This feature is only available on Chainloop’s platform paid plans.

You can now perform attestations from Gitlab.com runners without the need to use Chainloop API tokens.

To achieve this you’ll need to:

  • Enroll Your Gitlab repositories to Chainloop
  • Send Gitlab token during the attestation process

1 - Enroll Your Gitlab repositories to Chainloop

To make sure you own the repository that the attestation is coming from, you’ll need to onboard your GitLab repository into the Chainloop platform first. This can be done by clicking on the “Add GitLab repositories” button in the repositories section.

Chainloop will only store repositories ID and Name, it will not store repository code.

2 - Send Gitlab token during the attestation process

You are now ready to leverage GitLab’s OIDC tokens from your pipelines. The requirement is to create an ID token that has the chainloop audience.

To achieve this in GitLab, you can add the following snippet to your pipeline yaml file.

id_tokens:
  CHAINLOOP_TOKEN:
    aud: chainloop # make sure the audience is chainloop

A full pipeline example could look like

stages:
  - build

build-job: 
  stage: build
  id_tokens:
    CHAINLOOP_TOKEN:
      aud: chainloop
  script:
    - curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
    - chainloop att init --workflow test-gitlab --project demo
    - chainloop attestation push
  after_script:
    - chainloop attestation reset || true

Note that if you have onboarded the same repository to more than one Chainloop organization, you’ll need to pass the —org flag to the init command, for example.

chainloop att init --workflow test-gitlab --project demo --org my-org