Add support for reusable workflows in trusted publishing

This change addresses issue #4294 by adding optional fields to specify
a different repository for the workflow source when using GitHub Actions
reusable workflows.

When a repository calls a reusable workflow from a different repository,
the OIDC token's `job_workflow_ref` claim points to the reusable workflow's
location, not the caller's workflow. Previously, RubyGems trusted publishing
only supported workflows defined in the same repository as the caller.

Security: Still validates caller repository against repository_owner/name,
preventing unauthorized repositories from publishing via shared workflows

Example configuration for a gem using a shared release workflow:
- repository_owner: "my-org" (the gem's repo
- repository_name: my-gem
- workflow_filename: shared-release.yml
- workflow_repository_owner: shared-org (the shared workflow's repo)
- workflow_repository_name: shared-workflows

Author: cseeman

app/models/oidc/trusted_publisher/github_action.rb

@@ -11,23 +11,38 @@ class OIDC::TrustedPublisher::GitHubAction < ApplicationRecord
   validates :repository_owner, :repository_name, :workflow_filename, :repository_owner_id,
     presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
   validates :environment, allow_nil: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
+  validates :workflow_repository_owner, :workflow_repository_name,
+    allow_nil: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
 
   validate :unique_publisher
   validate :workflow_filename_format
+  validate :workflow_repository_fields_consistency
 
   def self.for_claims(claims)
     repository = claims.fetch(:repository)
     repository_owner, repository_name = repository.split("/", 2)
-    workflow_prefix = "#{repository}/.github/workflows/"
-    workflow_ref = claims.fetch(:job_workflow_ref).delete_prefix(workflow_prefix)
-    workflow_filename = workflow_ref.sub(/@[^@]+\z/, "")
+    job_workflow_ref = claims.fetch(:job_workflow_ref)
+
+    match = job_workflow_ref.match(%r{\A([^/]+)/([^/]+)/\.github/workflows/([^@]+)@})
+    raise ActiveRecord::RecordNotFound, "Invalid job_workflow_ref format" unless match
+
+    workflow_repo_owner, workflow_repo_name, workflow_filename = match.captures
 
     required = {
       repository_owner:, repository_name:, workflow_filename:,
       repository_owner_id: claims.fetch(:repository_owner_id)
     }
 
     base = where(required)
+
+    same_repo = workflow_repo_owner == repository_owner && workflow_repo_name == repository_name
+    base = if same_repo
+             base.where(workflow_repository_owner: workflow_repo_owner, workflow_repository_name: workflow_repo_name)
+               .or(base.where(workflow_repository_owner: nil, workflow_repository_name: nil))
+           else
+             base.where(workflow_repository_owner: workflow_repo_owner, workflow_repository_name: workflow_repo_name)
+           end
+
     if (env = claims[:environment])
       base.where(environment: env).or(base.where(environment: nil)).order(environment: :asc) # NULLS LAST by default for asc
     else
@@ -36,13 +51,17 @@ def self.for_claims(claims)
   end
 
   def self.permitted_attributes
-    %i[repository_owner repository_name workflow_filename environment]
+    %i[repository_owner repository_name workflow_filename environment
+       workflow_repository_owner workflow_repository_name]
   end
 
   def self.build_trusted_publisher(params)
-    params = params.reverse_merge(repository_owner_id: nil, repository_name: nil, workflow_filename: nil, environment: nil)
+    params = params.reverse_merge(repository_owner_id: nil, repository_name: nil, workflow_filename: nil, environment: nil,
+                                  workflow_repository_owner: nil, workflow_repository_name: nil)
     params.delete(:repository_owner_id)
     params[:environment] = nil if params[:environment].blank?
+    params[:workflow_repository_owner] = nil if params[:workflow_repository_owner].blank?
+    params[:workflow_repository_name] = nil if params[:workflow_repository_name].blank?
     find_or_initialize_by(params)
   end
 
@@ -55,7 +74,9 @@ def payload
       repository_name:,
       repository_owner_id:,
       workflow_filename:,
-      environment:
+      environment:,
+      workflow_repository_owner:,
+      workflow_repository_name:
     }
   end
 
@@ -98,7 +119,7 @@ def job_workflow_ref_condition(ref)
     OIDC::AccessPolicy::Statement::Condition.new(
       operator: "string_equals",
       claim: "job_workflow_ref",
-      value: "#{repository}/#{workflow_slug}@#{ref}"
+      value: "#{workflow_repository}/#{workflow_slug}@#{ref}"
     )
   end
 
@@ -127,7 +148,7 @@ def initialize(trusted_publisher)
     def verify(cert)
       ref = cert.openssl.find_extension("1.3.6.1.4.1.57264.1.14")&.value_der&.then { OpenSSL::ASN1.decode(it).value }
       Sigstore::Policy::Identity.new(
-        identity: "https://github.com/#{@trusted_publisher.repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
+        identity: "https://github.com/#{@trusted_publisher.workflow_repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
         issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
       ).verify(cert)
     end
@@ -145,6 +166,14 @@ def name
 
   def repository = "#{repository_owner}/#{repository_name}"
 
