Support keyless signing when CI config is located outside of the project
In Add claims to ID token to support Fulcio integr... (#404722 - closed), we added ci_config_ref_uri and ci_config_sha claims to the ID token in order to support keyless signing with Sigstore. The first iteration only populates these two claims when the CI config is located within the project.
In order to expand support for keyless signing, we should populate ci_config_ref_uri and ci_config_sha when the CI config is located outside of the project (e.g. AutoDevOps, CI config in another repo, CI config coming from arbitrary URL, bridge pipelines, compliance pipelines).
Edited by Alishan Ladhani
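A relying-party policy check on the two claims discussed above, as an added example that is not GitLab's or Sigstore's code. It assumes the token signature was already verified, and the `<host>/<project path>//<file>@<ref>` layout of `ci_config_ref_uri`, the function name and all sample values are assumptions made for illustration.

```python
import re

# Assumed claim layout (not stated on the page):
#   <host>/<project path>//<config file>@<git ref>
REF_URI = re.compile(
    r"^(?P<host>[^/@]+)/(?P<project>[^@]+?)//(?P<file>[^@]+)@(?P<ref>.+)$"
)
# Full-length commit id only (SHA-1 or SHA-256 repository), never an abbreviation.
COMMIT_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def check_ci_config_claims(claims, trusted_sources):
    """Policy check on ID token claims whose signature was already verified.

    trusted_sources: set of "<host>/<project path>" strings that are allowed
    to supply the CI config. Returns (accepted, reason).
    """
    uri = claims.get("ci_config_ref_uri")
    sha = claims.get("ci_config_sha")
    if not isinstance(uri, str) or not isinstance(sha, str):
        # Fail closed: without these claims the token says nothing about
        # which pipeline definition produced the artifact.
        return False, "ci_config claims absent"
    match = REF_URI.match(uri)
    if match is None:
        return False, "ci_config_ref_uri not parseable"
    if COMMIT_SHA.match(sha) is None:
        return False, "ci_config_sha is not a full commit SHA"
    source = f"{match['host']}/{match['project']}"
    if source not in trusted_sources:
        return False, f"untrusted CI config source: {source}"
    return True, f"{match['file']} from {source} at {sha}"


# Constructed sample data, not taken from a real token.
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"
TRUSTED = {
    "gitlab.example.com/my-group/app",        # the project itself
    "gitlab.example.com/sec/ci-templates",    # shared config repository
}
EXTERNAL_CONFIG = {
    "ci_config_ref_uri": "gitlab.example.com/sec/ci-templates//build.yml@refs/heads/main",
    "ci_config_sha": SAMPLE_SHA,
}
```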