From d653cb69001ef8dcd6e1e07747ac0f54a063e0dd Mon Sep 17 00:00:00 2001
From: Sam Joan Roque-Worcel
Date: Wed, 22 Oct 2025 06:50:12 +1300
Subject: [PATCH] Resolve bug with keyless signing in child pipelines
This commit resolves a bug in our keyless signing functionality which resulted in the integration with Sigstore being broken for child pipelines.
More information: https://gitlab.com/gitlab-org/gitlab/-/issues/422146
Changelog: fixed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208180
---
.../sigstore_child_pipelines_fix.yml | 10 -------
lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb | 2 --
lib/gitlab/ci/project_config/bridge.rb | 2 --
.../ci/jwt_v2/claim_mapper/bridge_spec.rb | 10 -------
spec/lib/gitlab/ci/jwt_v2_spec.rb | 26 -------------------
spec/lib/gitlab/ci/project_config_spec.rb | 10 -------
6 files changed, 60 deletions(-)
delete mode 100644 config/feature_flags/gitlab_com_derisk/sigstore_child_pipelines_fix.yml
diff --git a/config/feature_flags/gitlab_com_derisk/sigstore_child_pipelines_fix.yml b/config/feature_flags/gitlab_com_derisk/sigstore_child_pipelines_fix.yml
deleted file mode 100644
index 8df70a6a246b82..00000000000000
--- a/config/feature_flags/gitlab_com_derisk/sigstore_child_pipelines_fix.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-name: sigstore_child_pipelines_fix
-description:
-feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/422146
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208180
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/577193
-milestone: '18.6'
-group: group::pipeline security
-type: gitlab_com_derisk
-default_enabled: false
diff --git a/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb b/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb
index bcedf7bd028688..fdc3cd571deb06 100644
--- a/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb
+++ b/lib/gitlab/ci/jwt_v2/claim_mapper/bridge.rb
@@ -11,8 +11,6 @@ def initialize(project_config, pipeline) end def to_h - return {} unless Feature.enabled?(:sigstore_child_pipelines_fix, pipeline.project) - { ci_config_ref_uri: ci_config_ref_uri, ci_config_sha: pipeline.sha diff --git a/lib/gitlab/ci/project_config/bridge.rb b/lib/gitlab/ci/project_config/bridge.rb index 1f2726af85171c..39d4d1339a0b4a 100644 --- a/lib/gitlab/ci/project_config/bridge.rb +++ b/lib/gitlab/ci/project_config/bridge.rb @@ -23,8 +23,6 @@ def source override :url def url - return super unless Feature.enabled?(:sigstore_child_pipelines_fix, project) - File.join(Settings.build_server_fqdn, project.full_path, '//', ci_config_path) end end diff --git a/spec/lib/gitlab/ci/jwt_v2/claim_mapper/bridge_spec.rb b/spec/lib/gitlab/ci/jwt_v2/claim_mapper/bridge_spec.rb index 74472f560162f6..34c8d22b14beec 100644 --- a/spec/lib/gitlab/ci/jwt_v2/claim_mapper/bridge_spec.rb +++ b/spec/lib/gitlab/ci/jwt_v2/claim_mapper/bridge_spec.rb @@ -30,15 +30,5 @@ }) end end - - context "when FF is disabled" do - before do - stub_feature_flags(sigstore_child_pipelines_fix: false) - end - - it 'returns expected claims' do - expect(mapper.to_h).to eq({}) - end - end end end diff --git a/spec/lib/gitlab/ci/jwt_v2_spec.rb b/spec/lib/gitlab/ci/jwt_v2_spec.rb index 3d1e956fc383ba..e275d4a1ef4b0d 100644 --- a/spec/lib/gitlab/ci/jwt_v2_spec.rb +++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb 
@@ -324,32 +324,6 @@ end end end - - context "when FF is disabled and bridge source" do - before do - stub_feature_flags(sigstore_child_pipelines_fix: false) - end - - let(:project_config) do - instance_double( - Gitlab::Ci::ProjectConfig, - url: 'gitlab.com/gitlab-org/gitlab//.gitlab-ci.yml', - source: :bridge_source - ) - end - - it 'preserves original behaviour' do - expect(Gitlab::Ci::ProjectConfig).to receive(:new).with( - project: target_project, - sha: pipeline.sha, - pipeline_source: pipeline.source.to_sym, - pipeline_source_bridge: pipeline.source_bridge - ).and_return(project_config) - - expect(payload[:ci_config_ref_uri]).to be_nil - expect(payload[:ci_config_sha]).to be_nil - end - end end end end diff --git a/spec/lib/gitlab/ci/project_config_spec.rb b/spec/lib/gitlab/ci/project_config_spec.rb index 95f141d0d4b20e..151b8b2bc3ea8c 100644 --- a/spec/lib/gitlab/ci/project_config_spec.rb +++ b/spec/lib/gitlab/ci/project_config_spec.rb @@ -43,16 +43,6 @@ expect(config.url).to eq("localhost/#{project.full_path}//path/to/config.yml") end - context "when FF is disabled" do - before do - stub_feature_flags(sigstore_child_pipelines_fix: false) - end - - it 'preserves the original behaviour' do - expect(config.url).to be_nil - end - end - context "with nil ci_config_path" do let(:ci_config_path) { nil } -- GitLab