Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support gitlab #123

Merged
merged 7 commits into from
Oct 22, 2023
Merged

Support gitlab #123

merged 7 commits into from
Oct 22, 2023

Conversation

jku
Copy link
Contributor

@jku jku commented Oct 20, 2023
edited
Loading

I was looking at GitLab pipelines last night so decided to implement this since it was pretty trivial.

Fixes #121

Test pipeline with sigstore: https://gitlab.com/jku/test-oidc/-/blob/main/.gitlab-ci.yml,
Log from running that: https://gitlab.com/jku/test-oidc/-/pipelines/1044594956

Notes:

  • First version of this PR was a generic detect_env_var() but based on feedback this was changed to detect_gitlab()
  • detect_gitlab() is indeed better as it enables error handling (see the example pipeline run)
  • The fact that we now have to require the user to do something extra (configure the variable correctly) is annoying but there's not much we can do except maybe provide feedback to GitLab if they ask
  • there's an unrelated added test for buildkite
  • We don't check if the variable actually contains a token. Now that this is GitLab specific I think this is not critical and matches what other detectors dor. Maybe it makes sense to validate the token content but that sounds like a generic nice-to-have feature, not a GitLab specific thing

@woodruffw
Copy link
Collaborator

  • Called it detect_env_var instead of detect_gitlab since there's nothing really gitlab specific about it

I could be convinced otherwise, but IMO we should make this detect_gitlab and so similar checks for it as we do for other detectors (specifically, sniffing for GITLAB_CI).

My reasoning: each of the detectors is semi-intentionally bound to a single service, even though some services might copy each others' APIs (e.g. FooCI could use the same technique as GitHub Actions). Having an explicit detect_gitlab allows a user to communicate that they're intentionally obtaining a GitLab identity token.

(One idea: maybe we could have detect_env_var and detect_gitlab, with detect_gitlab wrapping the former?)

We don't check if the variable actually contains a token. We don't do that in other detectors either but arguably the chance of errors here is somewhat higher...

I'd be okay with adding this check, both here and elsewhere 🙂

di
di reviewed Oct 20, 2023
View reviewed changes
id/__init__.py Outdated Show resolved Hide resolved
id/_internal/oidc/ambient.py Outdated Show resolved Hide resolved
id/_internal/oidc/ambient.py Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@di
Copy link
Owner

di commented Oct 20, 2023

(One idea: maybe we could have detect_env_var and detect_gitlab, with detect_gitlab wrapping the former?)

I like this idea!

@jku
Copy link
Contributor Author

jku commented Oct 20, 2023

IMO we should make this detect_gitlab and so similar checks for it as we do for other detectors (specifically, sniffing for GITLAB_CI).

That makes sense

@woodruffw woodruffw added the enhancement New feature or request label Oct 20, 2023
@jku
Refactor env var detection to gitlab detection
e150ea6 
Based on feedback:
* Instead of generic env var handling, make the detector
  only work on gitlab (based on GITLAB_CI variable)
* Handle audience args that begin with a digit (replace with "_"
  in the env var name)
* Raise if we are in GitLab environment but token is not found
* Tweak README based on these changes

This does seem much better as a misconfigured pipeline (e.g. a missing
id_tokens section) now results in the following with sigstore:

    $ python -m sigstore sign README.md
                  An issue occurred with ambient credential detection.
                  Additional context:
                  GitLab: Environment variable SIGSTORE_ID_TOKEN not found

which seems pretty good to me.
@jku
Copy link
Contributor Author

jku commented Oct 21, 2023

Changed detect_env_var() to detect_gitlab(), see updated PR description

@di
Copy link
Owner

di commented Oct 22, 2023

/gcbrun

di
di approved these changes Oct 22, 2023
View reviewed changes
Copy link
Owner

@di di left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I will let @woodruffw review as well before merging.

@di
Copy link
Owner

di commented Oct 22, 2023

Can you also update the first line of the README to include Gitlab?

woodruffw
woodruffw approved these changes Oct 22, 2023
View reviewed changes
Copy link
Collaborator

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM as well, thanks @jku!

@woodruffw woodruffw merged commit 7d73ba4 into di:main Oct 22, 2023
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

@di di di approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support GitLab ambient credentials
3 participants
@jku @woodruffw @di