Release plan
whd
commented
Jun 9, 2026
| default = [] | ||
| validation { | ||
| condition = alltrue( | ||
| [for attribute_specifier in var.gha_attribute_specifiers : |
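Review bot: on the `default = []` and `condition = alltrue(` lines, `alltrue` of an empty list is true, so the default passes this validation without any element being checked. That fits a no-op default, but a one-line comment above `condition` saying so would save the next reader from having to verify it.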
This set of attributes is statically encoded for additional safety but it does introduce an extra manual step if we add and rely on new attributes. I believe the additional plan-time safety is warranted especially since attribute updates are uncommon.
whd
commented
Jun 9, 2026
| circleci = var.wip_name == "circleci" | ||
| # explicit attributes replace all other kinds of assertions | ||
| # explicit attributes replace all other kinds of assertions. A subject | ||
| # specifier maps to a single identity (principal://); all other attributes |
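Review bot: the expanded comment under `circleci = var.wip_name == "circleci"` now carries the rule that a subject specifier maps to `principal://`, and as far as these lines show that rule lives in a comment only. A test or example input with a subject specifier would pin the behaviour, and keeping the same wording next to the GHA logic would keep the two paths in step.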
The 🤖 caught this edge case that wasn't accounted for before. It doesn't affect any existing config and isn't likely to affect any config in the future, but it is technically correct to make this change so I'm fixing it for CircleCI and the new GHA logic has the same logic.
jasonthomas
approved these changes
Jun 10, 2026
jbuck
approved these changes
Jun 10, 2026
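The two review comments above describe a static attribute allow-list checked at plan time and the subject edge case. The following is an added example, not code from this pull request or the module: the variable names, the attribute/value object shape, and the allow-list contents other than repository_ref are assumptions made for illustration.

```hcl
# Added example, not the module's code. Names prefixed example_ and the
# attribute/value object shape are hypothetical; allow-list values are constructed.
variable "example_attribute_specifiers" {
  description = "Attribute assertions to bind to. An empty list adds no attribute-based bindings."
  type = list(object({
    attribute = string # "subject" or a mapped attribute name
    value     = string
  }))
  default = []

  validation {
    # Static allow-list: an unknown or misspelled attribute fails at plan time
    # instead of producing an IAM member that never matches a token.
    # alltrue([]) is true, so the empty default passes.
    condition = alltrue([
      for s in var.example_attribute_specifiers :
      contains(["subject", "repository", "repository_ref"], s.attribute)
    ])
    error_message = "Each attribute must be one of: subject, repository, repository_ref."
  }
}

variable "example_pool_name" {
  description = "Pool resource name: projects/<number>/locations/global/workloadIdentityPools/<pool>."
  type        = string
}

locals {
  # A subject identifies exactly one identity, so it uses principal://.
  # Any other attribute matches a set of identities and uses principalSet://.
  example_members = [
    for s in var.example_attribute_specifiers :
    s.attribute == "subject"
    ? "principal://iam.googleapis.com/${var.example_pool_name}/subject/${s.value}"
    : "principalSet://iam.googleapis.com/${var.example_pool_name}/attribute.${s.attribute}/${s.value}"
  ]
}

output "example_members" {
  value = local.example_members
}
```

Passing an entry whose attribute is outside the list makes `terraform plan` stop with the error message above before any IAM binding is computed.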
Description
This is a no-op against existing configuration but introduces some new GHA options for branch-based OIDC configuration. See the Jira ticket for details.
Most of this is copypasta from the similar CircleCI config. There's a slight difference in precedence for GHA since there's no CircleCI context to consider but I expect only a couple people to ever need to do any advanced configuration.
I reordered the examples to make it clearer that GHA is the preferred CI system.
I've also updated CODEOWNERS to remove the individual members of gcp-wg since they already get reviews on all the things, and in the spirit of https://mozilla-hub.atlassian.net/browse/MZCLD-3214 removed Sven's old CODEOWNER access.
https://github.com/mozilla/global-platform-admin/pull/6590 was required to add the new repository_ref attribute upon which this is based.
Related Tickets & Documents