junobuild · peterpeterparker · Jan 25, 2026 · Jan 25, 2026 · Jan 25, 2026 · Jan 28, 2026
diff --git a/src/declarations/observatory/observatory.did.d.ts b/src/declarations/observatory/observatory.did.d.ts
@@ -106,7 +106,7 @@ export interface OpenIdCertificate {
 	created_at: bigint;
 	version: [] | [bigint];
 }
-export type OpenIdProvider = { Google: null } | { GitHubAuth: null };
+export type OpenIdProvider = { GitHubActions: null } | { Google: null } | { GitHubAuth: null };
 export interface RateConfig {
 	max_tokens: bigint;
 	time_per_token_ns: bigint;

diff --git a/src/declarations/observatory/observatory.factory.certified.did.js b/src/declarations/observatory/observatory.factory.certified.did.js
@@ -21,6 +21,7 @@ export const idlFactory = ({ IDL }) => {
 		failed: IDL.Nat64
 	});
 	const OpenIdProvider = IDL.Variant({
+		GitHubActions: IDL.Null,
 		Google: IDL.Null,
 		GitHubAuth: IDL.Null
 	});

diff --git a/src/declarations/observatory/observatory.factory.did.js b/src/declarations/observatory/observatory.factory.did.js
@@ -21,6 +21,7 @@ export const idlFactory = ({ IDL }) => {
 		failed: IDL.Nat64
 	});
 	const OpenIdProvider = IDL.Variant({
+		GitHubActions: IDL.Null,
 		Google: IDL.Null,
 		GitHubAuth: IDL.Null
 	});

diff --git a/src/declarations/observatory/observatory.factory.did.mjs b/src/declarations/observatory/observatory.factory.did.mjs
@@ -21,6 +21,7 @@ export const idlFactory = ({ IDL }) => {
 		failed: IDL.Nat64
 	});
 	const OpenIdProvider = IDL.Variant({
+		GitHubActions: IDL.Null,
 		Google: IDL.Null,
 		GitHubAuth: IDL.Null
 	});

diff --git a/src/declarations/satellite/satellite.did.d.ts b/src/declarations/satellite/satellite.did.d.ts
@@ -34,6 +34,12 @@ export interface AssetNoContent {
 export interface AssetsUpgradeOptions {
 	clear_existing_assets: [] | [boolean];
 }
+export type AuthenticateControllerArgs = {
+	OpenId: OpenIdAuthenticateControllerArgs;
+};
+export type AuthenticateControllerResultResponse =
+	| { Ok: null }
+	| { Err: AuthenticationControllerError };
 export type AuthenticateResultResponse = { Ok: Authentication } | { Err: AuthenticationError };
 export interface Authentication {
 	doc: Doc;
@@ -56,6 +62,9 @@ export interface AuthenticationConfigOpenId {
 	observatory_id: [] | [Principal];
 	providers: Array<[OpenIdDelegationProvider, OpenIdAuthProviderConfig]>;
 }
+export type AuthenticationControllerError =
+	| { RegisterController: string }
+	| { VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError };
 export type AuthenticationError =
 	| {
 			PrepareDelegation: PrepareDelegationError;
@@ -64,6 +73,7 @@ export type AuthenticationError =
 export interface AuthenticationRules {
 	allowed_callers: Array<Principal>;
 }
+export type AutomationScope = { Write: null } | { Submit: null };
 export type CollectionType = { Db: null } | { Storage: null };
 export interface CommitBatch {
 	batch_id: bigint;
@@ -267,6 +277,13 @@ export interface OpenIdAuthProviderDelegationConfig {
 	targets: [] | [Array<Principal>];
 	max_time_to_live: [] | [bigint];
 }
+export interface OpenIdAuthenticateControllerArgs {
+	jwt: string;
+	metadata: Array<[string, string]>;
+	scope: AutomationScope;
+	max_time_to_live: [] | [bigint];
+	controller_id: Principal;
+}
 export type OpenIdDelegationProvider = { GitHub: null } | { Google: null };
 export interface OpenIdGetDelegationArgs {
 	jwt: string;
@@ -438,8 +455,18 @@ export interface UploadChunk {
 export interface UploadChunkResult {
 	chunk_id: bigint;
 }
+export type VerifyOpenidAutomationCredentialsError =
+	| {
+			GetCachedJwks: null;
+	  }
+	| { JwtVerify: JwtVerifyError }
+	| { GetOrFetchJwks: GetOrRefreshJwksError };
 export interface _SERVICE {
 	authenticate: ActorMethod<[AuthenticationArgs], AuthenticateResultResponse>;
+	authenticate_controller: ActorMethod<
+		[AuthenticateControllerArgs],
+		AuthenticateControllerResultResponse
+	>;
 	commit_asset_upload: ActorMethod<[CommitBatch], undefined>;
 	commit_proposal: ActorMethod<[CommitProposal], null>;
 	commit_proposal_asset_upload: ActorMethod<[CommitBatch], undefined>;

