While trusted publishing technically works for gitlab.com / github.com, it is currently messy on the client side in the CI environments; it looks like this:
GitLab CI code for trusted publishing
```yaml
publish:
  image: ghcr.io/sensmetry/sysand:0.1.0-rc.1
  variables:
    SYSAND_INDEX_URL: https://staging.sysand.com
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: sysand
  script:
    # acquire and configure sysand index credentials
    - |
      TOKEN=$(
        curl -s -X POST "${SYSAND_INDEX_URL}/api/v1/oidc/token" \
          -H "Content-Type: application/json" \
          -d "{\"token\": \"${GITLAB_OIDC_TOKEN}\"}" \
        | grep -o '"token": *"[^"]*"' \
        | cut -d'"' -f4 \
      )
      export SYSAND_CRED_X="${SYSAND_INDEX_URL}/api/v1/**"
      export SYSAND_CRED_X_BEARER_TOKEN="$TOKEN"
```
GitHub CI code for trusted publishing
```yaml
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      SYSAND_INDEX_URL: https://staging.sysand.com
    permissions:
      id-token: write
    steps:
      - name: Acquire and configure sysand index credentials
        run: |
          # ask the runner for an OIDC token with the audience the index expects
          GITHUB_OIDC_TOKEN=$(
            curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
              "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sysand" \
            | grep -o '"value": *"[^"]*"' \
            | cut -d'"' -f4 \
          )
          # exchange it for a short-lived, project-scoped index token
          SYSAND_INDEX_TOKEN=$(
            curl -s -X POST "${SYSAND_INDEX_URL}/api/v1/oidc/token" \
              -H "Content-Type: application/json" \
              -d "{\"token\": \"${GITHUB_OIDC_TOKEN}\"}" \
            | grep -o '"token": *"[^"]*"' \
            | cut -d'"' -f4 \
          )
          # note: GITHUB_ENV makes the token visible to every later step of the job;
          # echo "::add-mask::$SYSAND_INDEX_TOKEN" keeps it out of the job log
          echo "SYSAND_CRED_X=${SYSAND_INDEX_URL}/api/v1/**" >> "$GITHUB_ENV"
          echo "SYSAND_CRED_X_BEARER_TOKEN=$SYSAND_INDEX_TOKEN" >> "$GITHUB_ENV"
```
What to do for 0.1.0
Right now, I look to provide .gitlab-ci.yml and .github/workflow/publish.yaml examples that work, are a bit messy, but also link back to the latest version of doing it from some place in our docs.
After 0.1.0, --trusted-publishing
I think we should let sysand publish accept --trusted-publishing, and when that is passed, detect and do what's needed. I think it would then look more like this on GitLab / GitHub respectively:
```yaml
# GitLab CI (.gitlab-ci.yml)
publish:
  image: ghcr.io/sensmetry/sysand:0.1.0-rc.1
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: sysand
  script:
    - |
      sysand publish --trusted-publishing --index https://staging.sysand.com
```
```yaml
# GitHub Actions (.github/workflow/publish.yaml)
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Publish
        run: |
          sysand publish --trusted-publishing --index https://staging.sysand.com
```
Maybe the values github or gitlab could be provided here to not need to automate detection of the environment. Not sure what makes sense.
Practically, it would detect if it's one of the supported environments, initially just GitHub.com and GitLab.com, exchange a short-lived GitLab / GitHub CI token (with permission to be used for exchanges) for a short-lived sysand-index project-scoped token, and then publish using it.
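The detect-and-exchange flow described above, as an added example of what `--trusted-publishing` would have to do internally (this is not sysand's own code). The environment variable names, endpoints and JSON field names are the ones the CI snippets above rely on; the injectable `http` transport and the fail-closed check on an empty reply are my additions.

```python
import json
import os
from urllib.request import Request, urlopen


def _http_json(url, method="GET", headers=None, body=None):
    """Default transport: send the request and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method, headers=headers or {})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detect_ci(env):
    """Return 'gitlab', 'github' or None from the variables the CI job injects."""
    if env.get("GITLAB_OIDC_TOKEN"):          # set by the job's id_tokens: block
        return "gitlab"
    if env.get("ACTIONS_ID_TOKEN_REQUEST_URL") and env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN"):
        return "github"                        # needs permissions: id-token: write
    return None


def fetch_ci_oidc_token(env, provider, http=_http_json, audience="sysand"):
    """Obtain the short-lived CI-issued OIDC token for the detected provider."""
    if provider == "gitlab":
        return env["GITLAB_OIDC_TOKEN"]       # GitLab hands it over directly
    if provider == "github":
        # GitHub requires a call to the runner's token endpoint, with the audience
        url = f"{env['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience={audience}"
        auth = {"Authorization": f"bearer {env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"}
        return http(url, headers=auth)["value"]
    raise RuntimeError("not running in a supported trusted-publishing environment")


def exchange_for_index_token(index_url, ci_token, http=_http_json):
    """Trade the CI OIDC token for a short-lived, project-scoped index token."""
    reply = http(f"{index_url}/api/v1/oidc/token", method="POST",
                 headers={"Content-Type": "application/json"}, body={"token": ci_token})
    token = reply.get("token")
    if not token:                              # fail closed: never publish without one
        raise RuntimeError("index did not return a token")
    return token


def trusted_publishing_credentials(index_url, env=None, http=_http_json):
    """Return the SYSAND_CRED_X* variables the CI snippets above export by hand."""
    env = os.environ if env is None else env
    ci_token = fetch_ci_oidc_token(env, detect_ci(env), http)
    return {"SYSAND_CRED_X": f"{index_url}/api/v1/**",
            "SYSAND_CRED_X_BEARER_TOKEN": exchange_for_index_token(index_url, ci_token, http)}
```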