feat: OIDC execution tokens for CI workflow authorization (POC)

[shiroyasha]

Summary

• SuperPlane issues signed OIDC execution tokens when semaphore.runWorkflow triggers a pipeline, injected as the SUPERPLANE_OIDC_TOKEN workflow parameter alongside existing SUPERPLANE_* IDs.
• Adds a public POST /api/v1/oidc/verify endpoint that validates the JWT signature and confirms the canvas/node is authorized in the live canvas spec.
• Adds superplane oidc verify CLI command for CI pre-job steps (Semaphore, GitHub Actions, GitLab, etc.) to abort unauthorized production deploys or artifact uploads.

Test plan

• go test ./pkg/oidc/... ./pkg/public/... ./pkg/integrations/semaphore/components/...
• Trigger a Semaphore workflow from a canvas and confirm SUPERPLANE_OIDC_TOKEN is present in workflow parameters
• Run superplane oidc verify --pipeline-file ".semaphore/..." in a Semaphore job pre-step; confirm exit 0 for valid token and non-zero for missing/invalid token
• Verify unauthorized canvas/node or mismatched pipeline file is rejected by the verify API

Made with Cursor

[superplanehq-integration]

👋 Commands for maintainers:

• /sp start - Start an ephemeral machine (takes ~30s)
• /sp stop - Stop a running machine (auto-executed on pr close)

[superplane-gh-integration-9000]

Docs Impact Review

This PR introduces a new superplane oidc verify CLI command and a new OIDC execution-token security feature for Semaphore workflows — both are user-facing and not yet covered in the docs.

Suggested docs updates:

• docs.superplane.com/cli/ — new page or new section on an existing CLI page — Document the superplane oidc verify subcommand, including its three flags (--token / SUPERPLANE_OIDC_TOKEN env var, --url, and --claim key=value repeatable), its exit-code contract, and a usage example. The current CLI docs have no mention of the oidc command group.

• docs.superplane.com/security/ — new dedicated page: "OIDC Execution Tokens" — Explain the concept: SuperPlane signs a short-lived JWT for each Semaphore trigger, what claims are included (org_id, canvas_id, node_id, execution_id, component, project_id, pipeline_file, ref, commit_sha), how the token is delivered (SUPERPLANE_OIDC_TOKEN parameter), and how to verify it in CI using superplane oidc verify. Include guidance on pinning expected claims as hardcoded literals rather than trigger-time parameters, and the commit_sha / ref binding pattern. This is a new security concept that does not fit any existing security page.

• docs.superplane.com/components/semaphore — "Run Workflow" section — The Go Documentation() string was updated in this PR and will auto-regenerate the component reference page, so the injected-parameters table and the oidc verify example will appear there automatically. No manual edit needed to that page itself, but the auto-generated section should cross-link to the new OIDC security page once it exists.

Why: The PR ships a new CLI subcommand (superplane oidc verify) that is the primary user-facing tool for verifying OIDC execution tokens in CI pipelines, and it changes Semaphore's RunWorkflow to unconditionally inject SUPERPLANE_OIDC_TOKEN into every triggered workflow. Neither the CLI docs nor the Security section currently mention OIDC tokens, so users have no documentation for this new security mechanism or how to use the CLI command that accompanies it.

---

Maintainer commands

Command	What it does
/docs-agree	Open a tracking issue in superplanehq/docs and assign it to you.
/docs-reject <reason>	Dismiss this check. A short reason is required (e.g. /docs-reject not user-facing).

Posted automatically by warp-gateway · commit 761864b

[superplane-gh-integration-9000]

Risk: 72/100 (high)

Summary

Introduces RSA-signed OIDC JWT execution tokens injected into Semaphore CI workflow parameters, plus a CLI superplane oidc verify command for in-pipeline attestation checks.

Concerns

• POC label in a security-sensitive token-signing feature suggests it is not production-ready.
• No jti claim in signed JWTs; tokens are replayable within the 1-hour validity window.
• Token delivered as a plain workflow parameter, which may be logged or exposed in Semaphore's UI.
• buildParameters now hard-fails when OIDC is nil — breaking change for existing Semaphore integrations without OIDC_KEYS_PATH.
• Server panics on startup if OIDC_KEYS_PATH is unset; no graceful degradation path for current deployments.
• Actual verification error swallowed in verify.go and replaced with a generic message, complicating incident diagnosis.
• fetchIssuer makes an unauthenticated HTTP request to a caller-controlled URL; potential SSRF in attacker-influenced CI environments.
• No issuer-binding check: the discovered issuer is trusted at face value with no additional constraint against the configured API URL.

Recommended reviewers: bender-rodriguez-unit1, forestileao

[shiroyasha]

app_id

[shiroyasha]

do we need the execution: prefix?

[shiroyasha]

why do we suddenly need .String()?

[shiroyasha]

No need to do this.

[shiroyasha]

Check if this error is leaking some data to users.

[shiroyasha]

Don't break a class into multiple files.

[shiroyasha]

can we use r.oidc provider?

[shiroyasha]

Why, for the love of god would you add v4 if you already have v5?

[shiroyasha]

Can we switch the OIDC to use this too?

[shiroyasha]

Seperate PR of course.