Replies: 4 comments
-
🤔 There was some work already done if I remember well at #4159.
-
Yer, that was by my colleague @sj26. I've been experimenting with using Buildkite OIDC tokens via the Api Key Roles feature today and it almost works (and can be fixed easily enough once we decide whether to fix it on our side or rubygems). Trusted Publishers seems similar, but different? When I open the new trusted provider form for a gem I own, GHA is the only option:
-
Yup, we are open to adding buildkite! We were just waiting until someone expressed interest before doing the work ;)
-
@yob A good start would be to add Buildkite into TrustedPublisher.all (rubygems.org/app/views/oidc/rubygem_trusted_publishers/new_view.rb, lines 22 to 24 in 093194a).
-
Buildkite would love to publish its own gems using OIDC, and we have customers who would benefit from this too.
I've been testing out OIDC and Api Key Roles for that, aiming to get the process documented (see #5296 (comment) and #5376). However, I also noticed that trusted publishers are now a thing, and the doc here says:
Those all seem pretty compelling to me, so I'm up for implementing Buildkite as a trusted publisher if you're interested.
My assumption is that this would allow gems to be pushed from Buildkite CI jobs using the new --attestation flag released in rubygems 3.6.0? Relatedly, I'm working with the sigstore folks to add some additional extensions to certs generated from our OIDC tokens: sigstore/fulcio#1903. I assume that might be helpful for trusted publisher reasons.
cc @sj26