Define GitHub variables

[jku]

As part of #1247 I'd like to define a GH secret.

• Secret TUF_ON_CI_TOKEN: this should be a sigstore-bot token with following permissions for sigstore/root-signing:
  • Actions: write to dispatch other workflows when needed
  • Contents: write to create online signing commits, and to create targets metadata change commits in signing events
  • Issues: write to create issues for workflow failures
  • Pull requests: write to create and modify signing event pull requests

There may already be a token but I'd like a new one to get the right name and to double check the permissions (they may not match exactly what the legacy systems needs).

---

Originally I was planning to also set two variables but that would only make sense if sigstore/github-sync would support them -- I will instead include them in the workflow in #1256

[jku]

for reference there is also an issue for using a GitHub App instead of a plain token sigstore/root-signing-staging#98 -- I plan to test that in staging but that's not done yet

[haydentherapper]

@bobcallaway Do you have access to sigstore-bot and can do this? (Also, how do we get access to sigstore-bot?)

[bobcallaway]

@bobcallaway Do you have access to sigstore-bot and can do this? (Also, how do we get access to sigstore-bot?)

yes

[jku]

Thanks, this should now be sorted. We will see when the smoke clears after #1323