Sync Published Ceremony Branch to Main and Preprod

Sync Published Ceremony Branch to Main and Preprod #407

Summary
Jobs
- push
- sync
- if-failed
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/sync-ceremony-to-main.yml at 45c0ed0

	#
	# Copyright 2023 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	# This workflow is triggered when a ceremony branch is completed, and will:
	# - Create a PR that merges the completed ceremony branch to main
	# - Sync the ceremony branch to the GCS preprod bucket

	name: Sync Published Ceremony Branch to Main and Preprod

	# Declare default permissions as none.
	permissions: {}

	on:
	schedule:
	- cron: '0 /12 * *' # every 12 hours
	workflow_dispatch:
	inputs:
	branch:
	description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD'
	required: true
	type: string
	push:
	# When any published repository metadata is changed on a ceremony/**
	# branch.
	branches:
	- ceremony/**
	paths:
	- 'repository/repository/**'

	jobs:
	push:
	if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') \|\| (github.event_name != 'schedule') # Don't run workflow in forks on cron
	permissions:
	pull-requests: 'write'
	contents: 'write'
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
	with:
	fetch-depth: 0
	ref: ${{ github.event.repository.default_branch }}

	- name: create pull request
	uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
	with:
	github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }}
	# Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch.
	source_branch: ${{ inputs.branch \|\| github.ref_name }}
	destination_branch: ${{ github.event.repository.default_branch }}
	pr_title: "Merge ceremony branch ${{ inputs.branch \|\| github.ref_name }} into ${{ github.event.repository.default_branch }}"
	pr_body: "Merge ceremony branch to main"
	pr_reviewer: asraa,dlorenc,haydentherapper,joshuagl,kommendorkapten

	sync:
	permissions:
	id-token: 'write'
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
	with:
	fetch-depth: 0
	- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
	with:
	go-version: '1.20'
	check-latest: true
	- uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
	with:
	project_id: project-rekor
	# Setup OIDC->SA auth
	- uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
	id: auth
	with:
	token_format: 'access_token'
	workload_identity_provider: 'projects/237800849078/locations/global/workloadIdentityPools/root-signing-pool/providers/sigstore-root'
	service_account: 'sigstore-root-signing@project-rekor.iam.gserviceaccount.com'
	create_credentials_file: true
	- name: Login
	run: \|
	gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
	gcloud auth list
	# sync
	- name: sync
	run: \|
	check_expiration() {
	expiry=$(jq -r '.signed.expires' $1)
	expires=$(date -d $expiry +%s)
	current=$(date +%s)
	if (( expires < current )); then
	echo "Detected expired metadata file $1 at $expiry!"
	exit 1
	fi;
	}
	# Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded.
	for f in $(ls repository/repository/ -I *timestamp.json)
	do
	# Check for expiration if this is a non-versioned metadata file.
	# Versioned metadata like 1.root.json may be expired.
	# TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that
	# only old versioned metadata can be expired.
	if [[ $f == [^0-9]*.json ]]; then
	check_expiration repository/repository/$f
	fi;
	gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/
	done
	# Upload timestamp after checking latest timestamp expiration
	check_expiration repository/repository/timestamp.json
	gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/
	# delete any files present in sigstore-preprod-tuf-root not in repository/repository
	gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ .
	diff -qr repository/repository sigstore-preprod-tuf-root \| while read l; do
	if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then
	path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.): (.)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))")
	gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path
	fi;
	done

	if-failed:
	runs-on: ubuntu-latest
	needs: [sync]
	permissions:
	issues: 'write'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	ISSUE_REPOSITORY: sigstore/root-signing
	if: always() && needs.sync.result == 'failure'
	steps:
	- name: Create issue on failure
	uses: sigstore/sigstore-probers/.github/actions/create-issue@main
	with:
	issue_repository: sigstore/root-signing
	issue_type: FAILURE

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync Published Ceremony Branch to Main and Preprod #407

Workflow file

Sync Published Ceremony Branch to Main and Preprod #407

Jobs

Run details

Workflow file for this run