Trusted Publishing: Support self-hosted GitLab instances #15838
Comments
I think it would be technically possible to support a self-hosted instance like this (I see that https://gitlab.cern.ch/.well-known/openid-configuration and https://gitlab.cern.ch/oauth/discovery/keys are both publicly available, which is all we need for verification); the real question is what the process would be for adding support for all these one-off issuers. I think one thing we could do here would be to allow the user to optionally configure the Another option is that we allow-list certain issuers for projects in certain organizations, and manually handle these on a case-by-case basis. Open to ideas though!
Yeah, I think this poses a decent risk 😅. I think a variant of this came up with self-hosted GitHub Enterprise users as well, and IIRC my thoughts there were:
With those being said, I think the allow-list on an organization basis could work! But I think it would require some architectural changes to the current implementation, particularly around claim flexibility 🙂
This seems the most reasonable, as otherwise there could easily be abuse. I am mindful, however, that this requires the maintainer team to be responsible for a growing list of issuers. Would it help to have self-hosted instances that want to use Trusted Publishers self-identify for vetting by making a PR to the system that controls the allow-list? Or does this not actually decrease the maintenance burden much?
I think this would help a bit, but the bulk of the maintenance burden will (unfortunately) probably still be papering over the small differences between each self-hosted IdP. I suppose we could reduce the burden of that by enforcing a baseline set of claims for each "shape" of IdP (e.g. GitHub, GitLab) via
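The verification flow sketched in the two comments above (verify against the self-hosted instance's published discovery/JWKS data, refuse any issuer not on an allow-list, and enforce a baseline claim set per IdP "shape") as one concrete implementation. This is an added example, not warehouse code and not something posted in this thread. It assumes a hypothetical issuer https://gitlab.example.org serving keys at /oauth/discovery/keys, an allow-list layout of my own, and GitLab CI id_token claim names (project_path, ref, ref_type) as the "gitlab" baseline; RS256 and the RSA key are hand-rolled on the standard library only so the example runs offline, which is not how a production verifier should obtain its crypto.

```python
import base64, hashlib, json, random

_rng = random.SystemRandom()
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2 note 1
_k = lambda n: (n.bit_length() + 7) // 8  # byte length of a modulus or other non-negative int

def _is_probable_prime(n, rounds=32):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x != 1 and all(pow(x, 1 << r, n) != n - 1 for r in range(s)):
            return False
    return True

def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=1024):  # toy-sized key for the offline IdP stand-in; real IdPs use 2048+ bits
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return p * q, 65537, pow(65537, -1, phi)  # n, e, d

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    return pow(int.from_bytes(_emsa(msg, _k(n)), "big"), d, n).to_bytes(_k(n), "big")

def rs256_verify(msg, sig, n, e):
    return len(sig) == _k(n) and pow(int.from_bytes(sig, "big"), e, n).to_bytes(_k(n), "big") == _emsa(msg, _k(n))

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwks_for(n, e, kid):  # what the issuer's /oauth/discovery/keys would serve for this key
    return {"keys": [{"kid": kid, "kty": "RSA", "n": b64u(n.to_bytes(_k(n), "big")), "e": b64u(e.to_bytes(_k(e), "big"))}]}

def mint(claims, n, d, kid):  # compact JWS over claims; stands in for the IdP
    header = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = f"{header}.{b64u(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64u(rs256_sign(signing_input.encode(), n, d))}"

# Constructed allow-list keyed by exact issuer URL; the host and the GitLab claim names are assumptions.
ALLOWED_ISSUERS = {
    "https://gitlab.example.org": {"shape": "gitlab",
        "jwks_url": "https://gitlab.example.org/oauth/discovery/keys",
        "required_claims": ("sub", "project_path", "ref", "ref_type")},
}

def verify_token(token, audience, fetch_jwks):
    """Allow-listed issuer -> pinned JWKS -> RS256 -> aud -> shape claims; returns (claims, None) or (None, reason)."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64u_dec(h)), json.loads(b64u_dec(p))  # decoded, NOT yet trusted
    except ValueError:
        return None, "malformed token"
    policy = ALLOWED_ISSUERS.get(claims.get("iss"))
    if policy is None:  # unknown issuers are refused before any key is fetched
        return None, f"issuer {claims.get('iss')!r} not on allow-list"
    keys = fetch_jwks(policy["jwks_url"])["keys"]  # URL from the allow-list, never from the token
    key = next((k for k in keys if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        return None, "no matching RSA key"
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), b64u_dec(s), n, e):  # always RS256; alg header is ignored
        return None, "signature invalid"
    if claims.get("aud") != audience:
        return None, "wrong audience"
    missing = [c for c in policy["required_claims"] if not claims.get(c)]
    if missing:
        return None, f"{policy['shape']} token lacks {missing}"
    return claims, None

def scenario():  # offline IdP for the allow-listed issuer: one good token and three to reject
    n, e, d = rsa_keygen()
    kid, iss, aud = "key-1", "https://gitlab.example.org", "pypi"
    fetch_jwks = lambda url: jwks_for(n, e, kid) if url == ALLOWED_ISSUERS[iss]["jwks_url"] else {"keys": []}
    base = {"iss": iss, "aud": aud, "sub": "project_path:grp/pkg:ref_type:branch:ref:main",
            "project_path": "grp/pkg", "ref": "main", "ref_type": "branch"}  # constructed claims
    cases = {"valid": base,
             "unknown_issuer": {**base, "iss": "https://gitlab.not-allowlisted.example"},
             "missing_shape_claim": {k: v for k, v in base.items() if k != "project_path"}}
    results = {name: verify_token(mint(c, n, d, kid), aud, fetch_jwks)[1] for name, c in cases.items()}
    h, _, s = mint(base, n, d, kid).split(".")  # payload edited after signing
    forged = f"{h}.{b64u(json.dumps({**base, 'project_path': 'grp/other'}).encode())}.{s}"
    results["tampered_payload"] = verify_token(forged, aud, fetch_jwks)[1]
    return results

if __name__ == "__main__":
    print(scenario())
```

The ordering is the point: the payload is decoded only to look up the issuer in the allow-list, the JWKS location comes from that allow-list entry rather than from anything in the token, and claims are used for policy only after the signature over them has been verified. Adding a new self-hosted instance is then one allow-list entry (issuer, pinned JWKS URL, shape), which is the per-issuer maintenance cost discussed above.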
@woodruffw I'm at a GitLab hackathon (and GitLab team member here) and we're trying to figure out what exactly you would need in the openid-configuration file to move this forward. From how I understand it, that would not necessarily solve any of the verification issues that are being discussed above. Any pointers on how we can move forward here after we solve the issue you list? Most likely the warehouse software also needs to be modified to have some sort of approval process for self-managed instances?
From #13575:
Scanning the rest of this Issue quickly I didn't see a direct reply on this (apologies if I missed it). I don't have any technical experience on this issue, so are self-hosted GitLab instances something that would be feasible to support in the future? I'm specifically interested in CERN's GitLab instance (c.f. di/id#216) as there are multiple projects there that publish to PyPI where we'd like to transition to using Trusted Publishers.
Originally posted by @matthewfeickert in #13575 (comment)