
feat: add GitLab CI OIDC detector#302

Merged: cloudsmith-iduffy merged 1 commit into master from iduffy/gitlab-oidc on Jun 10, 2026

Conversation

@cloudsmith-iduffy (Contributor)

Summary

Adds a GitLab CI environment detector to the OIDC credential auto-discovery chain. When the CLI runs inside a GitLab pipeline, it reads an OIDC JWT minted by GitLab's id_tokens configuration and exchanges it for a short-lived Cloudsmith API token — no static API key required.

Behaviour

  • Detects via GITLAB_CI=true plus a token environment variable.
  • Reads the token from CLOUDSMITH_OIDC_TOKEN, falling back to the legacy CI_JOB_JWT_V2 / CI_JOB_JWT variables.
  • Registered ahead of the AWS detector, so a GitLab pipeline that happens to carry incidental AWS credentials still authenticates as GitLab CI.
  • No new dependencies — the token is already present in the job environment, so detection and retrieval are plain env reads.

Usage

job:
  id_tokens:
    CLOUDSMITH_OIDC_TOKEN:
      aud: "https://api.cloudsmith.io/openid/<your-org>"
  script:
    - cloudsmith push ...

The aud must be https://api.cloudsmith.io/openid/<org> — that is the audience the Cloudsmith OIDC endpoint validates.

Testing

  • 10 unit tests covering detection (env-var combinations, GITLAB_CI flag) and token retrieval (preference order, legacy fallback, missing-token error). black/isort/flake8/pylint clean.
  • Verified end-to-end on a real GitLab pipeline: the detector identified the environment, read the GitLab-minted id_token, exchanged it at POST /openid/<org>/ with the service slug, and cloudsmith whoami returned is_authenticated: true as the service account — authenticating purely via OIDC with no API key.

🤖 Generated with Claude Code
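As an added example (not code from this PR or the cloudsmith-cli project), the behaviour described above in plain Python: the GITLAB_CI plus token-variable detection, the CLOUDSMITH_OIDC_TOKEN > CI_JOB_JWT_V2 > CI_JOB_JWT preference order, and a hypothetical AWS stand-in to show why registering GitLab ahead of it matters. It also adds the preflight a practitioner would want: decoding the JWT's aud claim locally so a mis-set id_tokens.aud is caught on the runner before the token is sent for exchange. Class and function names, the sample environment, and the unsigned sample tokens are all constructed for this example; the real AWS detector's logic and the exchange request body are not shown on this page and are not reproduced here.

```python
import base64
import json
from typing import Mapping, Optional, Tuple

# Preference order stated in the PR: the variable minted via `id_tokens` first,
# then GitLab's legacy job-JWT variables as fallbacks.
TOKEN_ENV_VARS = ("CLOUDSMITH_OIDC_TOKEN", "CI_JOB_JWT_V2", "CI_JOB_JWT")

# Audience the Cloudsmith OIDC endpoint validates, per the PR's Usage section.
EXPECTED_AUD_PREFIX = "https://api.cloudsmith.io/openid/"


class MissingTokenError(RuntimeError):
    """Raised when the job looks like GitLab CI but carries no usable token."""


class GitLabCIDetector:
    """Illustrative detector (hypothetical class, not the project's own)."""

    name = "gitlab-ci"

    def detect(self, env: Mapping[str, str]) -> bool:
        # Both must hold: GITLAB_CI=true and at least one non-empty token variable.
        if env.get("GITLAB_CI", "").strip().lower() != "true":
            return False
        return any(env.get(var) for var in TOKEN_ENV_VARS)

    def get_token(self, env: Mapping[str, str]) -> Tuple[str, str]:
        """Return (variable name, token), honouring the preference order."""
        for var in TOKEN_ENV_VARS:
            token = env.get(var)
            if token:
                return var, token
        raise MissingTokenError(
            "GITLAB_CI is set but none of %s is populated; add an id_tokens entry "
            "named CLOUDSMITH_OIDC_TOKEN to the job" % ", ".join(TOKEN_ENV_VARS)
        )


class AWSDetector:
    """Hypothetical stand-in for the AWS detector, only to show chain ordering."""

    name = "aws"

    def detect(self, env: Mapping[str, str]) -> bool:
        return bool(env.get("AWS_ACCESS_KEY_ID"))


# GitLab is registered ahead of AWS, as the PR describes.
DETECTORS = (GitLabCIDetector(), AWSDetector())


def select_detector(env: Mapping[str, str]) -> Optional[str]:
    """The first detector in registration order that matches wins."""
    for detector in DETECTORS:
        if detector.detect(env):
            return detector.name
    return None


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Local preflight only, to catch a mis-set `aud` before the token leaves the
    runner; the Cloudsmith endpoint is what actually validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, org: str) -> bool:
    """True if `aud` (string or list) contains https://api.cloudsmith.io/openid/<org>."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return EXPECTED_AUD_PREFIX + org in auds


def make_unsigned_jwt(claims: dict) -> str:
    """CONSTRUCTED sample token (alg=none, empty signature) for offline demos."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed job environment: a GitLab job that also carries incidental AWS creds.
    env = {
        "GITLAB_CI": "true",
        "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
        "CLOUDSMITH_OIDC_TOKEN": make_unsigned_jwt(
            {"aud": "https://api.cloudsmith.io/openid/acme", "sub": "project_path:acme/app"}),
        "CI_JOB_JWT_V2": make_unsigned_jwt({"aud": "https://gitlab.example.com"}),
    }
    print("detector:", select_detector(env))                              # gitlab-ci
    var, token = GitLabCIDetector().get_token(env)
    print("token from:", var)                                             # CLOUDSMITH_OIDC_TOKEN
    print("aud ok for acme:", check_audience(token, "acme"))              # True
    print("legacy aud ok:", check_audience(env["CI_JOB_JWT_V2"], "acme"))  # False
```

The audience preflight deliberately does not verify the signature: it cannot replace server-side validation, but it turns a vague exchange failure into a clear local error when the id_tokens aud in .gitlab-ci.yml does not match the org, and it makes visible that a token picked up from a legacy variable may carry an audience Cloudsmith will not accept.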

Copilot AI review requested due to automatic review settings June 8, 2026 16:36
@cloudsmith-iduffy cloudsmith-iduffy requested a review from a team as a code owner June 8, 2026 16:36

Copilot AI (Contributor) left a comment

Pull request overview

Adds GitLab CI/CD as a first-class OIDC auto-discovery environment for the CLI’s credential resolution chain, enabling GitLab pipelines to authenticate to Cloudsmith using a GitLab-minted OIDC JWT (instead of a static API key).

Changes:

  • Added a GitLabCIDetector that detects GitLab CI and retrieves an OIDC JWT from CLOUDSMITH_OIDC_TOKEN (with legacy fallbacks).
  • Registered the GitLab detector ahead of the AWS detector in the OIDC environment detection order.
  • Added unit tests for detection behavior and token retrieval precedence, and documented GitLab CI OIDC usage in the README.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File: Description
README.md: Documents GitLab CI OIDC configuration and usage example.
cloudsmith_cli/core/tests/test_gitlab_ci_detector.py: Adds unit tests for GitLab CI detection and token selection behavior.
cloudsmith_cli/core/credentials/oidc/detectors/gitlab_ci.py: Implements the GitLab CI OIDC environment detector.
cloudsmith_cli/core/credentials/oidc/detectors/__init__.py: Registers the GitLab CI detector ahead of AWS in the detection chain.


Review comment threads (collapsed): README.md (2, both outdated); cloudsmith_cli/core/credentials/oidc/detectors/gitlab_ci.py (2, one outdated).

@BartoszBlizniak (Member) left a comment

pre-apprv

Add GitLab CI to OIDC credential auto-discovery. When running in GitLab
CI/CD, the CLI reads the OIDC token from CLOUDSMITH_OIDC_TOKEN (configured
via id_tokens in .gitlab-ci.yml, with legacy fallbacks to CI_JOB_JWT_V2 and
CI_JOB_JWT) and exchanges it for a Cloudsmith access token. Works out of the
box with no extra dependencies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cloudsmith-iduffy cloudsmith-iduffy merged commit 792d9d6 into master Jun 10, 2026
40 checks passed
@cloudsmith-iduffy cloudsmith-iduffy deleted the iduffy/gitlab-oidc branch June 10, 2026 19:18

3 participants