonce.

[link2xt]

I am looking at the code now.

There is a function called isGitHubEnvironment that checks for ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN in the environment:

opkssh/commands/login.go

Lines 885 to 888 in 193d798

	func isGitHubEnvironment() bool {
	return os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") != "" &&
	os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN") != ""
	}

Then GitHub provider is added here if these environment variables are present:

opkssh/commands/login.go

Lines 200 to 202 in 193d798

	if isGitHubEnvironment() {
	l.Config.Providers = append(l.Config.Providers, config.GitHubProviderConfig())
	}

And provider has hardcoded issuer https://token.actions.githubusercontent.com:

opkssh/commands/config/providerconfig.go

Lines 115 to 122 in 193d798

	func GitHubProviderConfig() ProviderConfig {
	return ProviderConfig{
	AliasList: []string{"github"},
	Issuer: "https://token.actions.githubusercontent.com",
	// This is required, but is not used for this provider.
	ClientID: "unused",
	}
	}

For Codeberg the issuer is https://codeberg.org/api/actions, this is likely why it fails.

So I need to somehow trigger this code to obtain ID token with ACTIONS_ID_TOKEN_REQUEST_* environment variables:

opkssh/commands/config/providerconfig.go

Lines 248 to 254 in 193d798

	} else if strings.HasPrefix(p.Issuer, "https://token.actions.githubusercontent.com") {
	githubOp, err := providers.NewGithubOpFromEnvironment()
	if err != nil {
	return nil, fmt.Errorf("error creating github op: %w", err)
	}
	provider = githubOp
	} else {

But then use https://codeberg.org/api/actions and not https://token.actions.githubusercontent.com.
Seems usage of ACTIONS_ID_TOKEN_REQUEST_* is hardcoded into GitHub provider:
https://github.com/openpubkey/openpubkey/blob/d5b65c645acf59a8d415ad7acaa16fb5bb88dfc4/providers/github_actions.go#L92

[link2xt]

There is https://codeberg.org/api/actions/.well-known/openid-configuration if this helps.

[EthanHeilman]

@link2xt Thank you for looking into this!

This would probably require a github like provider that both github and codeberg can use. It be a fairly simply change generalize openpubkey github provider to the issuer as a parameter in https://github.com/openpubkey/openpubkey and then no longer hardcoding the provider in opkssh.

Do you want to create a PR for that? If not, I'll put it together but it you'll have to wait a week or two for the feature.

[link2xt]

This would probably require a github like provider that both github and codeberg can use.

If this works for Codeberg, it will likely work for all Forgejo instances with Forgejo Actions, even self-hosted.

Do you want to create a PR for that? If not, I'll put it together but it you'll have to wait a week or two for the feature.

I don't write Go and don't know the details of https://github.com/openpubkey/openpubkey, so if you already know how to implement it, it's likely faster. I will for now look into setting up GithHub Actions with https://github.com/openpubkey/opkssh/blob/main/docs/github-actions.md first when i get to building OPKSSH setup further.

My experiments on Codeberg are at https://codeberg.org/link2xt/openid-testing
Codeberg information about free CI runners is at https://codeberg.org/actions/meta

[Blacks-Army]

Hey,

is there an update regarding this matter?

[EthanHeilman]

@Blacks-Army No updates from me, I haven't gotten a chance to get around to this. If someone wants to implement this I'm happy to review the code, but I won't have the free time to put this together until next week.

[Blacks-Army]

@Blacks-Army No updates from me, I haven't gotten a chance to get around to this. If someone wants to implement this I'm happy to review the code, but I won't have the free time to put this together until next week.

I could try, but since I have no experience with Go, I’d likely use AI to help me.