Add ci_config_sha JWT claim
What does this MR do and why?
Add a new claim called ci_config_sha to Ci::JwtV2. This claim will be used by Fulcio to generate certificates for keyless signing.
The ci_config_sha claim is only populated if the CI config is located in the repository. In a future iteration we will populate it for other config sources as well.
Related to #404722 (closed)
Screenshots or screen recordings
Ci::JwtV2 payload:
{
"namespace_id": "22",
"namespace_path": "gitlab-org",
"project_id": "2",
"project_path": "gitlab-org/gitlab-shell",
"user_id": "1",
"user_login": "root",
"user_email": "admin@example.com",
"pipeline_id": "13",
"pipeline_source": "push",
"job_id": "208",
"ref": "memory-limit",
"ref_type": "branch",
"ref_path": "refs/heads/memory-limit",
"ref_protected": "",
"runner_id": null,
"runner_environment": null,
"sha": "4e9b7dbc7e42626ca4f4676ad91f17951f97af9a",
"ci_config_ref_uri": "gitlab.localdev:3000/gitlab-org/gitlab-shell//.gitlab-ci.yml@refs/heads/memory-limit",
"ci_config_sha": "4e9b7dbc7e42626ca4f4676ad91f17951f97af9a",
"jti": "8547b834-c512-413f-bf1e-721beb673c69",
"iss": "http://gitlab.localdev:3000",
"iat": 1688590755,
"nbf": 1688590750,
"exp": 1688591055,
"sub": "project_path:gitlab-org/gitlab-shell:ref_type:branch:ref:memory-limit",
"aud": "http://gitlab.localdev:3000"
}
How to set up and validate locally
build = Ci::Build.last
Gitlab::Ci::Jwt.new(build, ttl: 1.hour).payload
Gitlab::Ci::JwtV2.new(build, aud: 'my-aud', ttl: 1.hour).payload
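As an added illustration (not code from this MR or from GitLab/Fulcio), the following Ruby shows the kind of consistency check a relying party could run over the verified claims of the payload printed above before trusting ci_config_sha. The assumptions are: the token's signature and expiry have already been verified elsewhere; "config located in the repository" is recognised by the project path inside ci_config_ref_uri matching the project_path claim; the URI shape "<host>/<project_path>//<config_path>@<ref_path>" and the equality of ci_config_sha with sha are both taken from the sample payload in this MR rather than from any documented guarantee. Function names are the example's own.

```ruby
require 'json'

# Constructed sample: the Ci::JwtV2 payload from this MR description,
# trimmed to the claims the check below inspects.
SAMPLE_PAYLOAD = <<~JSON
  {
    "project_path": "gitlab-org/gitlab-shell",
    "ref_type": "branch",
    "ref": "memory-limit",
    "ref_path": "refs/heads/memory-limit",
    "sha": "4e9b7dbc7e42626ca4f4676ad91f17951f97af9a",
    "ci_config_ref_uri": "gitlab.localdev:3000/gitlab-org/gitlab-shell//.gitlab-ci.yml@refs/heads/memory-limit",
    "ci_config_sha": "4e9b7dbc7e42626ca4f4676ad91f17951f97af9a"
  }
JSON

HEX_SHA = /\A\h{40}\z/

# Split a ci_config_ref_uri of the form "<host>/<project_path>//<config_path>@<ref_path>"
# into its parts. The "//" separator and "@<ref_path>" suffix are assumed from the
# sample value in this MR. Returns nil if the value does not have that shape.
def parse_ci_config_ref_uri(uri)
  return nil unless uri.is_a?(String)

  m = uri.match(%r{\A(?<host>[^/]+)/(?<project>.+?)//(?<config>[^@]+)@(?<ref>.+)\z})
  return nil unless m

  { host: m[:host], project_path: m[:project], config_path: m[:config], ref_path: m[:ref] }
end

# Policy check a relying party (for example a certificate issuer) could apply to a
# token whose signature and expiry were already verified. Returns an array of
# violation strings; an empty array means the claims are mutually consistent.
def check_ci_config_claims(claims)
  violations = []
  ref = parse_ci_config_ref_uri(claims['ci_config_ref_uri'])
  if ref.nil?
    violations << 'ci_config_ref_uri missing or malformed'
    return violations
  end

  # The URI must describe the same project and ref the token was issued for.
  in_repo = ref[:project_path] == claims['project_path']
  violations << 'ci_config_ref_uri project does not match project_path' unless in_repo
  violations << 'ci_config_ref_uri ref does not match ref_path' unless ref[:ref_path] == claims['ref_path']

  sha = claims['ci_config_sha']
  if in_repo
    # Config lives in the repository, so the MR says the claim is populated.
    violations << 'ci_config_sha missing for in-repository config' if sha.nil? || sha.empty?
    violations << 'ci_config_sha is not a 40-hex commit SHA' if sha && sha !~ HEX_SHA
    # Assumption drawn from the sample payload: in-repo config is pinned to the
    # same commit the pipeline runs against.
    violations << 'ci_config_sha does not match sha' if sha && sha != claims['sha']
  elsif sha && !sha.empty?
    # Other config sources are not populated yet per the MR, so a value here is unexpected.
    violations << 'ci_config_sha set although config is not from the repository'
  end
  violations
end

if __FILE__ == $PROGRAM_NAME
  claims = JSON.parse(SAMPLE_PAYLOAD)
  puts "parsed ref uri: #{parse_ci_config_ref_uri(claims['ci_config_ref_uri']).inspect}"
  puts "violations: #{check_ci_config_claims(claims).inspect}"
end
```

The check deliberately reports every inconsistency rather than stopping at the first, so a rejected token can be logged with the full list of mismatched claims.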
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Alishan Ladhani