diff --git a/src/declarations/satellite/satellite.factory.certified.did.js b/src/declarations/satellite/satellite.factory.certified.did.js
@@ -75,6 +75,33 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const OpenIdAuthenticateControllerArgs = IDL.Record({
+		jwt: IDL.Text,
+		metadata: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
+		scope: AutomationScope,
+		max_time_to_live: IDL.Opt(IDL.Nat64),
+		controller_id: IDL.Principal
+	});
+	const AuthenticateControllerArgs = IDL.Variant({
+		OpenId: OpenIdAuthenticateControllerArgs
+	});
+	const VerifyOpenidAutomationCredentialsError = IDL.Variant({
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError
+	});
+	const AuthenticationControllerError = IDL.Variant({
+		RegisterController: IDL.Text,
+		VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError
+	});
+	const AuthenticateControllerResultResponse = IDL.Variant({
+		Ok: IDL.Null,
+		Err: AuthenticationControllerError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -446,6 +473,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_controller: IDL.Func(
+			[AuthenticateControllerArgs],
+			[AuthenticateControllerResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),

diff --git a/src/declarations/satellite/satellite.factory.did.js b/src/declarations/satellite/satellite.factory.did.js
@@ -75,6 +75,33 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const OpenIdAuthenticateControllerArgs = IDL.Record({
+		jwt: IDL.Text,
+		metadata: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
+		scope: AutomationScope,
+		max_time_to_live: IDL.Opt(IDL.Nat64),
+		controller_id: IDL.Principal
+	});
+	const AuthenticateControllerArgs = IDL.Variant({
+		OpenId: OpenIdAuthenticateControllerArgs
+	});
+	const VerifyOpenidAutomationCredentialsError = IDL.Variant({
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError
+	});
+	const AuthenticationControllerError = IDL.Variant({
+		RegisterController: IDL.Text,
+		VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError
+	});
+	const AuthenticateControllerResultResponse = IDL.Variant({
+		Ok: IDL.Null,
+		Err: AuthenticationControllerError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -446,6 +473,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_controller: IDL.Func(
+			[AuthenticateControllerArgs],
+			[AuthenticateControllerResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),

diff --git a/src/declarations/satellite/satellite.factory.did.mjs b/src/declarations/satellite/satellite.factory.did.mjs
@@ -75,6 +75,33 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const OpenIdAuthenticateControllerArgs = IDL.Record({
+		jwt: IDL.Text,
+		metadata: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
+		scope: AutomationScope,
+		max_time_to_live: IDL.Opt(IDL.Nat64),
+		controller_id: IDL.Principal
+	});
+	const AuthenticateControllerArgs = IDL.Variant({
+		OpenId: OpenIdAuthenticateControllerArgs
+	});
+	const VerifyOpenidAutomationCredentialsError = IDL.Variant({
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError
+	});
+	const AuthenticationControllerError = IDL.Variant({
+		RegisterController: IDL.Text,
+		VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError
+	});
+	const AuthenticateControllerResultResponse = IDL.Variant({
+		Ok: IDL.Null,
+		Err: AuthenticationControllerError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -446,6 +473,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_controller: IDL.Func(
+			[AuthenticateControllerArgs],
+			[AuthenticateControllerResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),

