There is a super useful SOP that show how to generate a OIDC token :stuck_out_tongue_winking_eye:

https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/ipsilon.html

What should I request exactly here for scope? (ie, the -s argument)

What should I request exactly here for scope? (ie, the -s argument)

It needs the new-compose scope which looking at this should be https://pagure.io/odcs/new-compose

What should I request exactly here for scope? (ie, the -s argument)

It needs the new-compose scope which looking at this should be https://pagure.io/odcs/new-compose

Also should this be done on Ipsilon stg ? since this is for odcs stg ? maybe @puiterwijk can help here

Done. Yes, it was/should be in staging. ;)

Let us know if you run into any problems with it!

:last_quarter_moon:

Reopening has it truns out that ODCS requires the following scopes.

https://id.fedoraproject.org/scope/groups
https://pagure.io/odcs/new-compose
https://pagure.io/odcs/renew-compose
https://pagure.io/odcs/delete-compose

Could you create a new token with these scopes and update the secret file {{ private }}/files/osbs/staging/odcs-oidc-token

It should be possible to add mutilple scopes like that

/scripts/generate-oidc-token osbs -e 365 -s https://id.fedoraproject.org/scope/groups -s https://pagure.io/odcs/new-compose -s https://pagure.io/odcs/renew-compose -s https://pagure.io/odcs/delete-compose

CC'ing @otaylor

Done. I've generated new token with required scopes and ran the playbook:

ansible-playbook /srv/web/infra/ansible/playbooks/groups/osbs-cluster.yml -l staging -t osbs-orchestrator-namespace