+  def workflow_repository
+    if workflow_repository_owner.present? && workflow_repository_name.present?
+      "#{workflow_repository_owner}/#{workflow_repository_name}"
+    else
+      repository
+    end
+  end
+
   def workflow_slug = ".github/workflows/#{workflow_filename}"
 
   def owns_gem?(rubygem) = rubygem_trusted_publishers.exists?(rubygem: rubygem)
@@ -169,7 +198,9 @@ def unique_publisher
       repository_name: repository_name,
       repository_owner_id: repository_owner_id,
       workflow_filename: workflow_filename,
-      environment: environment
+      environment: environment,
+      workflow_repository_owner: workflow_repository_owner,
+      workflow_repository_name: workflow_repository_name
     )
 
     errors.add(:base, "publisher already exists")
@@ -181,4 +212,13 @@ def workflow_filename_format
     errors.add(:workflow_filename, "must end with .yml or .yaml") unless /\.ya?ml\z/.match?(workflow_filename)
     errors.add(:workflow_filename, "must be a filename only, without directories") if workflow_filename.include?("/")
   end
+
+  def workflow_repository_fields_consistency
+    owner_present = workflow_repository_owner.present?
+    name_present = workflow_repository_name.present?
+
+    return if owner_present == name_present
+
+    errors.add(:base, "workflow_repository_owner and workflow_repository_name must both be set or both be blank")
+  end
 end

app/views/components/oidc/trusted_publisher/github_action/form_component.rb

@@ -9,6 +9,8 @@ def view_template
       field trusted_publisher_form, :text_field, :repository_name, autocomplete: :off
       field trusted_publisher_form, :text_field, :workflow_filename, autocomplete: :off
       field trusted_publisher_form, :text_field, :environment, autocomplete: :off, optional: true
+      field trusted_publisher_form, :text_field, :workflow_repository_owner, autocomplete: :off, optional: true
+      field trusted_publisher_form, :text_field, :workflow_repository_name, autocomplete: :off, optional: true
     end
   end
 

config/locales/de.yml

@@ -94,6 +94,8 @@ de:
         api_key_permissions: API-Schlüsselberechtigungen
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHub Repository-Besitzer-ID
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem-Name
     errors:
@@ -1042,6 +1044,8 @@ de:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

config/locales/en.yml

@@ -91,6 +91,8 @@ en:
         api_key_permissions: API Key Permissions
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHub Repository Owner ID
+        workflow_repository_owner: Workflow Repository Owner
+        workflow_repository_name: Workflow Repository Name
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem name
     errors:
@@ -971,6 +973,12 @@ en:
           The name of the <a href="https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment">GitHub Actions environment</a> that the above workflow uses for publishing.<br>
           This should be configured under the repository's settings.<br>
           While not required, a dedicated publishing environment is strongly encouraged, especially if your repository has maintainers with commit access who shouldn't have RubyGems.org gem push access.
+        workflow_repository_owner_help_html: |
+          <strong>For <a href="https://docs.github.com/en/actions/sharing-automations/reusing-workflows">reusable workflows</a> only:</strong> The GitHub organization or username that owns the repository containing the reusable workflow file.<br>
+          Leave blank if the workflow is defined in the same repository as above (the common case).
+        workflow_repository_name_help_html: |
+          <strong>For <a href="https://docs.github.com/en/actions/sharing-automations/reusing-workflows">reusable workflows</a> only:</strong> The name of the repository containing the reusable workflow file.<br>
+          Leave blank if the workflow is defined in the same repository as above (the common case).
       pending:
         rubygem_name_help_html: "The gem (on RubyGems.org) that will be created when this publisher is used"
   duration:

config/locales/es.yml

@@ -92,6 +92,8 @@ es:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -1088,6 +1090,8 @@ es:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

config/locales/fr.yml

@@ -91,6 +91,8 @@ fr:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -999,6 +1001,8 @@ fr:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

config/locales/ja.yml

@@ -87,6 +87,8 @@ ja:
         api_key_permissions: APIキーのパーミッション
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHubリポジトリの所有者ID
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem名
     errors:
@@ -990,6 +992,8 @@ ja:
           これはリポジトリの設定で構成されていると良いでしょう。<br>
           必須ではありませんが、個別の公開環境は強く推奨されます。
           特にリポジトリに、コミットアクセスを持つがRubyGems.orgへのgemのプッシュアクセスを持つべきではないメンテナがいるときが該当します。
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html: "（RubyGems.orgの）gemはこの発行元が使われたときに作られます"
   duration:

config/locales/nl.yml

@@ -86,6 +86,8 @@ nl:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -956,6 +958,8 @@ nl:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

config/locales/pt-BR.yml

@@ -91,6 +91,8 @@ pt-BR:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -978,6 +980,8 @@ pt-BR:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

config/locales/zh-CN.yml

@@ -87,6 +87,8 @@ zh-CN:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -970,6 +972,8 @@ zh-CN:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration: