diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index d563a21ff..d9fb56fec 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -152,7 +152,7 @@ ci-issuer-metadata:
 runner-environment: "runner_environment"
 source-repository-uri: "{{ .url }}/{{ .repository }}"
 source-repository-digest: "sha"
- source-repository-ref: "ref"
+ source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }}
 source-repository-identifier: "project_id"
 source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
 source-repository-owner-identifier: "namespace_id"
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index aa387f995..e60b216b6 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -229,6 +229,10 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "workflow": "foo",
 "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 "workflow_sha": "example-sha-other",
+ "ref_type": "branch",
+ "ref_gitlab": "main",
+ "ref_type_tag": "tag",
+ "ref_tag": "1.0.0",
 }
 issuerMetadata := map[string]string{
 "url": "https://github.com",
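Review bot: The new `source-repository-ref` template in config/identity/config.yaml keeps a `/` after `{{end}}` although both branches already end in a slash, so it would render `refs/heads//main` or `refs/tags//1.0.0`. That string is presumably what lands in the issued certificate's source-repository-ref field, where a verification policy matching on `refs/heads/main` would no longer match. The cases added to TestApplyTemplateOrReplace in principal_test.go use a template without that extra slash, so they pass without exercising the string that actually ships. I would write the line as `source-repository-ref: 'refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref }}'`, quoted like the neighbouring values.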
@@ -269,18 +273,28 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "",
 ExpectErr: true,
 },
+ `If else template`: {
+ Template: `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
+ ExpectedResult: "refs/heads/main",
+ ExpectErr: false,
+ },
+ `If else template using else condition`: {
+ Template: `refs/{{if eq .ref_type_tag "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_tag }}`,
+ ExpectedResult: "refs/tags/1.0.0",
+ ExpectErr: false,
+ },
 }
 for name, test := range tests {
 t.Run(name, func(t *testing.T) {
 res, err := applyTemplateOrReplace(test.Template, tokenClaims, issuerMetadata)
 if res != test.ExpectedResult {
- t.Errorf("expected result don't matches: Expected %s, received: %s",
- test.ExpectedResult, res)
+ t.Errorf("expected result don't matches: Expected %s, received: %s, error: %v",
+ test.ExpectedResult, res, err)
 }
 if (err != nil) != test.ExpectErr {
- t.Errorf("should raise an error don't matches: Expected %v, received: %v",
- test.ExpectErr, err != nil)
+ t.Errorf("should raise an error don't matches: Expected %v, received: %v, error: %v",
+ test.ExpectErr, err != nil, err)
 }
 })
 }
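Review bot: Neither new case covers a `ref_type` claim that is absent or holds something other than `branch` or `tag`, and with the bare `{{ else }}` any such token would be labelled `refs/tags/…`. Because the rendered ref is presumably a value that verifiers gate on, I would add a case that pins what applyTemplateOrReplace does for a missing or unexpected `ref_type` (an error would be the safer outcome; the helper's handling of a missing key is not visible here). The fixtures also use `ref_gitlab`, `ref_type_tag` and `ref_tag` where the config template reads `ref` and `ref_type`, so a short comment such as `// stand-ins for the GitLab ref / ref_type claims` above them would make the mapping clear. The test function starts and ends outside this hunk.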