Deployment distributions for octo-sts/app - a Security Token Service that lets workloads exchange OIDC tokens for short-lived GitHub access tokens, eliminating long-lived PATs.
The upstream octo-sts/app works on its own - this repository adds:
- Web-based GitHub App installer - Create your GitHub App via a guided web flow that auto-configures permissions and saves credentials to your chosen backend
- Multiple credential storage backends - Store GitHub App private keys in local files, environment variables, or AWS SSM Parameter Store
- AWS Lambda distribution - Terraform module for serverless deployment on AWS
- Docker distribution - Docker Compose setup for local development with ngrok
Docker Compose setup for local testing and proof-of-concept deployments. Includes automated GitHub App installer and ngrok integration.
Documentation: distros/docker/README.md
Serverless deployment using API Gateway v2 and Lambda functions with Terraform.
Documentation: distros/aws-lambda/README.md
For Google Cloud Run, use octo-sts/app directly; it has native Cloud Run support.
- Architecture Overview - System design, request flows, security model, and API specification
- Component Breakdown - Detailed analysis of binaries, packages, and dependencies
```
.
├── cmd/                # Lambda entrypoints and HTTP wrappers
├── distros/            # Deployment distributions
│   ├── aws-lambda/     # AWS Lambda + API Gateway (Terraform)
│   └── docker/         # Docker Compose for local development
└── internal/           # Shared packages (app, sts, configstore)
```
- octo-sts/app - Upstream project
- Trust Policies - Setup guide and security recommendations
- Original Blog Post - Background on octo-sts
This repository is an independent community project and is not affiliated with, endorsed by, or associated with Chainguard or the maintainers of octo-sts/app. All trademarks belong to their respective owners.
This repository is licensed under the MIT License. See LICENSE for details.
The upstream octo-sts/app project uses the Apache 2.0 License. See octo-sts/app LICENSE.