Closed
Description
I work for Buildkite, and have been experimenting with using an API Key Role for publishing a personal gem from CI (pdf-reader).
Clicking the link from the gem page (https://rubygems.org/profile/oidc/api_key_roles/new?rubygem=pdf-reader&scopes%5B%5D=push_rubygem), I was able to create an API Key Role from the gem page (starts with rg_oidc_akr_meof
, now revoked), however after clicking the Create Api Key Role
button and the page reloading, the policy has a principal for Github Actions:
To fix it I can edit the token, then make a hidden form element visible and type in the Buildkite issuer:
Then, clicking the Update Api Key Role
button saves the correct value:
Environment
Browser and its version: Firefox 133.0.3, Linux
Activity
yob commentedon Jan 30, 2025
Oh, I think it might be this?
For a gem that declares its source code is hosted on github (like pdf-reader, the one I tested with) then the api key roles controller sets the provider to Github Actions when rendering the new form.
Then the principal input is rendered on the form but hidden, so the user doesn't get a chance to see or change it.
I also note that
OIDC::ApiKeyRole
has a before validation callback (set_statement_principals
) that will set a default principal when the new form is submitted.I'm happy to open a PR with a fix and test case, and I think the
==
change above would do it... but would removing the hidden principal input from the form all together also work? Happy to follow your guidance.