diff --git a/src/declarations/sputnik/sputnik.did.d.ts b/src/declarations/sputnik/sputnik.did.d.ts
@@ -34,6 +34,12 @@ export interface AssetNoContent {
 export interface AssetsUpgradeOptions {
 	clear_existing_assets: [] | [boolean];
 }
+export type AuthenticateControllerArgs = {
+	OpenId: OpenIdAuthenticateControllerArgs;
+};
+export type AuthenticateControllerResultResponse =
+	| { Ok: null }
+	| { Err: AuthenticationControllerError };
 export type AuthenticateResultResponse = { Ok: Authentication } | { Err: AuthenticationError };
 export interface Authentication {
 	doc: Doc;
@@ -56,6 +62,9 @@ export interface AuthenticationConfigOpenId {
 	observatory_id: [] | [Principal];
 	providers: Array<[OpenIdDelegationProvider, OpenIdAuthProviderConfig]>;
 }
+export type AuthenticationControllerError =
+	| { RegisterController: string }
+	| { VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError };
 export type AuthenticationError =
 	| {
 			PrepareDelegation: PrepareDelegationError;
@@ -64,6 +73,7 @@ export type AuthenticationError =
 export interface AuthenticationRules {
 	allowed_callers: Array<Principal>;
 }
+export type AutomationScope = { Write: null } | { Submit: null };
 export type CollectionType = { Db: null } | { Storage: null };
 export interface CommitBatch {
 	batch_id: bigint;
@@ -267,6 +277,13 @@ export interface OpenIdAuthProviderDelegationConfig {
 	targets: [] | [Array<Principal>];
 	max_time_to_live: [] | [bigint];
 }
+export interface OpenIdAuthenticateControllerArgs {
+	jwt: string;
+	metadata: Array<[string, string]>;
+	scope: AutomationScope;
+	max_time_to_live: [] | [bigint];
+	controller_id: Principal;
+}
 export type OpenIdDelegationProvider = { GitHub: null } | { Google: null };
 export interface OpenIdGetDelegationArgs {
 	jwt: string;
@@ -438,8 +455,18 @@ export interface UploadChunk {
 export interface UploadChunkResult {
 	chunk_id: bigint;
 }
+export type VerifyOpenidAutomationCredentialsError =
+	| {
+			GetCachedJwks: null;
+	  }
+	| { JwtVerify: JwtVerifyError }
+	| { GetOrFetchJwks: GetOrRefreshJwksError };
 export interface _SERVICE {
 	authenticate: ActorMethod<[AuthenticationArgs], AuthenticateResultResponse>;
+	authenticate_controller: ActorMethod<
+		[AuthenticateControllerArgs],
+		AuthenticateControllerResultResponse
+	>;
 	commit_asset_upload: ActorMethod<[CommitBatch], undefined>;
 	commit_proposal: ActorMethod<[CommitProposal], null>;
 	commit_proposal_asset_upload: ActorMethod<[CommitBatch], undefined>;

diff --git a/src/declarations/sputnik/sputnik.factory.certified.did.js b/src/declarations/sputnik/sputnik.factory.certified.did.js
@@ -75,6 +75,33 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const OpenIdAuthenticateControllerArgs = IDL.Record({
+		jwt: IDL.Text,
+		metadata: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
+		scope: AutomationScope,
+		max_time_to_live: IDL.Opt(IDL.Nat64),
+		controller_id: IDL.Principal
+	});
+	const AuthenticateControllerArgs = IDL.Variant({
+		OpenId: OpenIdAuthenticateControllerArgs
+	});
+	const VerifyOpenidAutomationCredentialsError = IDL.Variant({
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError
+	});
+	const AuthenticationControllerError = IDL.Variant({
+		RegisterController: IDL.Text,
+		VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError
+	});
+	const AuthenticateControllerResultResponse = IDL.Variant({
+		Ok: IDL.Null,
+		Err: AuthenticationControllerError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -446,6 +473,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_controller: IDL.Func(
+			[AuthenticateControllerArgs],
+			[AuthenticateControllerResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),

diff --git a/src/declarations/sputnik/sputnik.factory.did.js b/src/declarations/sputnik/sputnik.factory.did.js
@@ -75,6 +75,33 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const OpenIdAuthenticateControllerArgs = IDL.Record({
+		jwt: IDL.Text,
+		metadata: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
+		scope: AutomationScope,
+		max_time_to_live: IDL.Opt(IDL.Nat64),
+		controller_id: IDL.Principal
+	});
+	const AuthenticateControllerArgs = IDL.Variant({
+		OpenId: OpenIdAuthenticateControllerArgs
+	});
+	const VerifyOpenidAutomationCredentialsError = IDL.Variant({
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError
+	});
+	const AuthenticationControllerError = IDL.Variant({
+		RegisterController: IDL.Text,
+		VerifyOpenIdCredentials: VerifyOpenidAutomationCredentialsError
+	});
+	const AuthenticateControllerResultResponse = IDL.Variant({
+		Ok: IDL.Null,
+		Err: AuthenticationControllerError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -446,6 +473,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_controller: IDL.Func(
+			[AuthenticateControllerArgs],
+			[AuthenticateControllerResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),

diff --git a/src/libs/auth/src/automation/constants.rs b/src/libs/auth/src/automation/constants.rs
@@ -0,0 +1,7 @@
+const MINUTE_NS: u64 = 60 * 1_000_000_000;
+
+// 10 minutes in nanoseconds
+pub const DEFAULT_EXPIRATION_PERIOD_NS: u64 = 10 * MINUTE_NS;
+
+// The maximum duration for a automation controller
+pub const MAX_EXPIRATION_PERIOD_NS: u64 = 60 * MINUTE_NS;