This would enable PyPI users with Bitbucket Pipelines CI/CD to leverage trusted publishing.
An example claim set from a Bitbucket Pipelines repository (anonymized but the structure is saved):
```json
{
  "sub": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}:{stepUuid}",
  "aud": "ari:cloud:bitbucket::workspace/03b741e3-cf4a-41f9-9a59-cec52e21bdc3",
  "stepUuid": "{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}",
  "deploymentEnvironmentUuid": "{xxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxxx}",
  "iss": "https://api.bitbucket.org/2.0/workspaces/atlassian/pipelines-config/identity/oidc",
  "repositoryUuid": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
  "branchName": "xxxxxxxxx",
  "exp": "xxxxxxxxxx",
  "iat": "xxxxxxxxxx",
  "pipelineUuid": "{xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx}",
  "workspaceUuid": "{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}"
}
```
For example, if a user has a project at https://bitbucket.com/atlassian/pypi-publish with a pipeline defined in the bitbucket-pipelines.yml file and a custom deployment named release, then the user would fill the form with the following fields:
- workspace or workspaceUuid
- repository or repositoryUuid
- pipeline_filename (i.e. bitbucket-pipelines.yml)
- deployments_environment (optional)
The guide with configuration details: Integrate Pipelines with resource servers using OIDC | Bitbucket Cloud
Resource server-specific:
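As an added illustration (not PyPI's or Bitbucket's own code), this is how a resource server could bind an already signature-, `exp`- and `iat`-verified Bitbucket Pipelines claim set to a registered publisher: it matches `iss`, `aud`, `workspaceUuid`, `repositoryUuid`, the optional `deploymentEnvironmentUuid`, and cross-checks the repository part of `sub`. The `PublisherConfig` field names, the sample `stepUuid` and the audience handling are assumptions; the UUIDs are taken from the anonymized claim set above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PublisherConfig:
    """What a user registers on the resource server (field names assumed)."""
    issuer: str                  # per-workspace iss value, as in the claim set above
    workspace_uuid: str
    repository_uuid: str
    deployment_environment_uuid: Optional[str] = None  # optional narrowing

def _norm(uuid: str) -> str:
    """Bitbucket wraps UUIDs in braces; compare without them, case-insensitively."""
    return uuid.strip().strip("{}").lower()

def claims_match(claims: dict, cfg: PublisherConfig, audience: str) -> bool:
    """Identity-binding check on a claim set whose signature, exp and iat were
    already verified by the JWT library. True only if every constraint holds."""
    if claims.get("iss") != cfg.issuer or claims.get("aud") != audience:
        return False
    if _norm(claims.get("workspaceUuid", "")) != _norm(cfg.workspace_uuid):
        return False
    if _norm(claims.get("repositoryUuid", "")) != _norm(cfg.repository_uuid):
        return False
    # sub is "{repositoryUuid}:{stepUuid}": its repository part must agree with
    # the repositoryUuid claim, so a token cannot carry an inconsistent binding.
    sub_repo, sep, step = claims.get("sub", "").partition(":")
    if not sep or not step or _norm(sub_repo) != _norm(cfg.repository_uuid):
        return False
    if cfg.deployment_environment_uuid is not None:
        env = claims.get("deploymentEnvironmentUuid", "")
        if _norm(env) != _norm(cfg.deployment_environment_uuid):
            return False
    return True

# Constructed sample, reusing the UUIDs from the anonymized claim set above.
SAMPLE_AUDIENCE = "ari:cloud:bitbucket::workspace/03b741e3-cf4a-41f9-9a59-cec52e21bdc3"
SAMPLE_CONFIG = PublisherConfig(
    issuer="https://api.bitbucket.org/2.0/workspaces/atlassian/pipelines-config/identity/oidc",
    workspace_uuid="{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}",
    repository_uuid="{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
)
SAMPLE_CLAIMS = {
    "iss": SAMPLE_CONFIG.issuer,
    "aud": SAMPLE_AUDIENCE,
    "sub": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}:{11111111-2222-3333-4444-555555555555}",
    "workspaceUuid": "{03b741e3-cf4a-41f9-9a59-cec52e21bdc3}",
    "repositoryUuid": "{d4e45493-4a33-477d-917b-a24e7e4bd39b}",
    "stepUuid": "{11111111-2222-3333-4444-555555555555}",  # constructed
}
```

Note that `pipeline_filename` from the proposed form has no counterpart in the claim set above, so it cannot be enforced from the token alone.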