
Connections #25336 (Open)

akristen wants to merge 12 commits into docker:main from akristen:o-connections

Conversation


@akristen akristen commented Jun 11, 2026


MVP docs ready for final review for beta release. Outside of scope at this time are troubleshooting docs, which will be added post beta release (agreed upon with PM + team).

@aevesdocker is the PoC while I'm OOO. She will make any changes as needed and merge, if needed.

akristen added 3 commits June 11, 2026 14:22

Introduce a new Enterprise > Security section for Docker OIDC, positioned between Enforce sign-in and Roles and permissions. Adds overview, connection management, and rulesets/subject claims pages, including GitHub Actions workflow setup and Admin Console management guidance. Also adds a Docker OIDC card to the Security landing page and registers the feature in summary.yaml for summary-bar metadata.

Correct links and wording, align login-action with repo convention, and update the Security grid icon.
@akristen akristen requested a review from dotjoshrc June 11, 2026 20:00
@akristen akristen self-assigned this Jun 11, 2026

netlify Bot commented Jun 11, 2026


Deploy Preview for docsdocker ready!

Latest commit: 348b4d1
Latest deploy log: https://app.netlify.com/projects/docsdocker/deploys/6a4554abb6957a0008d10b6a
Deploy Preview: https://deploy-preview-25336--docsdocker.netlify.app

@akristen akristen changed the title O connections Connections Jun 11, 2026

@docker-agent docker-agent left a comment


Assessment: 🟡 NEEDS ATTENTION

New Docker OIDC documentation is well-structured and technically clear. One high-severity inconsistency between the prose and the rendered summary-bar subscription badge needs resolution before merge, plus several medium style issues.

Comment thread content/manuals/enterprise/security/docker-oidc/_index.md Outdated
Comment thread content/manuals/enterprise/security/docker-oidc/rulesets-claims.md Outdated
Comment thread content/manuals/enterprise/security/docker-oidc/rulesets-claims.md Outdated
Comment thread content/manuals/enterprise/security/docker-oidc/_index.md Outdated

Each ruleset contains the following fields:

- **Label**: A name for the ruleset.


[MEDIUM] Bold used for conceptual list labels — may not qualify as UI elements

STYLE.md reserves bold exclusively for UI elements (buttons, menus, field labels). **Label**, **Rules**, **Resources**, and **Scopes** appear in a conceptual definition list. If these are the exact names of labeled fields in the Admin Console form UI, bold is correct. If they're conceptual terms describing what a ruleset contains, bold should be removed and the list rewritten as plain prose bullets.

akristen (author) replied:

These are the exact names of the UI elements


Thank you for confirming! In that case, the bold formatting is correct per STYLE.md. Resolved.

Comment thread content/manuals/enterprise/security/docker-oidc/_index.md Outdated
Comment thread content/manuals/enterprise/security/docker-oidc/create-manage.md Outdated
Comment thread content/manuals/enterprise/security/docker-oidc/create-manage.md Outdated
akristen added 2 commits June 12, 2026 08:40
- Reword involves broad phases to enumerate the actual phases
- Fix per-GitHub Action basis to per-workflow basis
- Fix GitHub Action workflows to GitHub Actions workflows
- Normalize OIDC connections casing throughout create-manage.md
- Change This doc to This page in rulesets-claims.md
- Update GitHub link text to OpenID Connect Reference
- Remove trailing whitespace on two lines
- Remove trailing periods from all What's next bullets
docker-agent: This comment was marked as resolved.

@akristen akristen requested a review from serjkarneichyk June 15, 2026 18:22
@akristen akristen marked this pull request as ready for review June 15, 2026 18:22
docker-agent: This comment was marked as resolved.

@akristen akristen requested review from gmondello and removed request for dotjoshrc June 16, 2026 20:44
docker-agent: This comment was marked as outdated.


gmondello commented Jun 17, 2026


@akristen - Can we add to the PR description's list of to-dos that currently OIDC does not work with dhi.io images? Or you have to use dhi.io login. Pending confirmation of engineering testing.

Comment thread content/manuals/enterprise/security/oidc-connections/create-manage.md Outdated
Comment thread content/manuals/enterprise/security/oidc-connections/create-manage.md Outdated
Comment thread content/manuals/enterprise/security/oidc-connections/rulesets-claims.md Outdated

@gmondello gmondello left a comment


Reviewed and left some minor remarks that should be addressed before merging.

Co-authored-by: Greg Mondello <72952982+gmondello@users.noreply.github.com>

```yaml
steps:
  - name: OIDC connections
    id: docker_oidc
    uses: docker/oidc-action@v0
```


@dotjoshrc Are we going to be releasing v0 or v1 to public?

@akristen akristen requested a review from aevesdocker July 1, 2026 16:48

@docker-agent docker-agent left a comment


Assessment: 🟡 NEEDS ATTENTION

New OIDC connections documentation is well-structured and clear. One medium issue found: the data/summary.yaml entry for OIDC connections is missing availability: Beta, which means the summary bar shortcode won't render the Beta availability indicator at the top of the page (only the sidebar badge will show it). One low-priority style note included.

Comment thread data/summary.yaml

Each ruleset contains the following fields:

- **Label**: A name for the ruleset.


[LOW] Bold lead-in format (**Term**: Description) — verify these are UI field labels

Docker's style guide reserves bold for UI elements (buttons, menus, field labels). The - **Label**: ..., - **Rules**: ..., - **Resources**: ..., - **Scopes**: ... format is fine if these terms appear as actual field labels in the Admin Console UI. If they're conceptual/documentation terms rather than literal UI labels, the style guide recommends plain text with a colon instead:

- Label: A name for the ruleset.
- Rules: One or more conditions based on OIDC token claims...

No change needed if these are actual UI field names shown in the creation form.

akristen and others added 2 commits July 1, 2026 12:43
The summary.yaml entry was missing the availability field, so the Availability: Beta row wasn't rendering in the summary bar even though the page declares a Beta sidebar badge.

Co-authored-by: Cursor <cursoragent@cursor.com>
Clarify that organization owners and editors can create and manage OIDC connections, folded into the create/manage page intro.

Co-authored-by: Cursor <cursoragent@cursor.com>
@akristen akristen requested a review from gmondello July 1, 2026 17:56

@docker-agent docker-agent left a comment


Assessment: 🟡 NEEDS ATTENTION

New OIDC connections documentation is well-structured and informative. Found a few style guide violations to address before merge.


Each ruleset contains the following fields:

- **Label**: A name for the ruleset.


[MEDIUM] Bold **Term**: Description list format — discouraged pattern

The ruleset fields (**Label**, **Rules**, **Resources**, **Scopes**) use the **Term**: Description pattern in a bullet list, which Docker's style guide explicitly flags as marketing-style formatting. Bold should be reserved for UI elements users interact with (buttons, menus, field labels to select), not as definition-list term markers.

Suggested rewrite:

Each ruleset contains the following fields:

- Label: A name for the ruleset.
- Rules: One or more conditions based on OIDC token claims, such as the repository name, branch, or workflow path.
  - These are expressed as subject claim strings.
  - See [Subject claims](#subject-claims).
- Resources: The Docker resources a workflow can access when the ruleset matches. See [Resources](#resources).
- Scopes: The permissions granted on those resources, such as read or write access.

```yaml
          password: ${{ steps.docker_oidc.outputs.token }}
```

### Step 3 (optional): Test


[MEDIUM] Parentheses in heading — use "Optional." prefix instead

### Step 3 (optional): Test uses parentheses in a heading, which the style guide discourages. For optional steps, the guide specifies using "Optional." as a sentence-level prefix in the step text rather than embedding (optional) in the heading.

Suggested fix:

### Step 3: Test

Optional. After both phases, open the workflow run in GitHub Actions and select **Stage** to test the job.


## Manage OIDC connections

You can view, edit, deactivate, or delete your connections from the **OIDC connection** page.


[MEDIUM] Inconsistent UI page name — singular vs plural

This sentence uses "OIDC connection" (singular) but the navigation steps immediately below use "OIDC connections" (plural) for the same page. The style guide requires matching UI capitalization exactly. If the Admin Console labels the page "OIDC connections" (plural), update this sentence to match:

You can view, edit, deactivate, or delete your connections from the **OIDC connections** page.


{{< summary-bar feature_name="OIDC connections" >}}

OIDC connections create a trust relationship between Docker and a trusted third-party so you don't have to maintain long-lived credentials. When you create an OIDC connection, Docker exchanges short-lived tokens with another vendor that can grant fine-grained access to your Docker resources.


[LOW] "third-party" incorrectly hyphenated as a noun

"Third-party" is hyphenated only as a compound adjective before a noun (e.g., "a third-party vendor"). Here it's used as a noun ("a trusted third-party"), so no hyphen is needed. Note that this same PR correctly writes "trusted third party" (no hyphen) in the NOTE callout in create-manage.md.

Suggested fix: a trusted third party

Organization owners and editors can create new OIDC connections or manage existing ones from the Admin Console in Docker Home. Establishing an OIDC connection occurs in two phases. First, you create the OIDC connection in the Admin Console, then you configure your GitHub Actions workflow YAML file.

> [!NOTE]
> GitHub is the only supported trusted third party at this time.


[LOW] "at this time" — non-timeless phrasing

The style guide says to write timelessly and avoid phrases like "currently" or "as of this writing." "At this time" carries the same implication. Dropping it produces a cleaner statement:

> GitHub is the only supported trusted third party.
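As an added illustration of the two-phase flow the reviewed page describes (this is example code written for this review, not the PR's content or Docker's published docs): a complete GitHub Actions workflow that joins the `docker/oidc-action@v0` step and the `password: ${{ steps.docker_oidc.outputs.token }}` login shown in the comment threads above. Assumed, because the PR does not show them: the `username` value, that `oidc-action` takes no inputs, and the image name; `permissions: id-token: write` is GitHub's standard requirement for a job to obtain an OIDC token.

```yaml
name: build-with-docker-oidc

on:
  push:
    branches: [main]

# Least privilege: the job only needs to read the repo and mint an OIDC token.
permissions:
  contents: read
  id-token: write   # required for GitHub to issue the job an OIDC token

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Phase 2 of the page's procedure: exchange the GitHub OIDC token for a
      # short-lived Docker token. The ruleset created in phase 1 (Admin
      # Console) matches on the token's subject claim, for a push this is
      # repo:<owner>/<repo>:ref:refs/heads/main, so a job running in another
      # repository or on another branch is not granted a token.
      # Inputs to oidc-action are not shown in the PR; none are assumed here.
      - name: OIDC connections
        id: docker_oidc
        uses: docker/oidc-action@v0

      # Log in with the short-lived token instead of a stored long-lived PAT.
      # USERNAME_PLACEHOLDER is an assumption: the PR does not state which
      # username the OIDC login expects.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: USERNAME_PLACEHOLDER
          password: ${{ steps.docker_oidc.outputs.token }}

      # Scopes on the ruleset (read or write) decide whether this push succeeds.
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: OWNER_PLACEHOLDER/IMAGE_PLACEHOLDER:${{ github.sha }}
```

Because no static registry secret is stored in the repository, rotating or revoking access is done by editing or deactivating the connection in the Admin Console rather than by rotating a secret.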
