Add additional unchecked GitLab claims (#18650)

di · web-flow · commit 7e38c57d0136 · 2025-09-08T14:20:32.000Z
* Add additional unchecked GitLab claims

* Update comment
diff --git a/tests/unit/oidc/models/test_gitlab.py b/tests/unit/oidc/models/test_gitlab.py
@@ -218,6 +218,10 @@ def test_gitlab_publisher_all_known_claims(self):
             "project_visibility",
             "user_access_level",
             "groups_direct",
+            "job_namespace_id",
+            "job_namespace_path",
+            "job_project_id",
+            "job_project_path",
         }
 
     def test_gitlab_publisher_computed_properties(self):
diff --git a/warehouse/oidc/models/gitlab.py b/warehouse/oidc/models/gitlab.py
@@ -154,7 +154,7 @@ class GitLabPublisherMixin:
 
     __unchecked_claims__ = {
         # We are not currently verifying project_id or namespace_id to protect against
-        # resurrection attacks: https://github.com/pypi/warehouse/issues/13575
+        # resurrection attacks: https://github.com/pypi/warehouse/issues/15643
         "project_id",
         "namespace_id",
         "namespace_path",
@@ -177,6 +177,10 @@ class GitLabPublisherMixin:
         "project_visibility",
         "user_access_level",
         "groups_direct",
+        "job_namespace_id",
+        "job_namespace_path",
+        "job_project_id",
+        "job_project_path",
     }
 
     # Get the most specific publisher from a list of publishers,
