Try to gracefully handle gitlab jwt

Signed-off-by: John Kjell <[email protected]>

attestation/gitlab/gitlab.go

@@ -107,13 +107,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	}
 
 	a.CIServerUrl = os.Getenv("CI_SERVER_URL")
-	jwksUrl := fmt.Sprintf("%s/-/jwks", a.CIServerUrl)
-	jwtString := os.Getenv("CI_JOB_JWT")
+	jwksUrl := fmt.Sprintf("%s/oauth/discovery/keys", a.CIServerUrl)
+	jwtString := os.Getenv("ID_TOKEN")
 	if jwtString != "" {
 		a.JWT = jwt.New(jwt.WithToken(jwtString), jwt.WithJWKSUrl(jwksUrl))
 		if err := a.JWT.Attest(ctx); err != nil {
 			return err
 		}
+	} else {
+		log.Warn("(attestation/gitlab) no jwt token found in environment")
 	}
 
 	a.CIConfigPath = os.Getenv("CI_CONFIG_PATH")

attestation/slsa/slsa.go

@@ -152,14 +152,31 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 			p.PbProvenance.RunDetails.Builder.Id = GHABuilderId
 			p.PbProvenance.RunDetails.Metadata.InvocationId = gh.Data().PipelineUrl
 			digest := make(map[string]string)
+
+			if gh.Data().JWT == nil {
+				log.Warn("No JWT found in GitHub attestor")
+				continue
+			}
+
 			digest["sha1"] = gh.Data().JWT.Claims["sha"].(string)
 
 		case gitlab.Name:
 			gl := attestor.Attestor.(gitlab.GitLabAttestor)
 			p.PbProvenance.RunDetails.Builder.Id = GLCBuilderId
 			p.PbProvenance.RunDetails.Metadata.InvocationId = gl.Data().PipelineUrl
 			digest := make(map[string]string)
-			digest["sha1"] = gl.Data().JWT.Claims["sha"].(string)
+
+			if gl.Data().JWT == nil {
+				log.Warn("No JWT found in GitLab attestor")
+				continue
+			}
+
+			sha, found := gl.Data().JWT.Claims["sha"]
+			if found {
+				digest["sha1"] = sha.(string)
+			} else {
+				log.Warn("No SHA found in GitLab JWT")
+			}
 
 		// Material Attestors
 		case material.Name: