Skip to content

Add `ci_config_ref_uri` claim to Ci::JwtV2 for repository source

What does this MR do and why?

Add a new claim called ci_config_ref_uri to Ci::JwtV2.

The ci_config_ref_uri claim is only populated if the CI config is located in the repository. In a future iteration we will populate it for other config sources as well.

This MR was extracted from !121597 (closed) with a few changes. See !121597 (comment 1413086883) for context.

Related to #404722 (closed)

Screenshots or screen recordings

{
  "namespace_id": "22",
  "namespace_path": "gitlab-org",
  "project_id": "2",
  "project_path": "gitlab-org/gitlab-shell",
  "user_id": "1",
  "user_login": "root",
  "user_email": "admin@example.com",
  "pipeline_id": "13",
  "pipeline_source": "push",
  "job_id": "208",
  "ref": "memory-limit",
  "ref_type": "branch",
  "ref_path": "refs/heads/memory-limit",
  "ref_protected": "",
  "runner_id": null,
  "runner_environment": null,
  "sha": "4e9b7dbc7e42626ca4f4676ad91f17951f97af9a",
  "ci_config_ref_uri": "gitlab.localdev:3000/gitlab-org/gitlab-shell//.gitlab-ci.yml@refs/heads/memory-limit",
  "jti": "4fd07b67-10e8-4fa5-8017-76307ad75a65",
  "iss": "http://gitlab.localdev:3000",
  "iat": 1686857681,
  "nbf": 1686857676,
  "exp": 1686857981,
  "sub": "project_path:gitlab-org/gitlab-shell:ref_type:branch:ref:memory-limit",
  "aud": "http://gitlab.localdev:3000"
}

How to set up and validate locally

Feature.enable(:ci_jwt_v2_ref_uri_claim)
build = Ci::Build.last
Gitlab::Ci::Jwt.new(build, ttl: 1.hour).payload
Gitlab::Ci::JwtV2.new(build, aud: 'my-aud', ttl: 1.hour).payload

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alishan Ladhani

Merge request reports

Loading