Connections#25336
Conversation
Introduce a new Enterprise > Security section for Docker OIDC, positioned between Enforce sign-in and Roles and permissions. Adds overview, connection management, and rulesets/subject claims pages, including GitHub Actions workflow setup and Admin Console management guidance. Also adds a Docker OIDC card to the Security landing page and registers the feature in summary.yaml for summary-bar metadata.
Correct links and wording, align login-action with repo convention, and update the Security grid icon.
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
New Docker OIDC documentation is well-structured and technically clear. One high-severity inconsistency between the prose and the rendered summary-bar subscription badge needs resolution before merge, plus several medium style issues.
|
|
||
| Each ruleset contains the following fields: | ||
|
|
||
| - **Label**: A name for the ruleset. |
There was a problem hiding this comment.
[MEDIUM] Bold used for conceptual list labels — may not qualify as UI elements
STYLE.md reserves bold exclusively for UI elements (buttons, menus, field labels). **Label**, **Rules**, **Resources**, and **Scopes** appear in a conceptual definition list. If these are the exact names of labeled fields in the Admin Console form UI, bold is correct. If they're conceptual terms describing what a ruleset contains, bold should be removed and the list rewritten as plain prose bullets.
There was a problem hiding this comment.
These are the exact names of the UI elements
There was a problem hiding this comment.
Thank you for confirming! In that case, the bold formatting is correct per STYLE.md. Resolved.
- Reword involves broad phases to enumerate the actual phases - Fix per-GitHub Action basis to per-workflow basis - Fix GitHub Action workflows to GitHub Actions workflows - Normalize OIDC connections casing throughout create-manage.md - Change This doc to This page in rulesets-claims.md - Update GitHub link text to OpenID Connect Reference - Remove trailing whitespace on two lines - Remove trailing periods from all What's next bullets
|
@akristen - Can we add to the PR description list of to dos that currently OIDC does not work with dhi.io images? Or have to use dhi.io login. Pending confirmation of engineering testing |
gmondello
left a comment
There was a problem hiding this comment.
Reviewed and left some minor remarks that should be addressed before merging.
Co-authored-by: Greg Mondello <72952982+gmondello@users.noreply.github.com>
| steps: | ||
| - name: OIDC connections | ||
| id: docker_oidc | ||
| uses: docker/oidc-action@v0 |
There was a problem hiding this comment.
@dotjoshrc Are we going to be releasing v0 or v1 to public?
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
New OIDC connections documentation is well-structured and clear. One medium issue found: the data/summary.yaml entry for OIDC connections is missing availability: Beta, which means the summary bar shortcode won't render the Beta availability indicator at the top of the page (only the sidebar badge will show it). One low-priority style note included.
|
|
||
| Each ruleset contains the following fields: | ||
|
|
||
| - **Label**: A name for the ruleset. |
There was a problem hiding this comment.
[LOW] Bold lead-in format (**Term**: Description) — verify these are UI field labels
Docker's style guide reserves bold for UI elements (buttons, menus, field labels). The - **Label**: ..., - **Rules**: ..., - **Resources**: ..., - **Scopes**: ... format is fine if these terms appear as actual field labels in the Admin Console UI. If they're conceptual/documentation terms rather than literal UI labels, the style guide recommends plain text with a colon instead:
- Label: A name for the ruleset.
- Rules: One or more conditions based on OIDC token claims...No change needed if these are actual UI field names shown in the creation form.
The summary.yaml entry was missing the availability field, so the Availability: Beta row wasn't rendering in the summary bar even though the page declares a Beta sidebar badge. Co-authored-by: Cursor <cursoragent@cursor.com>
Clarify that organization owners and editors can create and manage OIDC connections, folded into the create/manage page intro. Co-authored-by: Cursor <cursoragent@cursor.com>
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
New OIDC connections documentation is well-structured and informative. Found a few style guide violations to address before merge.
|
|
||
| Each ruleset contains the following fields: | ||
|
|
||
| - **Label**: A name for the ruleset. |
There was a problem hiding this comment.
[MEDIUM] Bold **Term**: Description list format — discouraged pattern
The ruleset fields (**Label**, **Rules**, **Resources**, **Scopes**) use the **Term**: Description pattern in a bullet list, which Docker's style guide explicitly flags as marketing-style formatting. Bold should be reserved for UI elements users interact with (buttons, menus, field labels to select), not as definition-list term markers.
Suggested rewrite:
Each ruleset contains the following fields:
- Label: A name for the ruleset.
- Rules: One or more conditions based on OIDC token claims, such as the repository name, branch, or workflow path.
- These are expressed as subject claim strings.
- See [Subject claims](#subject-claims).
- Resources: The Docker resources a workflow can access when the ruleset matches. See [Resources](#resources).
- Scopes: The permissions granted on those resources, such as read or write access.| password: ${{ steps.docker_oidc.outputs.token }} | ||
| ``` | ||
|
|
||
| ### Step 3 (optional): Test |
There was a problem hiding this comment.
[MEDIUM] Parentheses in heading — use "Optional." prefix instead
### Step 3 (optional): Test uses parentheses in a heading, which the style guide discourages. For optional steps, the guide specifies using "Optional." as a sentence-level prefix in the step text rather than embedding (optional) in the heading.
Suggested fix:
### Step 3: Test
Optional. After both phases, open the workflow run in GitHub Actions and select **Stage** to test the job.|
|
||
| ## Manage OIDC connections | ||
|
|
||
| You can view, edit, deactivate, or delete your connections from the **OIDC connection** page. |
There was a problem hiding this comment.
[MEDIUM] Inconsistent UI page name — singular vs plural
This sentence uses "OIDC connection" (singular) but the navigation steps immediately below use "OIDC connections" (plural) for the same page. The style guide requires matching UI capitalization exactly. If the Admin Console labels the page "OIDC connections" (plural), update this sentence to match:
You can view, edit, deactivate, or delete your connections from the **OIDC connections** page.|
|
||
| {{< summary-bar feature_name="OIDC connections" >}} | ||
|
|
||
| OIDC connections create a trust relationship between Docker and a trusted third-party so you don't have to maintain long-lived credentials. When you create an OIDC connection, Docker exchanges short-lived tokens with another vendor that can grant fine-grained access to your Docker resources. |
There was a problem hiding this comment.
[LOW] "third-party" incorrectly hyphenated as a noun
"Third-party" is hyphenated only as a compound adjective before a noun (e.g., "a third-party vendor"). Here it's used as a noun ("a trusted third-party"), so no hyphen is needed. Note that this same PR correctly writes "trusted third party" (no hyphen) in the NOTE callout in create-manage.md.
Suggested fix: a trusted third party
| Organization owners and editors can create new OIDC connections or manage existing ones from the Admin Console in Docker Home. Establishing an OIDC connection occurs in two phases. First, you create the OIDC connection in the Admin Console, then you configure your GitHub Actions workflow YAML file. | ||
|
|
||
| > [!NOTE] | ||
| > GitHub is the only supported trusted third party at this time. |
There was a problem hiding this comment.
[LOW] "at this time" — non-timeless phrasing
The style guide says to write timelessly and avoid phrases like "currently" or "as of this writing." "At this time" carries the same implication. Dropping it produces a cleaner statement:
> GitHub is the only supported trusted third party.
MVP docs ready for final review for beta release. Outside of scope at this time are troubleshooting docs, which will be added post beta release (agreed upon with PM + team).
@aevesdocker is the PoC while I'm OOO. She will make any changes as needed and merge, if needed.