From b4367cd08a1ad45c9157939266005cb2e2128931 Mon Sep 17 00:00:00 2001 From: meeech <4623+meeech@users.noreply.github.com> Date: Thu, 13 Nov 2025 17:20:39 -0500 Subject: [PATCH 1/6] add required information for onboarding circleci into fulcio https://github.com/sigstore/fulcio/issues/591 Signed-off-by: meeech <4623+meeech@users.noreply.github.com> --- config/identity/config.yaml | 16 +++++++++++++ docs/oid-info.md | 45 +++++++++++++++++++------------------ 2 files changed, 39 insertions(+), 22 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 218e98e64..9984e3914 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -17,6 +17,7 @@ define: - &gitlab-type "gitlab-pipeline" - &codefresh-type "codefresh-workflow" - &buildkite-type "buildkite-job" + - &circleci-type "circleci-job" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com 
@@ -262,3 +263,18 @@ ci-issuer-metadata: # build_source: Event that triggered this workflow run. (valid values: api, ui, webhook, trigger_job, schedule) build-trigger: "build_source" subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" # seems correct, do we still need the code in pkg/identity/buildkite/principal.go ? + *circleci-type: + default-template-values: + # principal gives priority to the claimed value over the default + platform_url: "https://app.circleci.com" + api_url: "https://circleci.com/api/v2" + runner_environment: "" + extension-templates: + # this API call leads back to the exact generated config used for this run + build-config-uri: "{{.api_url}}/pipeline/{{.'oidc.circleci.com/pipeline-id'}}/config" + # this API call leads back to the definition of the pipeline used for this run + # https://circleci.com/api/v2/projects/{project_id}/pipeline-definitions/{pipeline_definition_id} + build-signer-uri: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" + runner-environment: "runner_environment" + source-repository-ref: "oidc.circleci.com/vcs-ref" + source-repository-uri: "oidc.circleci.com/vcs-origin" diff --git a/docs/oid-info.md b/docs/oid-info.md index e89d14cad..f42c11191 100644 --- a/docs/oid-info.md +++ b/docs/oid-info.md 
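Review bot: The new `*circleci-type` block defines no `run-invocation-uri`, although the oid-info.md table added in this same commit maps CircleCI's Run Invocation URI to `oidc.circleci.com/pipeline-id`; without it the certificate carries nothing that ties it to a particular run, which is the extension verifiers lean on when scoping a signature to one execution. Either add a template (e.g. `run-invocation-uri: "oidc.circleci.com/pipeline-id"` in the plain-claim form `source-repository-ref` uses here, or a URL built on `{{.api_url}}` if a resolvable URI is preferred) or remove the docs row. The docs and this config also disagree on the signer path — `/pipeline-definition/` there versus `/pipeline-definitions/` in `build-signer-uri` — and the comment above that line gives the plural as the real API path, so the docs row looks like the one to fix. The `{{.'…'}}` accessor form is reworked later in this series, so I am not raising it here.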
@@ -193,28 +193,29 @@ that Sigstore operates. ## Mapping OIDC token claims to Fulcio OIDs -| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | Fulcio Certificate Extension | Why / Notes / Questions | -| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| aud | aud | aud | aud | N/A | Only used to validate the JWT. | -| iss | iss | iss | iss | Issuer | This already exists. For example: | -| exp | exp | exp | exp | N/A | Only used to validate the JWT. | -| nbf | nbf | nbf | nbf | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | -| iat | iat | iat | iat | N/A | Only used to validate the JWT. | -| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | -| job_workflow_sha | ci_config_sha | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. 
| -| runner_environment | runner_environment | runner_environment | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | -| server_url + repository | server_url + project_path | N/A | scm_repo_url | Source Repository URI | Should include a fully qualified repository URL. | -| sha | sha | build_commit | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | -| repository_id | project_id | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. | -| server_url + repository_owner | server_url + namespace_path | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | -| repository_owner_id | namespace_id | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | -| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | Build Config URI | A reference to the initiating build instructions. | -| workflow_sha | ci_config_sha | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| event_name | pipeline_source | build_source | N/A | Build Trigger | The event or action that triggered the build. 
| -| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | -| repository_visibility | project_visibility | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | -| environment | environment | N/A | N/A | Deployment Environment | Deployment target for a workflow or job | +| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | CircleCI [(docs)][circleci-oidc-doc] | Fulcio Certificate Extension | Why / Notes / Questions | +| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| aud | aud | aud | aud | aud | N/A | Only used to validate the JWT. | +| iss | iss | iss | iss | iss | Issuer | This already exists. For example: | +| exp | exp | exp | exp | exp | N/A | Only used to validate the JWT. 
| +| nbf | nbf | nbf | nbf | N/A | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | +| iat | iat | iat | iat | iat | N/A | Only used to validate the JWT. | +| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | api_url + "/projects/" + project-id + "/pipeline-definition/" + pipeline-definition-id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | +| job_workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| runner_environment | runner_environment | runner_environment | runner_environment | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | +| server_url + repository | server_url + project_path | N/A | scm_repo_url | oidc.circleci.com/vcs-origin | Source Repository URI | Should include a fully qualified repository URL. | +| sha | sha | build_commit | N/A | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | oidc.circleci.com/vcs-ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | +| repository_id | project_id | N/A | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. 
| +| server_url + repository_owner | server_url + namespace_path | N/A | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | +| repository_owner_id | namespace_id | N/A | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | +| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | api_url + "/pipeline/" + pipeline-id + "/config" | Build Config URI | A reference to the initiating build instructions. | +| workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| event_name | pipeline_source | build_source | N/A | N/A | Build Trigger | The event or action that triggered the build. | +| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | oidc.circleci.com/pipeline-id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | +| repository_visibility | project_visibility | N/A | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | +| environment | environment | N/A | N/A | N/A | Deployment Environment | Deployment target for a workflow or job | [github-oidc-doc]: https://docs.github.com/en/actions/reference/security/oidc#oidc-token-claims [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264 +[circleci-oidc-doc]: https://circleci.com/docs/guides/permissions-authentication/openid-connect-tokens/ From 3bafa865abade53fe71ab700baaca370094dfc61 Mon Sep 17 00:00:00 2001 
From: meeech <4623+meeech@users.noreply.github.com> Date: Thu, 13 Nov 2025 17:44:37 -0500 Subject: [PATCH 2/6] add SAN that copies what gha is doing Signed-off-by: meeech <4623+meeech@users.noreply.github.com> --- config/identity/config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 9984e3914..d614430df 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -266,7 +266,6 @@ ci-issuer-metadata: *circleci-type: default-template-values: # principal gives priority to the claimed value over the default - platform_url: "https://app.circleci.com" api_url: "https://circleci.com/api/v2" runner_environment: "" extension-templates: @@ -278,3 +277,4 @@ ci-issuer-metadata: runner-environment: "runner_environment" source-repository-ref: "oidc.circleci.com/vcs-ref" source-repository-uri: "oidc.circleci.com/vcs-origin" + subject-alternative-name-template: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" From 68986ac393dd8256149077c4d6be12839e1b6568 Mon Sep 17 00:00:00 2001 From: meeech <4623+meeech@users.noreply.github.com> Date: Tue, 18 Nov 2025 10:11:24 -0500 Subject: [PATCH 3/6] add some logic to runner_environment Signed-off-by: meeech <4623+meeech@users.noreply.github.com> --- config/identity/config.yaml | 2 +- docs/oid-info.md | 44 ++++++++++++++++++------------------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index d614430df..64b858827 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml 
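Review bot: The new `subject-alternative-name-template` derives the certificate identity from `api_url`, a `default-template-values` entry that, per the comment retained in the first hunk, yields to a same-named token claim; the SAN's scheme and host are therefore only as fixed as the issuer's claim set, which deserves a deliberate decision rather than an inherited one. The other providers follow the same pattern with `url`, so this may well be acceptable, but a one-line comment such as `# SAN prefix comes from api_url; a token claim named api_url would take precedence` would make the dependency visible to whoever reviews the trust-root policy. The template is also a verbatim copy of `build-signer-uri`; recording that the SAN intentionally identifies the pipeline definition (two opaque ids, unlike the human-readable workflow ref GitHub Actions puts in its SAN) would help anyone writing identity matchers against these certificates. The `{{.'…'}}` accessor form is corrected later in this series.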
@@ -274,7 +274,7 @@ ci-issuer-metadata: # this API call leads back to the definition of the pipeline used for this run # https://circleci.com/api/v2/projects/{project_id}/pipeline-definitions/{pipeline_definition_id} build-signer-uri: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" - runner-environment: "runner_environment" + runner-environment: '{{if eq (index . "oidc.circleci.com/ssh-rerun") "true"}}ssh-rerun{{ else }}""{{end}}' source-repository-ref: "oidc.circleci.com/vcs-ref" source-repository-uri: "oidc.circleci.com/vcs-origin" subject-alternative-name-template: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" diff --git a/docs/oid-info.md b/docs/oid-info.md index f42c11191..73ba42b2d 100644 --- a/docs/oid-info.md +++ b/docs/oid-info.md 
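Review bot: The else branch of the new `runner-environment` template emits the two-character literal `""` rather than an empty value, because anything between `{{ else }}` and `{{end}}` is plain template text; every job that is not an SSH rerun would therefore get a Runner Environment extension containing two quote characters. Drop the literal: `runner-environment: '{{if eq (index . "oidc.circleci.com/ssh-rerun") "true"}}ssh-rerun{{end}}'`. The comparison also assumes the claim is delivered as the string `"true"`; as far as I can tell, if CircleCI emits a JSON boolean instead, `eq` compares a bool against a string and the template errors rather than falling through, so the accepted claim shape is worth pinning in principal_test.go. Note too that `ssh-rerun` is not one of the values this extension is documented with (`platform-hosted`/`self-hosted`), so any policy keyed on Runner Environment for CircleCI needs to know the field is being repurposed; the oid-info.md row in this same commit could state that outright rather than "Don't trust when …".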
@@ -193,28 +193,28 @@ that Sigstore operates. ## Mapping OIDC token claims to Fulcio OIDs -| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | CircleCI [(docs)][circleci-oidc-doc] | Fulcio Certificate Extension | Why / Notes / Questions | -| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| aud | aud | aud | aud | aud | N/A | Only used to validate the JWT. | -| iss | iss | iss | iss | iss | Issuer | This already exists. For example: | -| exp | exp | exp | exp | exp | N/A | Only used to validate the JWT. | -| nbf | nbf | nbf | nbf | N/A | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | -| iat | iat | iat | iat | iat | N/A | Only used to validate the JWT. | -| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | api_url + "/projects/" + project-id + "/pipeline-definition/" + pipeline-definition-id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. 
| -| job_workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| runner_environment | runner_environment | runner_environment | runner_environment | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | -| server_url + repository | server_url + project_path | N/A | scm_repo_url | oidc.circleci.com/vcs-origin | Source Repository URI | Should include a fully qualified repository URL. | -| sha | sha | build_commit | N/A | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | oidc.circleci.com/vcs-ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | -| repository_id | project_id | N/A | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. | -| server_url + repository_owner | server_url + namespace_path | N/A | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | -| repository_owner_id | namespace_id | N/A | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | -| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | api_url + "/pipeline/" + pipeline-id + "/config" | Build Config URI | A reference to the initiating build instructions. 
| -| workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| event_name | pipeline_source | build_source | N/A | N/A | Build Trigger | The event or action that triggered the build. | -| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | oidc.circleci.com/pipeline-id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | -| repository_visibility | project_visibility | N/A | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | -| environment | environment | N/A | N/A | N/A | Deployment Environment | Deployment target for a workflow or job | +| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | CircleCI [(docs)][circleci-oidc-doc] | Fulcio Certificate Extension | Why / Notes / Questions | +| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| aud | aud | aud | aud | aud | N/A | Only used to validate the JWT. | +| iss | iss | iss | iss | iss | Issuer | This already exists. For example: | +| exp | exp | exp | exp | exp | N/A | Only used to validate the JWT. | +| nbf | nbf | nbf | nbf | N/A | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | +| iat | iat | iat | iat | iat | N/A | Only used to validate the JWT. | +| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | api_url + "/projects/" + project-id + "/pipeline-definition/" + pipeline-definition-id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | +| job_workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| runner_environment | runner_environment | runner_environment | runner_environment | if "oidc.circleci.com/ssh-rerun" is true, this will have value of "ssh-rerun". Don't trust when runner_environment is "ssh-rerun". | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | +| server_url + repository | server_url + project_path | N/A | scm_repo_url | oidc.circleci.com/vcs-origin | Source Repository URI | Should include a fully qualified repository URL. | +| sha | sha | build_commit | N/A | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. 
May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | oidc.circleci.com/vcs-ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | +| repository_id | project_id | N/A | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. | +| server_url + repository_owner | server_url + namespace_path | N/A | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | +| repository_owner_id | namespace_id | N/A | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | +| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | api_url + "/pipeline/" + pipeline-id + "/config" | Build Config URI | A reference to the initiating build instructions. | +| workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| event_name | pipeline_source | build_source | N/A | N/A | Build Trigger | The event or action that triggered the build. 
| +| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | oidc.circleci.com/pipeline-id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | +| repository_visibility | project_visibility | N/A | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | +| environment | environment | N/A | N/A | N/A | Deployment Environment | Deployment target for a workflow or job | [github-oidc-doc]: https://docs.github.com/en/actions/reference/security/oidc#oidc-token-claims [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264 From d830f0ed38e012938025beea7a799707f229a21f Mon Sep 17 00:00:00 2001 From: meeech <4623+meeech@users.noreply.github.com> Date: Tue, 18 Nov 2025 10:11:43 -0500 Subject: [PATCH 4/6] adjust how we handle template fragments to account for keys with special characters Signed-off-by: meeech <4623+meeech@users.noreply.github.com> --- config/identity/config.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 64b858827..af981685c 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml 
@@ -269,12 +269,15 @@ ci-issuer-metadata: api_url: "https://circleci.com/api/v2" runner_environment: "" extension-templates: + # NOTE: Because of how the text/template parsing works with / and . characters, + # we use " inside our template fragments which is why we use ' to wrap + # this API call leads back to the exact generated config used for this run - build-config-uri: "{{.api_url}}/pipeline/{{.'oidc.circleci.com/pipeline-id'}}/config" + build-config-uri: '{{.api_url}}/pipeline/{{(index . "oidc.circleci.com/pipeline-id")}}/config' # this API call leads back to the definition of the pipeline used for this run # https://circleci.com/api/v2/projects/{project_id}/pipeline-definitions/{pipeline_definition_id} - build-signer-uri: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" + build-signer-uri: '{{.api_url}}/projects/{{(index . "oidc.circleci.com/project-id")}}/pipeline-definitions/{{(index . "oidc.circleci.com/pipeline-definition-id")}}' runner-environment: '{{if eq (index . "oidc.circleci.com/ssh-rerun") "true"}}ssh-rerun{{ else }}""{{end}}' - source-repository-ref: "oidc.circleci.com/vcs-ref" - source-repository-uri: "oidc.circleci.com/vcs-origin" - subject-alternative-name-template: "{{.api_url}}/projects/{{.'oidc.circleci.com/project-id'}}/pipeline-definitions/{{.'oidc.circleci.com/pipeline-definition-id'}}" + source-repository-ref: '{{index . "oidc.circleci.com/vcs-ref"}}' + source-repository-uri: '{{index . "oidc.circleci.com/vcs-origin"}}' + subject-alternative-name-template: '{{.api_url}}/projects/{{(index . "oidc.circleci.com/project-id")}}/pipeline-definitions/{{(index . "oidc.circleci.com/pipeline-definition-id")}}' From 82de652f91f3de9e50589bc28623d2fd4a40c1f1 Mon Sep 17 00:00:00 2001 From: meeech <4623+meeech@users.noreply.github.com> Date: Tue, 18 Nov 2025 10:27:18 -0500 Subject: [PATCH 5/6] add a test for claim key with . and / in it 
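Review bot: The NOTE comment added at the top of `extension-templates` explains the quoting choice but not the underlying cause, so a reader still has to work out why `{{.'oidc.circleci.com/pipeline-id'}}` did not work. Suggest replacing it with `# NOTE: text/template's .field syntax only accepts identifiers, so claims whose names contain '.' or '/' must be fetched with (index . "claim"); the double quotes inside those actions are why these values are single-quoted YAML.` Style nit: `build-config-uri`, `build-signer-uri` and the SAN wrap `index` in redundant parentheses (`{{(index . "…")}}`) while `source-repository-ref` and `source-repository-uri` use the bare `{{index . "…"}}`; picking one form makes the block easier to scan.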
Signed-off-by: meeech <4623+meeech@users.noreply.github.com>
---
 pkg/identity/ciprovider/principal_test.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index b01bb9817..348390492 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -338,6 +338,7 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "ref_tag": "1.0.0",
 "html_claim": "",
 "claim_foo": "bar",
+ "with.dot.and/slash": "cat",
 }
 issuerMetadata := map[string]string{
 "url": "https://github.com",
@@ -397,6 +398,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "refs/tags/1.0.0",
 ExpectErr: false,
 },
+ `Template with slash and dots in key`: {
+ Template: `{{ .aud }}/{{(index . "with.dot.and/slash")}}`,
+ ExpectedResult: "sigstore/cat",
+ ExpectErr: false,
+ },
 `Raise error for empty key in comparison`: {
 Template: `{{if eq . ""}}foo{{else}}bar{{end}}`,
 ExpectedResult: "",
From 2159a8a84c6824b9c524c2706e70c5445e5ae62c Mon Sep 17 00:00:00 2001
From: meeech <4623+meeech@users.noreply.github.com>
Date: Tue, 18 Nov 2025 22:18:57 -0500
Subject: [PATCH 6/6] remove unneeded default claim value
Signed-off-by: meeech <4623+meeech@users.noreply.github.com>
---
 config/identity/config.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index af981685c..191bb81e6 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -267,7 +267,6 @@ ci-issuer-metadata:
 default-template-values:
 # principal gives priority to the claimed value over the default
 api_url: "https://circleci.com/api/v2"
- runner_environment: ""
 extension-templates:
 # NOTE: Because of how the text/template parsing works with / and . characters,
 # we use " inside our template fragments which is why we use ' to wrap
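Review bot: The new `Template with slash and dots in key` case proves that `index` reaches a claim whose name contains `.` and `/`, but nothing in this table exercises the shape of template that config.yaml now ships for `runner-environment`, where the text between `{{ else }}` and `{{end}}` is emitted verbatim. A case built on the same claim pins that behaviour: with `with.dot.and/slash` set to `cat`, the comparison against `"true"` is false and the output is the two-character string `""` rather than an empty value, which is exactly what the production template would write into the Runner Environment extension. The test table continues outside this hunk, so the case can sit anywhere in it.
```go
// … unchanged: existing cases …
`Template with slash and dots in key`: {
	Template:       `{{ .aud }}/{{(index . "with.dot.and/slash")}}`,
	ExpectedResult: "sigstore/cat",
	ExpectErr:      false,
},
`Else branch text of a quoted template is emitted verbatim`: {
	// Mirrors the runner-environment template in config/identity/config.yaml:
	// the `""` between {{ else }} and {{end}} is literal text, so the result is
	// two quote characters, not an empty string.
	Template:       `{{if eq (index . "with.dot.and/slash") "true"}}ssh-rerun{{ else }}""{{end}}`,
	ExpectedResult: `""`,
	ExpectErr:      false,
},
// … unchanged: remaining cases …
```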