add support for --root-issuer when generating CCI claims by meeech · Pull Request #438 · di/id

meeech · 2026-01-28T22:15:24Z

make this default behaviour

di · 2026-01-28T22:27:04Z

/gcbrun

meeech · 2026-01-28T22:31:23Z

@di sorry - reviewing contrib rules, realized i hadnt signed or updated the changelog, so did some force pushing

di · 2026-01-28T22:35:07Z

Hmm, looks like our circleci config was only configured to run on pushes to main, I've changed the trigger to be on pushes to PRs or the default branch.

Opening/closing to see if I can kick off that job.

di · 2026-01-28T22:36:02Z

Doesn't seem like it worked. @meeech can you force-push here again?

di · 2026-01-28T22:46:06Z

Not sure what I'm missing. AFAICT circleci is configured to run on PRs: https://github.com/di/id/blob/main/.circleci/config.yml

Here's the settings:

meeech · 2026-01-28T22:46:14Z

I dont know if it will kick off on my PR if you dont have this enabled -

di · 2026-01-28T22:47:08Z

Aha, that should do it. Mind pushing again?

make this default behaviour di#437 Signed-off-by: meeech <4623+meeech@users.noreply.github.com>

meeech · 2026-01-28T23:01:44Z

@di let me set it up on my fork and see why the cci job failing

meeech · 2026-01-28T23:12:08Z

OOOOO - duh on me. @di this is working as expected. A fork is not allowed to access OIDC token for the parent project. So this is behaving as designed for security reasons.

You can see my run here https://app.circleci.com/pipelines/github/meeech/id/2

di · 2026-01-29T01:36:49Z

Ah, makes sense. At the very least, I think we will want to fail more gracefully when the ambient credential is not present.

meeech · 2026-01-29T03:05:42Z

@di So I've updated ambient to use stderr. I think that was the mistake. Otherwise, what sort of graceful fail would you like to see? There error seems pretty clear about the source of the fail

question: should I make the same change for the buildkite code? it also references process.stdout for the error message.

CircleCI: the `circleci` tool encountered an error: oidc: error: failed to get oidc token: this project does not allow issuing tokens to forks
Error: exit status 1: oidc: error: failed to get oidc token: this project does not allow issuing tokens to forks

as far as the pipeline goes, we could make that 'sniff' if its a fork (env var CIRCLE_OIDC_TOKEN would be missing from the pipeline), so we could deliver the same message in the pipeline, but that feel redundant since the circleci binary gives a pretty clear message about why it failed.

Anyhow, I'm pretty flexible so let me know what you prefer

di · 2026-01-29T14:23:05Z

There error seems pretty clear about the source of the fail

Yes, this works, thanks! I think we're good.

di · 2026-01-29T14:23:16Z

/gcbrun

di · 2026-01-29T14:24:36Z

@meeech Looks like you need to update the tests to match c432b86.

meeech · 2026-01-29T14:28:00Z

@di will do. what about buildkite? want to keep it stdout for the error?

…ircleci binary This then produces an error message of ``` CircleCI: the `circleci` tool encountered an error: oidc: error: failed to get oidc token: this project does not allow issuing tokens to forks Error: exit status 1: oidc: error: failed to get oidc token: this project does not allow issuing tokens to forks ``` Signed-off-by: meeech <4623+meeech@users.noreply.github.com>

di · 2026-01-29T14:39:16Z

/gcbrun

meeech force-pushed the use-root-issuer-cci branch 2 times, most recently from 6a9442c to 2d57461 Compare January 28, 2026 22:30

meeech force-pushed the use-root-issuer-cci branch from 2d57461 to e06e769 Compare January 28, 2026 22:32

di closed this Jan 28, 2026

di reopened this Jan 28, 2026

meeech force-pushed the use-root-issuer-cci branch from e06e769 to e183c41 Compare January 28, 2026 22:37

add support for --root-issuer when generating CircleCI OIDC token

8138558

make this default behaviour di#437 Signed-off-by: meeech <4623+meeech@users.noreply.github.com>

meeech force-pushed the use-root-issuer-cci branch from e183c41 to 8138558 Compare January 28, 2026 22:50

meeech mentioned this pull request Jan 28, 2026

add support for new circleci root issuer sigstore/fulcio#2278

Merged

woodruffw mentioned this pull request Jan 29, 2026

CircleCI support astral-sh/ambient-id#22

Merged

meeech force-pushed the use-root-issuer-cci branch from c432b86 to b49bae0 Compare January 29, 2026 14:30

di approved these changes Jan 29, 2026

View reviewed changes

di merged commit 4a95f5c into di:main Jan 29, 2026
15 checks passed

meeech mentioned this pull request Jan 30, 2026

Add circleci to pypi attestations pypi/pypi-attestations#166

Merged

3 tasks

Conversation

meeech commented Jan 28, 2026

Uh oh!

di commented Jan 28, 2026

Uh oh!

meeech commented Jan 28, 2026

Uh oh!

di commented Jan 28, 2026

Uh oh!

di commented Jan 28, 2026

Uh oh!

di commented Jan 28, 2026

Uh oh!

meeech commented Jan 28, 2026

Uh oh!

di commented Jan 28, 2026

Uh oh!

meeech commented Jan 28, 2026

Uh oh!

meeech commented Jan 28, 2026

Uh oh!

di commented Jan 29, 2026

Uh oh!

meeech commented Jan 29, 2026

Uh oh!

di commented Jan 29, 2026

Uh oh!

di commented Jan 29, 2026

Uh oh!

di commented Jan 29, 2026

Uh oh!

meeech commented Jan 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

di commented Jan 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

meeech commented Jan 29, 2026 •

edited

Loading