From 11440662bd45ada7b83cfcfcf6df32eaf4410d28 Mon Sep 17 00:00:00 2001
From: Michael Trainor
Date: Tue, 30 Sep 2025 10:58:27 +1000
Subject: [PATCH 1/2] Add bridge claim mapper

---
 lib/gitlab/ci/jwt_v2/claim_mapper.rb | 3 +-
 lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb | 31 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb

diff --git a/lib/gitlab/ci/jwt_v2/claim_mapper.rb b/lib/gitlab/ci/jwt_v2/claim_mapper.rb
index c51c6114737f30..aefa05b9c708c4 100644
--- a/lib/gitlab/ci/jwt_v2/claim_mapper.rb
+++ b/lib/gitlab/ci/jwt_v2/claim_mapper.rb
@@ -5,7 +5,8 @@ module Ci
 class JwtV2
 class ClaimMapper
 MAPPER_FOR_CONFIG_SOURCE = {
- repository_source: ClaimMapper::Repository
+ repository_source: ClaimMapper::Repository,
+ bridge_source: ClaimMapper::Bridge
 }.freeze
 
 def initialize(project_config, pipeline)
diff --git a/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb b/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb
new file mode 100644
index 00000000000000..fdc3cd571deb06
--- /dev/null
+++ b/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Ci
+ class JwtV2
+ class ClaimMapper
+ class Bridge
+ def initialize(project_config, pipeline)
+ @project_config = project_config
+ @pipeline = pipeline
+ end
+
+ def to_h
+ {
+ ci_config_ref_uri: ci_config_ref_uri,
+ ci_config_sha: pipeline.sha
+ }
+ end
+
+ private
+
+ attr_reader :project_config, :pipeline
+
+ def ci_config_ref_uri
+ "#{project_config.url}@#{pipeline.source_ref_path}"
+ end
+ end
+ end
+ end
+ end
+end
-- 
GitLab

From 62b4485369c7a4acf372356a3e94292b8c9e650f Mon Sep 17 00:00:00 2001
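Review bot: In `lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb`, `ci_config_sha: pipeline.sha` in `to_h` asserts that a child pipeline's configuration is the content at the pipeline's commit, and nothing in the class establishes that for a bridge source. If a bridge configuration can come from anything other than a repository file at that commit, for instance a generated artifact or a file from another project (inferred; the config assembly is not part of this diff), a verifier matching on `ci_config_ref_uri` and `ci_config_sha` would rely on a value the token issuer has not checked. Emit the two claims only when the configuration is known to be a file at `pipeline.sha`, or at least add a class comment such as `# ci_config_sha is the pipeline's commit (pipeline.sha), not a digest of the child configuration content`. Separately, `ci_config_ref_uri` interpolates `project_config.url` unchecked, so a nil url produces a claim beginning with `@`; `return unless project_config.url` as the first line of that method would keep a malformed URI out of the signed token.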
From: Michael Trainor
Date: Tue, 7 Oct 2025 13:16:38 +1000
Subject: [PATCH 2/2] Add url to ProjectConfig::Bridge for JWT claim generation

Child pipelines need ci_config_ref_uri claims for SLSA provenance and keyless signing
---
 lib/gitlab/ci/project_config/bridge.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/gitlab/ci/project_config/bridge.rb b/lib/gitlab/ci/project_config/bridge.rb
index 45aa330508fa3e..fec526966a688c 100644
--- a/lib/gitlab/ci/project_config/bridge.rb
+++ b/lib/gitlab/ci/project_config/bridge.rb
@@ -18,6 +18,12 @@ def internal_include_prepended?
 def source
 :bridge_source
 end
+
+ def url
+ return unless source == :bridge_source
+
+ File.join(Settings.build_server_fqdn, project.full_path, '//', ci_config_path)
+ end
 end
 end
 end
-- 
GitLab
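Review bot: The guard `return unless source == :bridge_source` in `url` can never fire as written, because `source` directly above returns `:bridge_source` unconditionally; it reads like a safety check but adds none, so drop it or replace it with a condition that can actually be false for this class. The more important open question is what `ci_config_path` resolves to, since it is defined outside this hunk: if it is the project's configured CI file rather than the file the trigger job included, the resulting `ci_config_ref_uri` names the parent's entry point and not the configuration the child jobs ran from. The commit message says the claim feeds SLSA provenance and keyless signing, so policy authors need to know what they are matching; a comment on the method such as `# Returns "<build_server_fqdn>/<project.full_path>//<ci_config_path>", used for the ci_config_ref_uri JWT claim` would state it. The enclosing class starts outside the hunk.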