Keyless Attestations in GitLab

How to configure Chainloop to perform attestation from GitLab without the need to provide Chainloop API tokens.

Written by Miguel Martinez
Updated over 3 weeks ago

You can now perform attestations from GitLab.com runners without using Chainloop API tokens, leveraging GitLab's ephemeral OIDC ID tokens instead.

To achieve this, you'll need to:

  1. Enroll your GitLab repositories in Chainloop

  2. Send the GitLab ID token during the attestation process

1 - Enroll your GitLab repositories in Chainloop

To make sure you own the repository that the attestation is coming from, you'll need to onboard your GitLab repository into the Chainloop platform first. This can be done by clicking on the "Add GitLab repositories" button in the repositories section.

Chainloop only stores the repository ID and name; it does not store repository code.

2 - Send the GitLab ID token during the attestation process

You are now ready to leverage GitLab's OIDC ID tokens from your pipelines. The requirement is to create an ID token whose audience is chainloop, so the token is only valid for Chainloop and cannot be presented to other services.

To achieve this in GitLab, add the following snippet to your pipeline YAML file.

id_tokens:
  CHAINLOOP_TOKEN:
    aud: chainloop # make sure the audience is chainloop

A full pipeline example could look like this:

stages:
  - build

build-job:
  stage: build
  id_tokens:
    CHAINLOOP_TOKEN:          # exposed to the job as $CHAINLOOP_TOKEN
      aud: chainloop
  script:
    - curl -sfL https://docs.chainloop.dev/install.sh | bash -s
    - chainloop att init --workflow test-gitlab --project demo
    - chainloop attestation push
  after_script:
    - chainloop attestation reset || true

Note that if you have onboarded the same repository to more than one Chainloop organization, you'll need to pass the --org flag to the init command, for example:

chainloop att init --workflow test-gitlab --project demo --org my-org
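To see why the audience setting and the repository enrollment above matter together, here is an added example (not Chainloop's own code) of the claim checks a relying party applies to a GitLab ID token once its RS256 signature has been verified against the issuer's JWKS by a JWT library. The issuer URL, the GitLab project_id claim and the constructed sample token are assumptions; the enrolled_project_ids set stands in for the repository IDs stored during enrollment.

```python
"""Claim checks on a GitLab CI ID token minted with ``aud: chainloop``.

Added example, not Chainloop's own code. Assumes the token signature was
already verified against the issuer's JWKS; only the claim policy remains.
"""
import base64
import json
import time
from typing import Optional

GITLAB_ISSUER = "https://gitlab.com"   # issuer of GitLab.com ID tokens (assumption)
EXPECTED_AUD = "chainloop"             # the audience configured under id_tokens


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature).

    Decoding proves nothing on its own; trust the result only after the
    signature has been checked.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, enrolled_project_ids: set,
                 now: Optional[float] = None) -> Optional[str]:
    """Return None when the token is acceptable, else the reason it is not."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITLAB_ISSUER:
        return "unexpected issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:                    # a token minted for another service is refused
        return "token was not minted for the chainloop audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return "token outside its validity window"
    # Step 1 of the guide stores the repository ID; GitLab's project_id claim
    # (assumed here) is what ties the running job to an enrolled repository.
    if str(claims.get("project_id")) not in enrolled_project_ids:
        return "repository not enrolled"
    return None


def make_unsigned_token(claims: dict) -> str:
    """Constructed demo token with an empty signature, for offline use only."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}."
```

A job whose id_tokens block omits aud: chainloop, or a token replayed against another organization's enrollment, fails these checks before any attestation is accepted.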
