Skip to content

Creating an API Key Role for Buildkite results in an access policy that requires Github Actions  #5376

Closed
@yob

Description

I work for Buildkite, and have been experimenting with using an API Key Role for publishing a personal gem from CI (pdf-reader).

Clicking the link from the gem page (https://rubygems.org/profile/oidc/api_key_roles/new?rubygem=pdf-reader&scopes%5B%5D=push_rubygem), I was able to create an API Key Role from the gem page (starts with rg_oidc_akr_meof, now revoked), however after clicking the Create Api Key Role button and the page reloading, the policy has a principal for Github Actions:

2025-01-07_18-34

To fix it I can edit the token, then make a hidden form element visible and type in the Buildkite issuer:

2025-01-07_18-36

Then, clicking the Update Api Key Role button saves the correct value:

2025-01-07_18-37

Environment

Browser and its version: Firefox 133.0.3, Linux

Activity

yob

yob commented on Jan 30, 2025

@yob
ContributorAuthor

Oh, I think it might be this?

diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
index b0322f589..29d065b07 100644
--- a/app/controllers/oidc/api_key_roles_controller.rb
+++ b/app/controllers/oidc/api_key_roles_controller.rb
@@ -134,7 +134,7 @@ class OIDC::ApiKeyRolesController < ApplicationController
 
     return unless rubygem
     return unless (gh = helpers.link_to_github(rubygem)).presence
-    return unless (@api_key_role.provider = OIDC::Provider.github_actions)
+    return unless (@api_key_role.provider == OIDC::Provider.github_actions)
 
     statement.principal = { oidc: @api_key_role.provider.issuer }

For a gem that declares its source code is hosted on github (like pdf-reader, the one I tested with) then the api key roles controller sets the provider to Github Actions when rendering the new form.

Then the principal input is rendered on the form but hidden, so the user doesn't get a chance to see or change it.

I also note that OIDC::ApiKeyRole has a before validation callback (set_statement_principals) that will set a default principal when the new form is submitted.

I'm happy to open a PR with a fix and test case, and I think the == change above would do it... but would removing the hidden principal input from the form all together also work? Happy to follow your guidance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      Creating an API Key Role for Buildkite results in an access policy that requires Github Actions · Issue #5376 · rubygems/rubygems.org