
Trusted publishing: support for Bitbucket Pipelines #17136

Open
okyrdan opened this issue Nov 20, 2024 · 3 comments
Labels:
  • awaiting-response: PRs and issues that are awaiting author response
  • feature request
  • requires triaging: maintainers need to do initial inspection of issue
  • trusted-publishing

Comments


okyrdan commented Nov 20, 2024

This would enable PyPI users with Bitbucket Pipelines CI/CD to leverage trusted publishing.

An example claim set from a Bitbucket Pipelines repository (anonymized but the structure is saved):

{
    "sub": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}:{stepUuid}",
    "aud": "ari:cloud:bitbucket::workspace/03b741e3-cf4a-41f9-9a59-cec52e21bdc3",
    "stepUuid": "{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}",
    "deploymentEnvironmentUuid": "{xxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxxx}",
    "iss": "https://api.bitbucket.org/2.0/workspaces/atlassian/pipelines-config/identity/oidc",
    "repositoryUuid": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
    "branchName": "xxxxxxxxx",
    "exp": "xxxxxxxxxx",
    "iat": "xxxxxxxxxx",
    "pipelineUuid": "{xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx}",
    "workspaceUuid": "{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}"
}

For example, if a user has a project at https://bitbucket.com/atlassian/pypi-publish with a pipeline defined in the bitbucket-pipelines.yml file and a custom deployment named release, then the user would fill in the form with the following fields:

  • workspace or workspaceUuid
  • repository or repositoryUuid
  • pipeline_filename (i.e. bitbucket-pipelines.yml)
  • deployments_environment (optional)

The guide with configuration details: Integrate Pipelines with resource servers using OIDC | Bitbucket Cloud

Resource server-specific:

@okyrdan okyrdan added feature request requires triaging maintainers need to do initial inspection of issue labels Nov 20, 2024

di commented Nov 20, 2024

Thanks for filing the issue!

Per https://docs.pypi.org/trusted-publishers/internals/#how-do-i-become-a-trusted-publishing-provider:

Additionally, the claimset must support a customizable aud claim that can be set to the value pypi

Is that possible here? Based on my read of https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/, it seems like the audience claim is not configurable.
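To make concrete what the audience requirement above means for the claim set posted in this issue, here is an added example (not warehouse's own code and not the PyPI verification logic) of a minimal verifier that matches a Bitbucket Pipelines-style token against the publisher fields proposed in the issue. The claim set and the registered publisher are constructed for illustration; the UUIDs and timestamps are made up.

```python
# Constructed sample claim set, shaped like the Bitbucket Pipelines token in
# the issue; UUIDs and timestamps are made up. Note that aud is the workspace
# ARI, not "pypi", which is exactly what blocks trusted publishing today.
SAMPLE_CLAIMS = {
    "sub": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}:{11111111-2222-3333-4444-555555555555}",
    "aud": "ari:cloud:bitbucket::workspace/03b741e3-cf4a-41f9-9a59-cec52e21bdc3",
    "iss": "https://api.bitbucket.org/2.0/workspaces/atlassian/pipelines-config/identity/oidc",
    "stepUuid": "{11111111-2222-3333-4444-555555555555}",
    "pipelineUuid": "{66666666-7777-8888-9999-000000000000}",
    "deploymentEnvironmentUuid": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
    "repositoryUuid": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
    "workspaceUuid": "{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}",
    "branchName": "main",
    "iat": 1_732_000_000,
    "exp": 1_732_003_600,
}

# Hypothetical registered publisher, built from the form fields the issue proposes.
PUBLISHER = {
    "issuer": "https://api.bitbucket.org/2.0/workspaces/atlassian/pipelines-config/identity/oidc",
    "workspaceUuid": "{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}",
    "repositoryUuid": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
    "deploymentEnvironmentUuid": None,  # optional field: None accepts any environment
}


def verify_claims(claims, publisher, now):
    """Return the reasons this claim set must be rejected (empty list means accept)."""
    problems = []
    # A token whose audience is the workspace was not minted for PyPI; accepting it
    # would let any Bitbucket resource server token be replayed against the index.
    if claims.get("aud") != "pypi":
        problems.append(f"aud is {claims.get('aud')!r}, expected 'pypi'")
    if claims.get("iss") != publisher["issuer"]:
        problems.append("unexpected issuer")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        problems.append("token not valid at this time")
    # Identity claims must match the registered publisher exactly.
    for key in ("workspaceUuid", "repositoryUuid"):
        if claims.get(key) != publisher[key]:
            problems.append(f"{key} does not match registered publisher")
    env = publisher["deploymentEnvironmentUuid"]
    if env is not None and claims.get("deploymentEnvironmentUuid") != env:
        problems.append("deploymentEnvironmentUuid does not match registered publisher")
    # No claim in the sample carries the pipeline filename, so the proposed
    # pipeline_filename field cannot be enforced from the token alone.
    return problems
```

The workspace-scoped audience alone is enough to reject the sample token; re-running with aud set to "pypi" accepts it.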

@di di added the awaiting-response PRs and issues that are awaiting author response label Dec 2, 2024

okyrdan commented Dec 23, 2024

Hi @di, thanks for the feedback!
Yep, currently the aud claim value is predefined per workspace.
Our team is working on support for a customizable aud claim.
Stay in touch!

woodruffw commented

That's great news, thanks for sharing @okyrdan!
