Are you open to adding Buildkite as a trusted publisher?

[yob]

Buildkite would love to publish it's own gems using OIDC, and we have customers who would benefit from this too.

I've been tested out OIDC and Api Key Roles for that, aiming to get the process documented (see #5296 (comment) and #5376). However, I also noticed that trusted publishers are now a thing, and the doc here says:

We would like to add a simplified workflow to allow gems to be published from “trusted” sources (e.g. github actions) that are configured on the RubyGem level. Heavily inspired by PyPi trusted publishing.

Differences from OIDC API Key Roles

• Not associated with a single user
• Fewer configuration options guides users towards a more secure default path
• Only gives API keys that allow publishing

Those all seem pretty compelling to me, so I'm up for implementing Buildkite as a trusted publisher if you're interested.

My assumption is that this would allow gems to be pushed from Buildkite CI jobs using the new --attestation flag released in rubygems 3.6.0?

Relatedly, I'm working with the sigstore folks to add some additional extensions to certs generated from our OIDC tokens: sigstore/fulcio#1903. I assume that might be helpful for trusted publisher reasons.

cc @sj26

[simi]

🤔 There was some work already done if I remember well at #4159.

[yob]

Yer, that was by my colleague @sj26. I've been experimenting with using Buildkite OIDC tokens via the Api Key Roles feature today and it almost works (and can be fixed easily enough once we decide whether to fix it on our side or rubygems).

Trusted Publishers seems similar, but different? When I open the new trusted provider form for a gem I own, GHA is the only option:

[segiddins]

Yup, we are open to adding buildkite! We were just waiting until someone expressed interest before doing the work ;)