30 changes: 30 additions & 0 deletions sigstore/_internal/oidc/ambient.py
Expand Up @@ -18,6 +18,8 @@

import logging
import os
import shutil
import subprocess
from typing import Optional

import requests
Expand Down Expand Up @@ -191,3 +193,31 @@ def detect_gcp() -> Optional[str]:

logger.debug("GCP: successfully requested OIDC token")
return resp.text


def detect_buildkite() -> Optional[str]:
logger.debug("BuildKite: looking for OIDC credentials")
if not os.getenv("BUILDKITE"):
logger.debug("BuildKite: environment doesn't look like BuildKite; giving up")
return None

# Check that the BuildKite agent executable exists in the `PATH`.
if shutil.which("buildkite-agent") is None:
raise AmbientCredentialError(
"BuildKite: could not find BuildKite agent in BuildKite environment"
)

# Now query the agent for a token.
process = subprocess.run(
["buildkite-agent", "oidc", "request-token", "--audience", "sigstore"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True,
)

if process.returncode != 0:
raise AmbientCredentialError(
f"BuildKite: the BuildKite agent encountered an error: {process.stdout}"
)

return process.stdout.strip()
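Review bot: The `AmbientCredentialError` raised on a non-zero exit at the end of the hunk reports `process.stdout`, while `stderr` is captured into a pipe and then dropped; the agent's diagnostic is more likely to be on stderr, so `f"BuildKite: the BuildKite agent encountered an error: {process.stderr}"` (or both streams) would give callers a useful message. `detect_buildkite` also has no docstring, unlike the detectors it sits next to; something like `"""Detect and return an OIDC token for the `sigstore` audience from the BuildKite agent, or `None` when not running under BuildKite."""` would match the module's style. The `shutil.which` check and the `subprocess.run` call resolve `buildkite-agent` through `PATH` independently; passing the path returned by `shutil.which` as `argv[0]` keeps the existence check and the executable actually invoked consistent. A `timeout=` on `subprocess.run` may also be worth considering so a hung agent cannot block credential detection indefinitely, though whether that fits the other detectors' behaviour is not visible here.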
14 changes: 11 additions & 3 deletions sigstore/oidc.py
Expand Up @@ -205,9 +205,17 @@ def detect_credential() -> Optional[str]:
Raises `AmbientCredentialError` if any detector fails internally (i.e.
detects a credential, but cannot retrieve it).
"""
from sigstore._internal.oidc.ambient import detect_gcp, detect_github

detectors: List[Callable[..., Optional[str]]] = [detect_github, detect_gcp]
from sigstore._internal.oidc.ambient import (
detect_buildkite,
detect_gcp,
detect_github,
)

detectors: List[Callable[..., Optional[str]]] = [
detect_github,
detect_gcp,
detect_buildkite,
]
for detector in detectors:
credential = detector()
if credential is not None:
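Review bot: The new `detect_buildkite` entry in `detectors` is not reflected in `detect_credential`'s docstring, whose visible tail above the import documents only the `AmbientCredentialError` contract; if the part of the docstring outside the hunk enumerates the supported ambient environments, BuildKite should be listed there alongside the existing ones. `detect_credential` starts before the hunk and continues after it.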