Add GitLab CI/CD support to Connect-PnPOnline -FederatedIdentity#5395
Merged
gautamdsheth merged 1 commit intoJul 14, 2026
Merged
Conversation
Detects GitLab CI via GITLAB_CI and GITLAB_OIDC_TOKEN (populated by the id_tokens block in .gitlab-ci.yml) and exchanges that OIDC token for an Entra ID access token via the existing federated token exchange, alongside the current GitHub Actions and Azure DevOps support.
Collaborator
|
Thanks @fabianhutzli , awesome stuff . It has been merged , much appreciated !! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type
Summary
Extends
Connect-PnPOnline -FederatedIdentityto support GitLab CI/CD pipelines, alongside the existing GitHub Actions and Azure DevOps support. This lets users authenticate to SharePoint/Microsoft Graph from a GitLab pipeline using GitLab's OIDCid_tokensfeature and a federated credential trust on the Entra ID app registration, without needing to store a client secret or certificate in GitLab.Modified cmdlets
-FederatedIdentityswitch parameter set now also recognizes a GitLab CI/CD context. As with GitHub Actions,-ClientIdand-Tenantmust be supplied explicitly (GitLab has no equivalent of Azure DevOps' service-connection auto-lookup).Implementation notes
TokenHandler.GetFederatedIdentityTokenAsyncgains a third detection branch, alongside the existing GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKEN) and Azure DevOps (SYSTEM_OIDCREQUESTURI) branches. GitLab CI is detected via theGITLAB_CIenvironment variable combined with the presence ofGITLAB_OIDC_TOKEN.id_tokenspipeline feature mints the JWT directly into the configured job variable at job start. The pipeline must define it under that exact name: