actions/deploy: authentication token may expire before wait timeout

[tronghn]

actions/deploy@v2 added support for using GitHub OIDC tokens to authenticate GitHub workflows for deployment:

deploy/actions/deploy/entrypoint.sh

Lines 44 to 57 in b89805c

	# if no apikey is set, use use the id-token to get a jwt token for the deploy CLI
	if [ -z "$APIKEY" ]; then
	if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ] || [ -z "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
	echo "Missing id-token permissions. This must be set either globally in the workflow, or for the specific job performing the deploy."
	echo "For more info see https://doc.nais.io/build/how-to/build-and-deploy and/or https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs"
	exit 1
	fi
	payload=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=hookd")
	jwt=$(echo "$payload" | jq -r '.value')
	export GITHUB_TOKEN="$jwt"
	fi

These JWTs acquired from GitHub have an expiry of 10 minutes. The expiry cannot be configured, as far as I can tell.

The token expiry takes precedence over the deployclient wait timeout which also defaults to 10 minutes, resulting in confusing error messages for end-users.

Ideally, we should continue fetching new OIDC tokens for as long as the configured deployment timeout is still valid:
https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc
This assumes that ACTIONS_ID_TOKEN_REQUEST_TOKEN is valid for the entirety of the duration of the action or workflow.

[kimtore]

This functionality could be added to the deploy client, so that it always pulls a new token before opening connections to hookd.