Fix GHA to work with a CodeBoarding license

Svilen-Stefanov · Svilen-Stefanov · commit acb6d6699bc4 · 2026-06-17T17:35:59.000+02:00
diff --git a/action.yml b/action.yml
@@ -20,7 +20,7 @@ inputs:
     required: false
     default: 'https://auduihjmm4b735zci7vyabuikq0hppqn.lambda-url.us-east-1.on.aws'  # prod gha_proxy Function URL (licensing-aws LicensingStack-Stateless-prod)
   license_key:
-    description: 'A CodeBoarding license key (e.g. secrets.CODEBOARDING_LICENSE) for unmetered hosted usage via proxy_url. Takes precedence over the free OIDC tier; ignored when llm_api_key is set (BYO key talks to the provider directly).'
+    description: 'A CodeBoarding license key (e.g. secrets.CODEBOARDING_LICENSE) for unmetered hosted usage via proxy_url. Requires "permissions: id-token: write" — the license rides the OIDC bearer (the proxy still verifies the OIDC identity, then the license skips the quota). Takes precedence over the free OIDC tier; ignored when llm_api_key is set (BYO key talks to the provider directly).'
     required: false
     default: ''
   github_token:
@@ -547,9 +547,10 @@ runs:
 
         # ── Hosted modes (license / oidc): provider is always OpenRouter via proxy ──
         # The hosted tiers run on CodeBoarding's OpenRouter account, so the engine
-        # always talks OpenRouter here (the bearer is the license/OIDC token, which
-        # the proxy swaps for the real key). To use a DIFFERENT provider, set
-        # llm_api_key for that provider (that's BYO-key mode, below).
+        # always talks OpenRouter here. The bearer is the OIDC JWT (free) or the OIDC
+        # JWT packed with the license (license mode); the proxy verifies the OIDC,
+        # applies the license, and swaps in the real OpenRouter key. To use a DIFFERENT
+        # provider, set llm_api_key for that provider (that's BYO-key mode, below).
         if [ "$MODE" != "byokey" ]; then
           if [ -z "$PROXY_URL" ]; then
             echo "::error::proxy_url is empty but no llm_api_key was provided. Set llm_api_key, or restore proxy_url."
@@ -565,26 +566,37 @@ runs:
           AGENT_MODEL="${AGENT_MODEL:-google/gemini-3-flash-preview}"
           PARSING_MODEL="${PARSING_MODEL:-google/gemini-3.1-flash-lite-preview}"
 
+          # Both hosted tiers (free + license) authenticate to the proxy with a
+          # GitHub OIDC JWT — it's the unforgeable per-repo identity the proxy meters
+          # and abuse-checks on, so it is mandatory even when a license is present.
+          # The engine (ChatOpenAI) can only set the bearer, not a custom header, so a
+          # license rides the bearer alongside the OIDC token as `<jwt>~cblic~<license>`;
+          # the proxy splits on that separator (KEEP IN SYNC with gha_proxy handler).
+          # ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN are injected into the runner process env
+          # (NOT the `env` context) only when the job grants `id-token: write`; read them
+          # directly from the shell env.
+          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+            echo "::error::No GitHub OIDC token available. Add \`permissions: id-token: write\` to the job (the hosted tier — free and license — needs the OIDC token to identify your repository; an llm_api_key avoids the proxy entirely)."
+            exit 1
+          fi
+          OIDC_RESP="$(curl -sS --max-time 15 \
+            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=codeboarding-proxy" || true)"
+          OIDC_JWT="$(printf '%s' "$OIDC_RESP" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("value",""))' 2>/dev/null || true)"
+          if [ -z "$OIDC_JWT" ]; then
+            echo "::error::Failed to mint a GitHub OIDC token (is \`permissions: id-token: write\` granted?)."
+            exit 1
+          fi
+          echo "::add-mask::$OIDC_JWT"
+
           if [ "$MODE" = "license" ]; then
-            BEARER="$LICENSE"
-            echo "Using CodeBoarding license via hosted proxy."
+            # Pack the license after the OIDC JWT; the proxy verifies the JWT (identity)
+            # and validates the license (skips the free quota). Mask both halves.
+            echo "::add-mask::$LICENSE"
+            BEARER="${OIDC_JWT}~cblic~${LICENSE}"
+            echo "Using CodeBoarding license via hosted proxy (OIDC-identified)."
           else
-            # Mint a GitHub Actions OIDC JWT (audience must match the proxy's).
-            # ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN are injected into the runner
-            # process env (NOT the `env` context) only when the job grants
-            # `id-token: write`; read them directly from the shell env.
-            if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
-              echo "::error::No GitHub OIDC token available. Add \`permissions: id-token: write\` to the job (or set an llm_api_key / license_key). The free hosted tier needs the OIDC token to identify your repository."
-              exit 1
-            fi
-            OIDC_RESP="$(curl -sS --max-time 15 \
-              -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
-              "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=codeboarding-proxy" || true)"
-            BEARER="$(printf '%s' "$OIDC_RESP" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("value",""))' 2>/dev/null || true)"
-            if [ -z "$BEARER" ]; then
-              echo "::error::Failed to mint a GitHub OIDC token (is \`permissions: id-token: write\` granted?)."
-              exit 1
-            fi
+            BEARER="$OIDC_JWT"
             echo "Using the free hosted tier via a GitHub OIDC token (metered per repository owner)."
           fi
 
