Creating an API Key Role for Buildkite results in an access policy that requires Github Actions

[yob]

I work for Buildkite, and have been experimenting with using an API Key Role for publishing a personal gem from CI (pdf-reader).

Clicking the link from the gem page (https://rubygems.org/profile/oidc/api_key_roles/new?rubygem=pdf-reader&scopes%5B%5D=push_rubygem), I was able to create an API Key Role from the gem page (starts with rg_oidc_akr_meof, now revoked), however after clicking the Create Api Key Role button and the page reloading, the policy has a principal for Github Actions:

To fix it I can edit the token, then make a hidden form element visible and type in the Buildkite issuer:

Then, clicking the Update Api Key Role button saves the correct value:

Environment

Browser and its version: Firefox 133.0.3, Linux

[yob]

Oh, I think it might be this?

diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
index b0322f589..29d065b07 100644
--- a/app/controllers/oidc/api_key_roles_controller.rb
+++ b/app/controllers/oidc/api_key_roles_controller.rb
@@ -134,7 +134,7 @@ class OIDC::ApiKeyRolesController < ApplicationController
 
     return unless rubygem
     return unless (gh = helpers.link_to_github(rubygem)).presence
-    return unless (@api_key_role.provider = OIDC::Provider.github_actions)
+    return unless (@api_key_role.provider == OIDC::Provider.github_actions)
 
     statement.principal = { oidc: @api_key_role.provider.issuer }

For a gem that declares its source code is hosted on github (like pdf-reader, the one I tested with) then the api key roles controller sets the provider to Github Actions when rendering the new form.

Then the principal input is rendered on the form but hidden, so the user doesn't get a chance to see or change it.

I also note that OIDC::ApiKeyRole has a before validation callback (set_statement_principals) that will set a default principal when the new form is submitted.

I'm happy to open a PR with a fix and test case, and I think the == change above would do it... but would removing the hidden principal input from the form all together also work? Happy to follow your guidance.