Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extract additional claims from github-workflow token #306

Merged
merged 1 commit into from
Jan 6, 2022
Merged

Extract additional claims from github-workflow token #306

merged 1 commit into from
Jan 6, 2022

Conversation

ckotzbauer
Copy link
Contributor

With reusable github-workflows the "job_workflow_ref" will reference the shared workflow instead the actual calling workflow.

Summary

This adds the additional infos repository, workflow and ref from the Github-Workflow OIDC token as described in #305. According to the Github-Docs I added the repository field instead of the repo.

Ticket Link

Fixes #305

Release Note

job_workflow_ref info was insufficient when using with shared github-workflows

@nsmith5
Copy link
Contributor

nsmith5 commented Jan 3, 2022

I believe this additional information also needs to be embedded into the x509 code signing certificate to fix #305. You can see here where the trigger and SHA are added. I believe you'd need to create new extensions for this new data and additionally document them here like the existing ones.

@ckotzbauer
Copy link
Contributor Author

Thanks for your comment @nsmith5, I will add the extensions and the docs.

@ckotzbauer
Extract additional claims from github-workflow token
4bffbd0 
With reusable github-workflows the "job_workflow_ref" will reference the shared workflow instead the actual calling workflow.

Fixes #305

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
@ckotzbauer ckotzbauer changed the title Add more additional fields from github-workflow token Extract additional claims from github-workflow token Jan 4, 2022
@ckotzbauer
Copy link
Contributor Author

@nsmith5 I added the new claims to the signing-cert and the docs now.

nsmith5
nsmith5 approved these changes Jan 4, 2022
View reviewed changes
Copy link
Contributor

@nsmith5 nsmith5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, great work! I'm not a maintainer so can't approve the workflow / merge, but this looks good to me

@nsmith5
Copy link
Contributor

nsmith5 commented Jan 4, 2022

cc @mattmoor for 👀

@mattmoor
Copy link
Member

mattmoor commented Jan 4, 2022

cc @dlorenc to merge/deploy once CI passes.

@bobcallaway
Copy link
Member

The code looks good to me; one thought though: should we consider using a separate child OID for GitHub-specific fields rather than keeping them all at the same depth? If we add information from other CI/CD systems it might make sense to separate them, but I'm curious to hear what others think.

@dlorenc
Copy link
Member

dlorenc commented Jan 5, 2022

The code looks good to me; one thought though: should we consider using a separate child OID for GitHub-specific fields rather than keeping them all at the same depth? If we add information from other CI/CD systems it might make sense to separate them, but I'm curious to hear what others think.

I'd be fine with that. I think we can nest them arbitrarily long.

@ckotzbauer
Copy link
Contributor Author

@dlorenc @bobcallaway Should the nesting be part of this PR? If yes, how is it supposed to look like?

@dlorenc
Copy link
Member

dlorenc commented Jan 6, 2022

I'm fine either way since we already have some un-nested Github OIDs. We could start nesting other providers going forward.

Wdyt @bobcallaway?

@bobcallaway
Copy link
Member

this PR is fine as is, we can nest them in a separate one.

@dlorenc dlorenc merged commit dcfd3e8 into sigstore:main Jan 6, 2022
This was referenced Feb 12, 2022
Closed
Closed
@asraa asraa mentioned this pull request Feb 24, 2022
Closed
@ckotzbauer ckotzbauer mentioned this pull request Feb 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nsmith5 nsmith5 nsmith5 approved these changes

@mattmoor mattmoor mattmoor approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

job_workflow_ref is insufficient to disambiguate actions workflows
5 participants
@ckotzbauer @nsmith5 @mattmoor @bobcallaway @dlorenc