Migrate github to ci provider flow (#1738)

Contribute towards #1111 Moves GitHub configuration to the new ci-provider configuration. No changes to issued certificates. Signed-off-by: Javan Lacerda <[email protected]>
sigstore · Jul 23, 2024 · 9f02ba2 · 9f02ba2
1 parent 7cb695f
commit 9f02ba2
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 5 deletions.
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+define: &github-type "github-workflow"
+
 oidc-issuers:
   https://accounts.google.com:
     issuer-url: https://accounts.google.com
@@ -90,7 +92,8 @@ oidc-issuers:
   https://token.actions.githubusercontent.com:
     issuer-url: https://token.actions.githubusercontent.com
     client-id: sigstore
-    type: github-workflow
+    type: ci-provider
+    ci-provider: *github-type
     contact: [email protected]
     description: "GitHub Actions OIDC auth"
 meta-issuers:
@@ -108,5 +111,30 @@ meta-issuers:
     type: kubernetes
   https://token.actions.githubusercontent.com/*:
     client-id: sigstore
-    type: github-workflow
-
+    type: ci-provider
+    ci-provider: *github-type
+ci-issuer-metadata:
+  *github-type:
+      default-template-values:
+          url: "https://github.com"
+      extension-templates: 
+          github-workflow-trigger: "event_name"
+          github-workflow-sha: "sha"
+          github-workflow-name: "workflow"
+          github-workflow-repository: "repository"
+          github-workflow-ref: "ref"
+          build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}"
+          build-signer-digest: "job_workflow_sha"
+          runner-environment: "runner_environment"
+          source-repository-uri: "{{ .url }}/{{ .repository }}"
+          source-repository-digest: "sha"
+          source-repository-ref: "ref"
+          source-repository-identifier: "repository_id"
+          source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}"
+          source-repository-owner-identifier: "repository_owner_id"
+          build-config-uri: "{{ .url }}/{{ .workflow_ref }}"
+          build-config-digest: "workflow_sha"
+          build-trigger: "event_name"
+          run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
+          source-repository-visibility-at-signing: "repository_visibility"
+      subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
@@ -53,11 +53,14 @@ func TestLoadFulcioConfig(t *testing.T) {
 			t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
 		}
 		if string(got.Type) == "" {
-			t.Errorf("Issuer Type should not be empty")
+			t.Errorf("issuer Type should not be empty")
 		}
 		if got.Type == IssuerTypeCIProvider {
 			if got.CIProvider == "" {
-				t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+				t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
+			}
+			if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
+				t.Error("issuer with type ci-provider should have the same CI provider name as key for CIIssuerMetadata")
 			}
 		}
 		if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {