From e7456474222a04d4825bb6d2c796ba5722c2beb5 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Mon, 15 Jul 2024 21:22:07 +0000
Subject: [PATCH] migrate github to ci-provider

Signed-off-by: Javan lacerda
---
 config/identity/config.yaml      | 34 +++++++++++++++++++++++++++++---
 pkg/config/fulcio_config_test.go |  7 +++++--
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index ecbfd64d6..82003927e 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+define: &github-type "github-workflow"
+
 oidc-issuers:
   https://accounts.google.com:
     issuer-url: https://accounts.google.com
@@ -84,7 +86,8 @@ oidc-issuers:
   https://token.actions.githubusercontent.com:
     issuer-url: https://token.actions.githubusercontent.com
     client-id: sigstore
-    type: github-workflow
+    type: ci-provider
+    ci-provider: *github-type
     contact: tac@sigstore.dev
     description: "GitHub Actions OIDC auth"
 meta-issuers:
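Review bot: The new top-level `define:` key in the first hunk exists only to host the `&github-type` anchor and is not an issuer or metadata section, so whether the loader tolerates it depends on how strictly the YAML is decoded — a strict decoder would reject the unknown field, a lenient one silently drops it. Nothing in the file tells a reader that, so a comment above it such as `# "define" only hosts the YAML anchor reused below; it is not a config option` would help. The same anchor is later used as a mapping key under `ci-issuer-metadata`, which is valid YAML but uncommon enough to deserve the same note.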
@@ -102,5 +105,30 @@ meta-issuers:
     type: kubernetes
   https://token.actions.githubusercontent.com/*:
     client-id: sigstore
-    type: github-workflow
-
+    type: ci-provider
+    ci-provider: *github-type
+ci-issuer-metadata:
+  *github-type:
+    default-template-values:
+      url: "https://github.com"
+    extension-templates:
+      github-workflow-trigger: "event_name"
+      github-workflow-sha: "sha"
+      github-workflow-name: "workflow"
+      github-workflow-repository: "repository"
+      github-workflow-ref: "ref"
+      build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}"
+      build-signer-digest: "job_workflow_sha"
+      runner-environment: "runner_environment"
+      source-repository-uri: "{{ .url }}/{{ .repository }}"
+      source-repository-digest: "sha"
+      source-repository-ref: "ref"
+      source-repository-identifier: "repository_id"
+      source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}"
+      source-repository-owner-identifier: "repository_owner_id"
+      build-config-uri: "{{ .url }}/{{ .workflow_ref }}"
+      build-config-digest: "workflow_sha"
+      build-trigger: "event_name"
+      run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
+      source-repository-visibility-at-signing: "repository_visibility"
+    subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
index c0c464523..f5a6fd3b2 100644
--- a/pkg/config/fulcio_config_test.go
+++ b/pkg/config/fulcio_config_test.go
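Review bot: The values under `extension-templates` name token claims (`job_workflow_ref`, `run_id`, `run_attempt`, `repository_visibility`, …) but the file says neither where they are looked up nor what happens when a claim is absent from a token; if the template engine substitutes an empty string for a missing claim instead of failing, a partially formed URI would end up in the certificate extension, so that loader behaviour is worth confirming and stating here. That `{{ .url }}` resolves from `default-template-values` is only inferable from the names. A short header comment above `ci-issuer-metadata:` along the lines of `# Bare values are claim names read from the verified OIDC token; {{ .x }} templates may also reference default-template-values` would make the contract visible to whoever adds the next provider.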
@@ -53,11 +53,14 @@ func TestLoadFulcioConfig(t *testing.T) {
 			t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
 		}
 		if string(got.Type) == "" {
-			t.Errorf("Issuer Type should not be empty")
+			t.Errorf("issuer Type should not be empty")
 		}
 		if got.Type == IssuerTypeCIProvider {
 			if got.CIProvider == "" {
-				t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+				t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
+			}
+			if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
+				t.Error("isseuer with type ci provider should has the same ci provider name as key for CIIssuerMetadata")
 			}
 		}
 		if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
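Review bot: The new `t.Error` in the ci-provider branch reports neither which issuer nor which `CIProvider` value failed the lookup, and its message has typos (`isseuer`, `should has`); `t.Errorf("issuer %s: CIProvider %q has no entry in CIIssuerMetadata", issuerURL, got.CIProvider)` would make a failure actionable, and `issuerURL` is already in scope per the first context line. The rewritten message just above it (`issuer that is CIProvider field shouldn't be empty …`) reads awkwardly too; keeping the original wording with the lowercase first letter, `issuer CIProvider should not be empty when Type is ci-provider`, says the same thing. The check also only confirms the key exists; asserting that the looked-up metadata carries a non-empty subject-alternative-name template would catch a provider entry that parses but cannot issue a certificate. TestLoadFulcioConfig starts and ends outside the hunk.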