OIDC Build Creator Claim

Proposed Change

We propose adding the option for including the Build Creator’s email and name as additional claims, which can be requested through the --claim option in the buildkite-agent oidc request-token command. While Buildkite already makes this information available as environment variables (BUILDKITE_BUILD_CREATOR_EMAIL and BUILDKITE_BUILD_CREATOR), embedding them in the OIDC token enhances traceability and attribution of build initiators.

Example Command

Executing the command:

$ buildkite-agent oidc request-token ... --claim "build_creator,build_creator_email"

will generate an OIDC token that includes:

{
  "iss": "https://agent.buildkite.com",
  "sub": "organization:acme-inc:pipeline:super-duper-app:ref:refs/heads/main:commit:9f3182061f1e2cca4702c368cbc039b7dc9d4485:step:build",
  "aud": "https://buildkite.com/acme-inc",
  "iat": 1669014898,
  "nbf": 1669014898,
  "exp": 1669015198,
  "organization_slug": "acme-inc",
  "pipeline_slug": "super-duper-app",
  "build_number": 1,
  "build_branch": "main",
  "build_tag": "v1.0.0",
  "build_commit": "9f3182061f1e2cca4702c368cbc039b7dc9d4485",
  "step_key": "build",
  "job_id": "0184990a-477b-4fa8-9968-496074483cee",
  "agent_id": "0184990a-4782-42b5-afc1-16715b10b8ff",
  "build_source": "ui",
  "runner_environment": "buildkite-hosted",
  "BUILDKITE_BUILD_CREATOR_EMAIL": "john.smith@airbnb.com",
  "BUILDKITE_BUILD_CREATOR": "John Smith"
}

Additional Options

Incorporating Build Author variables as optional claims (BUILDKITE_BUILD_AUTHOR_EMAIL and BUILDKITE_BUILD_AUTHOR) would also be beneficial, though they are considered less critical compared to the aforementioned claims.
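
An added example (not part of the original post and not Buildkite's code) of how a relying party could consume these claims after the token's signature has been verified: access is decided on the standard claims, and the creator name and email are only recorded for attribution. The policy values, the `evaluate` function and the creator claim key names (copied from the sample token in the post) are assumptions.

```python
import time

# Constructed sample: decoded payload from the post, trimmed. Signature
# verification against the issuer's keys is assumed to have happened already.
SAMPLE_CLAIMS = {
    "iss": "https://agent.buildkite.com",
    "aud": "https://buildkite.com/acme-inc",
    "iat": 1669014898, "nbf": 1669014898, "exp": 1669015198,
    "organization_slug": "acme-inc",
    "pipeline_slug": "super-duper-app",
    "build_branch": "main",
    "BUILDKITE_BUILD_CREATOR_EMAIL": "john.smith@airbnb.com",
    "BUILDKITE_BUILD_CREATOR": "John Smith",
}

# Hypothetical relying-party policy: exact values each claim must carry.
POLICY = {
    "iss": "https://agent.buildkite.com",
    "aud": "https://buildkite.com/acme-inc",
    "organization_slug": "acme-inc",
    "pipeline_slug": "super-duper-app",
    "build_branch": "main",
}
# Assumed key names for the proposed optional claims (as in the sample token).
CREATOR_KEYS = ("BUILDKITE_BUILD_CREATOR", "BUILDKITE_BUILD_CREATOR_EMAIL")

def evaluate(claims, now=None, leeway=30):
    """Return (allowed, reasons, audit) for signature-verified claims."""
    now = time.time() if now is None else now
    reasons = [f"{key} mismatch" for key, expected in POLICY.items()
               if claims.get(key) != expected]
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int):
        reasons.append("missing nbf/exp")
    elif now + leeway < nbf:
        reasons.append("token not yet valid")
    elif now - leeway >= exp:
        reasons.append("token expired")
    # Creator claims are optional: record them for attribution only, so a
    # token issued without --claim is still evaluated on the core claims.
    audit = {k: claims[k] for k in CREATOR_KEYS if isinstance(claims.get(k), str)}
    audit["creator_present"] = len(audit) == len(CREATOR_KEYS)
    return (not reasons, reasons, audit)
```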

Hey @amarquez 👋,

This is Suma from the Buildkite support team. Thank you for reaching out to us and sharing the feedback.
I have noted down the details of your feedback and how it can help with your workflow, so I will share this product feedback with our team to evaluate potential solutions.

Thanks,
Suma