From b69aa376bab93d8c0289fede30bd4d0866f3ff87 Mon Sep 17 00:00:00 2001
From: Ilia Medvedev
Date: Fri, 5 Apr 2024 10:51:15 +0300
Subject: [PATCH] add comment explaining the usage of worklow url as buildsigner

Signed-off-by: Ilia Medvedev
---
 pkg/identity/codefresh/principal.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/identity/codefresh/principal.go b/pkg/identity/codefresh/principal.go
index 5579ac576..e0962b5e8 100644
--- a/pkg/identity/codefresh/principal.go
+++ b/pkg/identity/codefresh/principal.go
@@ -149,7 +149,9 @@ func (w workflowPrincipal) Embed(_ context.Context, cert *x509.Certificate) erro
 
 cert.ExtraExtensions, err = certificate.Extensions{
 Issuer: w.issuer,
- // URL of the build in Codefresh
+ // URL of the build in Codefresh.
+ // The workflow url is used for build signer in Codefresh because for public builds unauthenticated users only have access to the workflow, not the pipeline definition.
+ // Also, the workflow contains the definition of the pipeline that was used at the time of the build, making it ideal to be used as the signer url.
 BuildSignerURI: baseURL.JoinPath("build", w.workflowID).String(),
 RunnerEnvironment: w.runnerEnvironment,
 SourceRepositoryURI: w.scmRepoURL,
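Review bot: The added comment above `BuildSignerURI` explains why the workflow URL was chosen but not what that choice means for verification: the value is built with `baseURL.JoinPath("build", w.workflowID)`, so, assuming the workflow ID is unique per build as "URL of the build" suggests, it changes on every run and cannot be compared against a fixed string in a verification policy. I would add one more line such as `// The value is unique per build, so verifiers should not pin an exact BuildSignerURI; match on Issuer, SourceRepositoryURI and the other extensions instead.` As a matter of style, the two new comment lines run well past 100 columns and mix "url" with "URL"; wrapping them and writing "URL" throughout would read better. Embed's body starts and ends outside this hunk, so how `baseURL` is derived is not visible here.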