Merged
Conversation
12 tasks
There was a problem hiding this comment.
Pull request overview
Migrates the Terraform registry handler to use the shared oidc.OIDCRegistry so OIDC credentials can be matched collision-free (host bucket + longest path-prefix match), aligning Terraform with the registry-wide OIDC credential storage approach introduced in #78 / fixing #87 scenarios.
Changes:
- Replaced Terraform’s per-handler OIDC credential map + RWMutex with
oidc.OIDCRegistry. - Updated Terraform OIDC registration to use the credential’s
urlfield as the primary key (preserving path), with host fallback. - Adjusted OIDC handling tests to expect Terraform registration logs to include the full URL key.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/handlers/terraform_registry.go | Switches Terraform OIDC auth to OIDCRegistry and removes handler-level mutex/map storage. |
| internal/handlers/oidc_handling_test.go | Updates expected Terraform OIDC registration log lines to match new URL-based keys. |
kbukum1
force-pushed
the
kamil/oidc-migrate-terraform
branch
from
8bec9a4 to
46ef1d8
Compare
kbukum1
force-pushed
the
kamil/oidc-migrate-terraform
branch
from
46ef1d8 to
e8fd91c
Compare
kbukum1
force-pushed
the
kamil/oidc-migrate-terraform
branch
3 times, most recently
from
88b4b90 to
64a9572
Compare
kbukum1
force-pushed
the
kamil/oidc-migrate-terraform
branch
from
64a9572 to
94dc3b5
Compare
AbhishekBhaskar
approved these changes
Apr 8, 2026
Contributor
AbhishekBhaskar
left a comment
AbhishekBhaskar
left a comment
There was a problem hiding this comment.
Just left a follow up comment for Copilot's comment.
Contributor
Author
Yes the comment is valid. It explains why OIDC creds continue (skip static credential processing) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Migrate the Terraform registry handler from manual OIDC credential map + mutex to the shared
OIDCRegistrytype introduced in #78.Why
Part of the phased migration to fix OIDC credential collisions when multiple registries share a host (#87).
Terraform was storing OIDC credentials keyed by hostname only via
cred.Host(). TheOIDCRegistrynow preserves the full URL (viaurlfield, withcred.Host()fallback), fixing potential collisions.Behavior changes
Credential selection is now deterministic. The old code iterated over a Go map (
map[string]*OIDCCredential), so with multiple OIDC credentials on the same host, which one matched was nondeterministic.OIDCRegistry.TryAuthuses longest path-prefix matching, ensuring the most specific credential always wins. This is the core fix for OIDC credential collision when multiple registries share a host #87.Host matching uses
strings.ToLowerinstead of IDNA normalization. The oldTryAuthOIDCRequestWithPrefixusedhelpers.AreHostnamesEqual(IDNAToASCII), whileOIDCRegistry.TryAuthuses lowercase comparison. This is acceptable because all real OIDC registries (Azure DevOps, JFrog, AWS CodeArtifact, Cloudsmith) use ASCII hostnames — no package registry uses internationalized domain names.