cchristous commented Nov 14, 2025

This attempts to implement #18882.

The automated tests are all passing, but I don't have confidence this actually works because I don't know how to test the actual integration. I have access to and familiarity with Semaphore, and I could test using the 2 SaaS services, if the warehouse were deployed. Though, I am hoping there is an easier way to test this, so I could use some guidance on how to proceed.

cchristous marked this pull request as ready for review November 14, 2025 05:15
cchristous requested a review from a team as a code owner November 14, 2025 05:15

from sqlalchemy.orm import Session


SEMAPHORE_OIDC_ISSUER_URL_SUFFIX = ".semaphoreci.com"
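
Review bot: `SEMAPHORE_OIDC_ISSUER_URL_SUFFIX` on the last line is a bare host suffix with no comment saying which full issuer form it is meant to accept or how it is compared. Please document the expected shape next to the constant, and make sure the check that uses it compares the parsed hostname of an `https` URL rather than the raw issuer string, since a string-level suffix test also passes when the suffix appears in a path or query.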

Member

This is interesting! Generally our model has been either to support a specific issuer URL or to support custom issuer URLs on a per-organization basis.

Does this mean that there is a different issuer for every SemaphoreCI project? Or generally, what are the expected values here?

Author

> Does this mean that there is a different issuer for every SemaphoreCI project? Or generally, what are the expected values here?

Yes, the expected values are of the format https://<org-name>.semaphoreci.com where org-name is the name of the Semaphore organization (not the GitHub organization). Ref https://docs.semaphore.io/reference/openid#reference.
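
An added example, not part of the PR or of Warehouse's code: one way to accept only issuers of the `https://<org-name>.semaphoreci.com` form described in the reply above, next to a suffix-only comparison for contrast. The function names, the sample values and the rule that `<org-name>` is a single lowercase DNS label are assumptions.

```python
import re
from typing import Optional

# Same value as the constant in the PR snippet.
SEMAPHORE_OIDC_ISSUER_URL_SUFFIX = ".semaphoreci.com"

# Assumption: <org-name> is a single lowercase DNS label (1-63 characters,
# no leading or trailing hyphen). Adjust if Semaphore documents otherwise.
_ISSUER_RE = re.compile(
    r"https://([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    + re.escape(SEMAPHORE_OIDC_ISSUER_URL_SUFFIX)
)


def suffix_only_check(issuer: str) -> bool:
    """String-level suffix comparison, kept only for contrast."""
    return issuer.endswith(SEMAPHORE_OIDC_ISSUER_URL_SUFFIX)


def semaphore_org_from_issuer(issuer: str) -> Optional[str]:
    """Return <org-name> only for exactly https://<org-name>.semaphoreci.com."""
    # fullmatch anchors both ends, so a trailing slash, newline, port,
    # userinfo, path or query all cause rejection.
    match = _ISSUER_RE.fullmatch(issuer)
    return match.group(1) if match else None


# Constructed `iss` values for illustration; none come from the PR.
SAMPLES = [
    "https://acme.semaphoreci.com",
    "http://acme.semaphoreci.com",
    "https://acme.semaphoreci.com/",
    "https://a.b.semaphoreci.com",
    "https://idp.example/.semaphoreci.com",
    "https://idp.example?x=.semaphoreci.com",
    "https://ACME.semaphoreci.com",
    "https://.semaphoreci.com",
]


def compare(samples=SAMPLES):
    """Return (issuer, suffix_only_result, strict_org) for each sample."""
    return [(s, suffix_only_check(s), semaphore_org_from_issuer(s)) for s in samples]


if __name__ == "__main__":
    for issuer, loose, org in compare():
        print(f"{issuer!r:45} suffix_only={loose!s:5} strict={org}")
```

The returned organization label, not just a boolean, is what a per-publisher lookup would then compare against the configured Semaphore organization.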

di (Member) commented Nov 14, 2025

> The automated tests are all passing, but I don't have confidence this actually works because I don't know how to test the actual integration. I have access to and familiarity with Semaphore, and I could test using the 2 SaaS services, if the warehouse were deployed. Though, I am hoping there is an easier way to test this, so I could use some guidance on how to proceed.

I think the best way to test this would be to put it behind a feature flag and enable it only for test.pypi.org first.

di (Member) commented Nov 20, 2025

@cchristous FYI you have linting errors here

cchristous (Author)

> @cchristous FYI you have linting errors here

I thought I had everything passing, but clearly not. Sorry about that. I ran make tests and make lint and fixed issues, and now they are both passing.

cchristous requested a review from di December 17, 2025 13:50