change to use rst to auto-generate toc

Author: mozillazg

README.md

@@ -0,0 +1,98 @@
+alibabacloud-oidc-auth
+-----------------------
+
+GitHub Action for authenticating to Alibaba Cloud with `GitHub Actions OIDC tokens`_.
+
+.. contents::
+
+
+Inputs
+======
+
+* ``role-arn-to-assume``: (Required) The arn of Ram role.
+* ``oidc-provider-arn``: (Required) The arn of OIDC IdP.
+* ``export-environment-variables``: (Optional) Export common environment variables. The default value is: ``false``
+* ``set-outputs``: (Optional) Setting action outputs. The default value is: ``false``
+* ``audience``: (Optional) The audience (aud) parameter in GitHub's generated OIDC
+  token. The default value is: ``actions.github.com``
+* ``role-duration-seconds``: (Optional) The validity period of the STS token. The default value is: ``3600``
+* ``role-session-name``: (Optional) The custom name of the role session. The default value is: ``github-actions-<orgName>-<repoName>``
+* ``region``: (Optional) The region id of STS endpoint. The default value is: ``ap-southeast-1``
+
+Outputs
+========
+
+Only available when ``set-outputs`` is ``true``.
+
+* ``access-key-id``: (Optional) The AccessKey ID.
+* ``access-key-secret``: (Optional) The AccessKey secret.
+* ``security-token``: (Optional) The STS token.
+
+
+Example Usage
+==============
+
+.. code-block:: yaml
+
+    jobs:
+      job-id:
+        # ...
+        permissions:
+          id-token: write # This is required for requesting the JWT
+        steps:
+          - name: get credentials
+            id: get-credentials
+            uses: 'mozillazg/alibabacloud-oidc-auth@v1'
+            with:
+              role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
+              oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
+              export-environment-variables: 'true'
+          - run: |
+              aliyun sts GetCallerIdentity
+
+
+Or
+
+.. code-block:: yaml
+
+    jobs:
+      job-id:
+        # ...
+        permissions:
+          id-token: write # This is required for requesting the JWT
+        steps:
+          - name: get credentials
+            id: get-credentials
+            uses: 'mozillazg/alibabacloud-oidc-auth@v1'
+            with:
+              role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
+              oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
+              set-outputs: 'true'
+          - run: |
+              ossutil64 --access-key-id ${{ steps.get-credentials.outputs.access-key-id }} \
+                --access-key-secret ${{ steps.get-credentials.outputs.access-key-secret }} \
+                --sts-token ${{ steps.get-credentials.outputs.security-token }} --mode StsToken \
+                --endpoint oss-ap-southeast-1.aliyuncs.com \
+                stat oss://test-bucket
+
+
+RAM Configuration
+==================
+
+1. Configure an `OIDC IdP`_ for the auth method:
+    * **IdP URL**: ``https://token.actions.githubusercontent.com``
+    * **Client ID**: ``actions.github.com``
+
+2. Configure a `RAM role for an OIDC IdP`_ to assume:
+    * **oidc:aud**: ``actions.github.com``
+    * **oidc:sub**: match on `GitHub subject claims`_.
+
+      * match branch: ``repo:<orgName/repoName>:ref:refs/heads/<branchName>``
+      * match tag: ``repo:<orgName/repoName>:ref:refs/tags/<tagName>``
+
+
+.. _GitHub Actions OIDC tokens : https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+.. _OIDC IdP: https://www.alibabacloud.com/help/en/resource-access-management/latest/manage-an-oidc-idp?spm=a2c63.p38356.0.0.3d076b9do9jEJr#section-hqp-6mi-g84
+.. _RAM role for an OIDC IdP: https://www.alibabacloud.com/help/en/resource-access-management/latest/create-a-ram-role-for-a-trusted-idp#section-mra-74d-14w
+.. _GitHub subject claims: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
+