diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml
deleted file mode 100644
index fe792b58..00000000
--- a/.github/workflows/cosign-test.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-#
-# Copyright 2022 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Cosign tests
-
-on:
-  workflow_dispatch:
-  push:
-    paths:
-      - 'repository/**'
-  pull_request:
-
-jobs:
-  validate:
-    env:
-      COSIGN_EXPERIMENTAL: "true"
-    runs-on: ubuntu-latest
-    steps:
-      # Install cosign
-      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
-
-      # Set up a repository server with python
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
-        with:
-          python-version: '3.x'
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 2
-      - run: |
-          cd repository/repository/
-          python -m http.server 8001 &
-          echo "REPO=http://localhost:8001" >> $GITHUB_ENV
-
-      # Test cosign initialize
-      - name: cosign initialize on published repository
-        run: cosign initialize --mirror http://localhost:8001
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
index 6dfce059..95c8c097 100644
--- a/.github/workflows/create-signing-events.yml
+++ b/.github/workflows/create-signing-events.yml
@@ -1,9 +1,8 @@
 name: TUF-on-CI create Signing events
 
 on:
-  # disabled during migration
-  #schedule:
-  #  - cron: '17 1,7,13,19 * * *'
+  schedule:
+    - cron: '17 1,7,13,19 * * *'
   workflow_dispatch:
 
 permissions: {}
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml
deleted file mode 100644
index 50a43bb4..00000000
--- a/.github/workflows/delegation-pop-verify.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Copyright 2023 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Verify POP for a delegation
-
-on:
-  pull_request:
-    branches:
-      - 'ceremony/**'
-      - 'test-ceremony/**'
-      - 'test-delegation/**'
-
-jobs:
-  verify:
-    if: ${{ startsWith(github.event.pull_request.title, 'feat/add-delegation for ') }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: 'write'
-      pull-requests: 'read'
-    env:
-      GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
-      PR_NUMBER: ${{ github.event.pull_request.number }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0
-
-      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - name: Install deps
-        run: sudo apt-get install libpcsclite-dev
-
-      - name: build
-        run: make tuf
-
-      - name: Verify POP
-        run: .github/workflows/scripts/dpop-wrapper.sh "${{ github.event.pull_request.title }}"
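Review bot: The cron re-enabled in this hunk will also fire in every fork of the repository unless the job it drives is guarded on `github.repository`; the `jobs:` section is outside the hunk, so I cannot see whether such a guard exists. The deleted stable-snapshot-timestamp.yml carried exactly that guard (`github.repository == 'sigstore/root-signing'`, commented "Don't run workflow in forks on cron") on its scheduled job, and nothing visible in this diff carries it forward. If the job below lacks it, adding `if: github.event_name != 'schedule' || github.repository == '<owner/repo>'` keeps manual dispatch working in forks while stopping scheduled runs there. Since the `# disabled during migration` comment is removed rather than replaced, a line such as `# same cadence as online-sign.yml` above `schedule:` would record that the two workflows deliberately share the cron string `'17 1,7,13,19 * * *'`.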
diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml deleted file mode 100644 index 2280d1a6..00000000 --- a/.github/workflows/initialize.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stage a new root and targets on a new branch - -permissions: read-all - -# Execute this ONLY as workflow dispatch. -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to stage changes against, generally ceremony/YYYY-MM-DD' - required: true - type: string - revoke_key: - description: 'If provided, revokes the given HSM key, identified by the serial number' - required: false - type: string - repo: - description: 'The repository in which to stage a new root and targets' - required: false - default: repository - type: string - draft: - description: 'Use for testing; creates a draft pull request' - required: false - default: false - type: boolean - -jobs: - check_branch: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Check if remote branch exists - env: - BRANCH: ${{ inputs.branch }} - run: | - branch_exists=$(git ls-remote --heads origin ${BRANCH}) - - if [[ -z ${branch_exists} ]]; then - echo "Staging root branch ${BRANCH} does not exist: has a maintainer created one?" 
- exit 1 - fi - - init_root: - runs-on: ubuntu-latest - needs: check_branch - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control - - name: setup environment - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" >> $GITHUB_ENV - echo "REPO=${{ inputs.repo }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. - echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth for signing with KMS - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Initialize the new root and targets layout - - name: step 0 - # Note that we are already in a git repository and are manually pushing changes with the job below - # so we can simply build the TUF binary and bypass git setup in step 0. 
- run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf - - name: step 1.5 - run: | - ./scripts/step-1.5.sh ${{ inputs.revoke_key }} - - name: Upload new repository - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - retention-days: 5 - - push: - needs: init_root - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.branch }} - fetch-depth: 0 - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - # Detect new version and expiration to add to the PR description. - - name: Detect new version - env: - REPO: ${{ inputs.repo }} - run: | - # Detects the new root version. - VERSION=$(cat ${REPO}/staged/root.json | jq -r '.signed.version') - echo "VERSION=$VERSION" >> $GITHUB_ENV - - # Create commits - - name: Create commits - env: - REPO: ${{ inputs.repo }} - run: | - # Set identity. - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - git checkout -b init-root-targets - # Commit the REPO changes - git add ${REPO} - git commit -s -m "Add staged repository metadata" - git push origin HEAD - - # Open pull request changes. Use the fine-grained PAT in order to trigger presubmits. - - name: create pull request - env: - DRAFT: ${{ inputs.draft && '-d' || '' }} - run: - GH_TOKEN=${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} gh pr create -B ${{ inputs.branch }} -H init-root-targets -t "Update Root and Targets to version ${{ env.VERSION }}" -b "Initializes a new root and targets to version ${{ env.VERSION }}" ${DRAFT} -r bobcallaway -r haydentherapper -r kommendorkapten 
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/lint.yml
similarity index 50%
rename from .github/workflows/ci-test.yml
rename to .github/workflows/lint.yml
index 46e5e7eb..ef563fbd 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/lint.yml
@@ -13,31 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: CI Test
+name: Lint
 
 on:
   push:
-    paths-ignore:
-      - 'ceremony/**'
   pull_request:
-    paths-ignore:
-      - 'ceremony/**'
 
 jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
-        with:
-          version: v1.59
-
   yamllint:
     runs-on: ubuntu-latest
     steps:
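Review bot: Renaming the workflow to `Lint` and deleting the `golangci` job here (and the `test` and `build` jobs in this file's second hunk) changes the set of status-check names the workflow reports, so any branch-protection rule that still requires `lint`, `test` or `build` will either block every merge or, if those checks are not required, silently stop enforcing anything until the rule is updated; the commit does not mention that follow-up. Dropping the `paths-ignore: - 'ceremony/**'` filters on both `push:` and `pull_request:` also means yamllint/actionlint/shellcheck now run on ceremony branches, which is harmless if that path no longer exists after the migration but is otherwise a behaviour change the hunk does not explain. A short comment under `jobs:` saying where the removed Go build/test coverage now lives, or that it was retired together with the Go code, would spare the next reader from reconstructing this from history, e.g. `# Go build/test jobs were removed in <commit-id>; this workflow only lints CI config and scripts`.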
@@ -65,40 +47,6 @@ jobs:
         with:
           actionlint_flags: -color -shellcheck=
 
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-      - name: install deps
-        run: |
-          sudo apt-get install libpcsclite-dev
-      - name: Test
-        run: go test -tags=pivkey -v ./...
-      - name: Ensure no files were modified as a result of the build
-        run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code
-
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-      - name: install deps
-        run: |
-          sudo apt-get install libpcsclite-dev
-      - name: build verification
-        run: go build -o verify ./cmd/verify/
-      - name: build TUF script
-        run: go build -o tuf -tags=pivkey ./cmd/tuf
-      - name: build test script
-        run: go build -o keygen -tags=pivkey ./tests/keygen
-
   shellcheck:
     name: Shellcheck
     runs-on: ubuntu-latest
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml
index 92d1c1f2..eed0c1bd 100644
--- a/.github/workflows/online-sign.yml
+++ b/.github/workflows/online-sign.yml
@@ -3,12 +3,11 @@ name: TUF-on-CI online signing
 permissions: {}
 
 on:
-  # disabled during migration
-  #schedule:
-  #  - cron: '17 1,7,13,19 * * *'
-  #push:
-  #  branches: [ main ]
-  #  paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
+  schedule:
+    - cron: '17 1,7,13,19 * * *'
+  push:
+    branches: [main]
+    paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
   workflow_dispatch:
 
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 834d1b17..00000000
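Review bot: The re-enabled `push:` trigger in the online-sign.yml hunk writes its sequences in flow style (`branches: [main]`, `paths: [...]`) while the `schedule:` entry two lines above, and the matching hunk in create-signing-events.yml, use block sequences; the file reads more consistently, and diffs line-by-line, if the `paths:` list in particular is written in block style. The two negated entries `'!metadata/timestamp.json'` and `'!metadata/snapshot.json'` look like they exist so that the commits this workflow itself produces do not re-trigger it, which I am inferring from the file name rather than from anything in the hunk; if that is the reason it deserves a comment, because dropping either entry would turn a push-triggered signing run into a self-triggering loop. The `jobs:` section that consumes these triggers is outside the hunk, so I cannot tell whether scheduled runs are guarded against running in forks.

```yaml
  push:
    branches:
      - main
    # NOTE(review): presumably excluded because this workflow updates them itself — confirm
    paths:
      - 'metadata/**'
      - '!metadata/timestamp.json'
      - '!metadata/snapshot.json'
```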
--- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: cut-release - -on: - push: - tags: - - "v*" - -# Note: read permissions are set globally. -jobs: - release: - runs-on: ubuntu-latest - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 - - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 - - - name: Set LDFLAGS - id: ldflags - run: | - source ./release/ldflags.sh - goflags=$(ldflags) - echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV" - - - name: Run GoReleaser - id: run-goreleaser - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 - with: - version: latest - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - LDFLAGS: ${{ env.GO_FLAGS }} - - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - 
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" - - - name: Set tag output - id: tag - run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" - - provenance: - needs: [release] - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects: "${{ needs.release.outputs.hashes }}" - upload-assets: true # upload to a new release - upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release - draft-release: true diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml deleted file mode 100644 index c0a9f1e3..00000000 --- a/.github/workflows/reuseable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,234 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Snapshot and Timestamp Template - -# Reusable workflow that runs snapshot and timestamp on directories. -# TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows. -on: - workflow_call: - secrets: - token: - description: > - Optional token. - This argument is passed, unchanged, to the job that creates the pull request. - required: false - inputs: - snapshot_key: - description: 'Sets the snapshotting key reference' - required: false - type: string - timestamp_key: - description: 'Sets the timestamping key reference' - required: true - type: string - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - repo: - description: 'Sets the repository to perform the operation on: expects relative path to GitHub repository, for example: repository' - required: false - default: repository - type: string - provider: - description: 'Sets the workflow identity provider' - required: true - type: string - service_account: - description: 'Sets the GitHub service account authorized for keys' - required: true - type: string - snapshot_timestamp: - description: 'Enables snapshot/timestamp step. During ceremonies, you may flip this to false to allow for just a publish step.' 
- required: false - default: true - type: boolean - disable_snapshot: - description: 'Disables snapshot and only generates timestamp.' - required: false - default: false - type: boolean - publish: - description: 'Enables publishing step. During ceremonies, you may flip this to false to allow for reviewing changes before publishing.' - required: false - default: true - type: boolean - -jobs: - snapshot_and_timestamp: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - name: setup - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "REPO=$(pwd)/${{ inputs.repo }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=${{ inputs.snapshot_key }}" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=${{ inputs.timestamp_key }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. 
- echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: ${{ inputs.provider }} - service_account: ${{ inputs.service_account }} - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - # Note: This needs to be parameterized if the KMS keys are in a different project - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Build binary - - name: build - run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf/ - - - name: setup timestamping - if: ${{ inputs.disable_snapshot }} - run: | - echo "DISABLE_SNAPSHOT=1" >> $GITHUB_ENV - - # Snapshot and timestamp - - name: snapshot and timestamp - if: ${{ inputs.snapshot_timestamp }} - run: | - ./scripts/step-3.sh - - # Publish - - name: publish - if: ${{ inputs.publish }} - run: | - ./scripts/step-4.sh - - - name: get patch - run: | - # Setting git config is only needed to create the patch to download in the next step. - git config user.name "GitHub Actions Bot" - git config user.email "<>" - # Commit and create patch - git add . 
- git commit -m "snapshot and timestamp" - git format-patch HEAD^ -o snapshot-timestamp - - - name: Upload snapshot and timestamp - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: snapshot-timestamp - path: snapshot-timestamp - retention-days: 5 - - if-failed: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-pass: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main - - push: - needs: snapshot_and_timestamp - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: snapshot-timestamp - path: snapshot-timestamp - - run: | - git checkout -b update-snapshot-timestamp - git apply --verbose snapshot-timestamp/* - rm -r snapshot-timestamp - git add ${{ inputs.repo }} - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - # Open pull request changes - - name: create pull request for no snapshot - if: ${{ inputs.disable_snapshot }} - run: | - git commit -s -m "Update timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Timestamp" -b "Sign 
timestamp file" -r bobcallaway -r haydentherapper -r kommendorkapten - - - name: create pull request for timestamp/snapshot - if: ${{ !inputs.disable_snapshot }} - run: | - git commit -s -m "Update snapshot and timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Snapshot and Timestamp" -b "Sign snapshot and timestamp files" -r bobcallaway -r haydentherapper -r kommendorkapten - - if-push-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-push-pass: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml deleted file mode 100644 index f5491882..00000000 --- a/.github/workflows/review-snapshot-timestamp.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Review Snapshot and Timestamp - -permissions: read-all - -on: - # Enable cron for checking if a snapshot/timestamp PR needs review - # every 2 hours and attempts to merge. - schedule: - - cron: '30 */2 * * *' # every 2 hours - workflow_dispatch: - -jobs: - review: - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - env: - GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - run: | - set -euo pipefail - ./.github/workflows/scripts/review-pull-request.sh diff --git a/.github/workflows/scripts/dpop-wrapper.sh b/.github/workflows/scripts/dpop-wrapper.sh deleted file mode 100755 index bbd18492..00000000 --- a/.github/workflows/scripts/dpop-wrapper.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -# -# This is just a thin wrapper that takes on the input from a pull request -# and parses out the name of the delegation and the signature. -# It then calls the real script which will invoke the actual verification. -# -TITLE=$1 - -DELEGATION=$(echo "${TITLE}" | sed -E 's/(.+) for (.+)/\2/') -OUTPUT=$(mktemp) -./scripts/dpop-verify.sh "${DELEGATION}" 2>&1 | tee "${OUTPUT}" diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh deleted file mode 100644 index 07ba66be..00000000 --- a/.github/workflows/scripts/e2e-utils.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Gets the name of the currently running workflow file. -# Note: this requires GITHUB_TOKEN to be set in the workflows. -this_file() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3 -} - -# File is BODY in current directory. -create_issue_body() { - RUN_DATE=$(date --utc) - - # see https://docs.github.com/en/actions/learn-github-actions/environment-variables - # https://docs.github.com/en/actions/learn-github-actions/contexts. - cat <BODY -Repo: https://github.com/$GITHUB_REPOSITORY/tree/$GITHUB_REF_NAME -Run: https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID -Workflow file: https://github.com/$GITHUB_REPOSITORY/tree/main/.github/workflows/$THIS_FILE -Workflow runs: https://github.com/$GITHUB_REPOSITORY/actions/workflows/$THIS_FILE -Trigger: $GITHUB_EVENT_NAME -Branch: $GITHUB_REF_NAME -Date: $RUN_DATE -EOF -} \ No newline at end of file diff --git a/.github/workflows/scripts/review-pull-request.sh b/.github/workflows/scripts/review-pull-request.sh deleted file mode 100755 index 241e7845..00000000 --- a/.github/workflows/scripts/review-pull-request.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -# Gets the open snapshot/timestamp update pull requests of the repository -timestamp_update() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/pulls?head=sigstore:update-snapshot-timestamp" | jq '.[0]' | jq 'select (.!=null)' -} - -UPDATE_PR=$(timestamp_update) -if [[ -n "${UPDATE_PR}" ]]; then - PULL_NUMBER=$(echo "${UPDATE_PR}" | jq -r '.number') - TITLE=$(echo "${UPDATE_PR}" | jq -r '.title') - echo "pull request found: " - echo "${PULL_NUMBER}" - echo "${TITLE}" - - # Approve PR - curl \ - -o review_output.json \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews - - echo "review: " - cat review_output.json - - # TODO: Use gh pr review PR_NUMBER --approve - REVIEW_ID=$(jq -r '.id' review_output.json) - GH_TOKEN=$GITHUB_TOKEN gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews/"${REVIEW_ID}"/events \ - -f event='APPROVE' - - # Get login for DCO - GH_TOKEN="${GITHUB_TOKEN}" gh api \ - -H "Accept: application/vnd.github+json" \ - /user > login.json - - LOGIN=$(jq -r '.login' login.json) - # Attempt to merge PR - 
GH_TOKEN="${GITHUB_TOKEN}" gh api \ - --method PUT \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/merge \ - -f commit_title="${TITLE} (#${PULL_NUMBER})" \ - -f commit_message="Signed-off-by: ${LOGIN} <${LOGIN}@users.noreply.github.com>" \ - -f merge_method='merge' - -else - echo "No open snapshot/timestamp pull request found" -fi diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml deleted file mode 100644 index 4f765680..00000000 --- a/.github/workflows/stable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Snapshot and Timestamp - -permissions: read-all - -# Execute this as a weekly cron job and on changes to repository/ -# when new published metadata is submitted. -on: - # Enable cron for re-signing snapshot and timestamp every week - schedule: - - cron: '0 16 * * 2' # every Tuesday at 9am PST - # When a new root is staged - push: - branches: - - main - paths: - - 'repository/staged/root.json' - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_snapshot: - description: 'Whether to force a snapshot. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether snapshot/timestamp should run. - runs-on: ubuntu-latest - outputs: - block_snapshot: ${{ steps.check.outputs.block_snapshot }} - env: - FORCE_SNAPSHOT: ${{ inputs.force_snapshot }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to run a snapshot/timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. 
- echo "block_snapshot=false" >> "${GITHUB_OUTPUT}" - - # If we force a snapshot, exit early. - if [[ "${FORCE_SNAPSHOT}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_snapshot=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_snapshot_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_snapshot == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml deleted file mode 100644 index fd5f643c..00000000 --- a/.github/workflows/stable-timestamp.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Timestamp - -permissions: read-all - -# Execute this as a once a week cron job (in addition to stable-snapshot-timestamp) -on: - # Enable cron for re-signing timestamp every week. Timestamp is also - # regenerated in stable-snapshot-timestamp.yml - schedule: - - cron: '0 16 * * 5' # every Friday at 9am PST - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_timestamp: - description: 'Whether to force a timestamp. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether timestamp should run. - runs-on: ubuntu-latest - outputs: - block_timestamp: ${{ steps.check.outputs.block_timestamp }} - env: - FORCE_TIMESTAMP: ${{ inputs.force_timestamp }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to create a timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. - echo "block_timestamp=false" >> "${GITHUB_OUTPUT}" - - # If we force a timestamp, exit early. 
- if [[ "${FORCE_TIMESTAMP}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_timestamp=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_timestamp == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - disable_snapshot: true - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/staging-snapshot-timestamp.yml b/.github/workflows/staging-snapshot-timestamp.yml deleted file mode 100644 index 55509c54..00000000 --- a/.github/workflows/staging-snapshot-timestamp.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Staging Snapshot and Timestamp - -permissions: read-all - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - -jobs: - run_snapshot_timestamp_publish: - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - branch: ${{ inputs.branch }} - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml deleted file mode 100644 index b239d860..00000000 --- a/.github/workflows/sync-ceremony-to-main.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered when a ceremony branch is completed, -# creating a PR that merges the completed ceremony branch to main - -name: Sync Published Ceremony Branch to Main and Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD' - required: true - type: string - push: - # When any published repository metadata is changed on a ceremony/** - # branch. - branches: - - ceremony/** - paths: - - 'repository/repository/**' - -jobs: - push: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - permissions: - pull-requests: 'write' - contents: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ github.event.repository.default_branch }} - - - name: create pull request - uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1 - with: - github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} - # Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch. 
- source_branch: ${{ inputs.branch || github.ref_name }} - destination_branch: ${{ github.event.repository.default_branch }} - pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}" - pr_body: "Merge ceremony branch to main" - pr_reviewer: bobcallaway,haydentherapper,joshuagl,kommendorkapten - - if-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml deleted file mode 100644 index 5b4c680c..00000000 --- a/.github/workflows/sync-main-to-preprod-and-prod.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This sync will execute when any combination of the following files, -# and no other files, are changed on the main branch: -# - timestamp.json -# - snapshot.json -# - [0-9]+.snapshot.json -# Under this condition, all files from the repository/repository directory -# on the main branch will sync to both preprod and prod. - -name: Sync Repository Main Branch with both GCS Preprod and Prod Buckets - -on: - push: - branches: - - main - paths: - # When timestamp or snapshot files are changed. - # Note: the sync job below uses a diff to ensure ONLY these files are changed - # prior to syncing. 
- - 'repository/repository/timestamp.json' - - 'repository/repository/snapshot.json' - - 'repository/repository/[0-9]+.snapshot.json' - workflow_dispatch: - -jobs: - sync: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - name: check-updated-files - id: check-updated-files - run: | - # Checks whether a filename matches timestamp.json, snapshot.json, or [0-9]+.snapshot.json. If not, - # this workflow will exit as we only want to run it when ONLY these files are changed. - # TODO it may be good to check whether the [0-9]+.snapshot.json is the next one chronologically - check_filename() { - if [[ $1 != "timestamp.json" && $1 != "snapshot.json" && !($1 =~ ^[0-9]+\.snapshot.json$) ]]; then - echo "Sync main to preprod and prod workflow: Files other than timestamp and snapshot were updated in main branch, including file: $1. Not syncing, exiting." - echo "abort=true" >> $GITHUB_OUTPUT - fi; - } - # Diff main and prod to determine whether ONLY the timestamp and snapshot files have changed in main. 
- # If other files have also changed, exit - in this case, the sync should be to preprod only. - # NOTE other non-timestamp/snapshot changes should only occur during a ceremony, and - # will go through the sync-ceremony-* flow that hits main and preprod. This means there should never - # be changed files in prod that have not also hit the main branch. - # NOTE We deliberately diff only with prod to avoid a scenario in which the ceremony branch's sync to - # main and preprod kicks off this workflow, in which case the lack of diff between main and preprod - # could trigger this workflow to auto sync to prod. - # - # TODO this does not check whether the updates are in main or in prod, only that files differ. We could - # make this more exact later to check that the updates are in main (anything else is unexpected). - diff -qr repository/repository sigstore-tuf-root | grep -Po '([0-9\.]*\w+[\.\w+]*(?= differ))|((Only in \w+\: )\K(.*))' | while read l; do check_filename $l; done - - name: sync - id: sync - if: ${{ steps.check-updated-files.outputs.abort != 'true' }} - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - - # Download bucket metadata - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. 
- if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-tuf-root/ - done - - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-tuf-root/ - - # NOTE as this workflow runs only when timestamp or snapshot files are added or updated, there should not - # be a scenario where files that are removed from main must be synced to (removed from) preprod/prod. - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml deleted file mode 100644 index 4c3be18e..00000000 --- a/.github/workflows/sync-main-to-preprod.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -# -# Copyright 2024 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered a root signing completes and is merged -# into main, syncing the repository to the GCS preprod bucket - -name: Sync Published Root Signing to Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - push: - # When a root signing ceremony completes - branches: - - main - paths: - - 'repository/repository/root.json' - -jobs: - sync: - permissions: - id-token: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list 
- # sync - - name: sync - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. - if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - done - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - # delete any files present in sigstore-preprod-tuf-root not in repository/repository - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . 
- diff -qr repository/repository sigstore-preprod-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml deleted file mode 100644 index 5cfe94a0..00000000 --- a/.github/workflows/sync-preprod-to-prod.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Sync Preprod Repository with GCS Prod Bucket - -on: - workflow_dispatch: - -jobs: - sync: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - - name: sync - run: | - # download preprod bucket and copy over to production bucket - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . - - # upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. 
- for f in $(ls sigstore-preprod-tuf-root/ -I *timestamp.json) - do - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/$f gs://sigstore-tuf-root/ - done - # upload timestamp - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/*timestamp.json gs://sigstore-tuf-root/ - - # delete any files present in sigstore-tuf-root not in sigstore-preprod-tuf-root - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - diff -qr sigstore-preprod-tuf-root sigstore-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml index 4c1d7a08..93c2d9de 100644 --- a/.github/workflows/test-gcs.yml +++ b/.github/workflows/test-gcs.yml @@ -3,9 +3,8 @@ name: root-signing GCS repository tests on: workflow_call: workflow_dispatch: - # disabled during migration - #schedule: - # - cron: '17 4,10,16,22 * * *' + schedule: + - cron: '17 4,10,16,22 * * *' permissions: {} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 950da4ff..5e4ed003 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
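Review bot: The re-enabled `schedule` trigger will also fire in any fork where Actions is enabled, and nothing in this hunk shows a repository guard on the jobs in test-gcs.yml (the `jobs:` section is outside the hunk), whereas the workflows deleted earlier on this page gate cron runs with `github.repository == 'sigstore/root-signing'`. If the jobs carry no such guard, add `if: github.event_name != 'schedule' || github.repository == 'sigstore/root-signing'` to the job so scheduled runs in forks do not fail noisily or hit the production repository. The same applies to the identical hunk in test.yml that follows. Since the `disabled during migration` comment is dropped, a short comment above `schedule:` such as `# Run every 6 hours (04:17, 10:17, 16:17, 22:17 UTC)` would record the cadence in place of the removed note.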
@@ -3,9 +3,8 @@ name: TUF-on-CI repository tests on: workflow_call: workflow_dispatch: - # disabled during migration - #schedule: - # - cron: '17 4,10,16,22 * * *' + schedule: + - cron: '17 4,10,16,22 * * *' permissions: {} diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml deleted file mode 100644 index 88f1fc95..00000000 --- a/.github/workflows/tuf_client_tests.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: TUF Client tests - -on: - workflow_dispatch: - push: - paths: - - 'repository/**' - pull_request: - -jobs: - client: - runs-on: ubuntu-latest - steps: - # Set up a repository server with python - - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 2 - - run: | - cd repository/repository/ - python -m http.server 8001 & - echo "REPO=http://localhost:8001" >> $GITHUB_ENV - # Test with go-tuf client - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - run: | - go install github.com/theupdateframework/go-tuf/cmd/tuf-client@v0.7.0 - - run: | - # Only 5.root.json is compatible with new versions of go-tuf - if [ -f repository/repository/5.root.json ]; then - tuf-client init http://localhost:8001 repository/repository/5.root.json - tuf-client list http://localhost:8001 - fi - # Verify with a go-tuf client that can understand deprecated keys - go run ./tests/client-tests init http://localhost:8001 repository/repository/1.root.json - go run ./tests/client-tests list http://localhost:8001 - # Test with rust client - - name: Configure cargo cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 - with: - path: | - /tmp/tuftool-target - 
~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ~/.cargo/git/db/ - key: ${{ runner.os }}-cargo-tuftool - - name: Install tuftool - run: | - # use the latest version - cargo install tuftool \ - --target-dir /tmp/tuftool-target - - run: | - tuftool download out \ - --root repository/repository/2.root.json \ - -t http://localhost:8001/targets \ - -m http://localhost:8001 - # Test with python-tuf ngclient - - run: | - python3 -m pip install securesystemslib[crypto,pynacl] "tuf>=4.0.0" - python3 tests/client-tests/python-tuf.py - - jsclient: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 - with: - node-version: 20 - - name: Install tufjs/cli - run: npm install -g @tufjs/cli - - run: | - cd repository/repository/ - python -m http.server 8001 & - - name: Download and verify root - run: | - tuf download \ - --metadata-base-url http://localhost:8001 \ - --root repository/repository/5.root.json \ - --target-name trusted_root.json diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml deleted file mode 100644 index e05144db..00000000 --- a/.github/workflows/validate.yml +++ /dev/null 
@@ -1,62 +0,0 @@
-#
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: CI Validate
-
-on:
- push: - paths: - - 'ceremony/**' - - 'repository/**' - pull_request: - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 2 - - run: | - echo "REPO=$(pwd)/repository" >> $GITHUB_ENV - echo "CDN_REPO=https://tuf-repo-cdn.sigstore.dev" >> $GITHUB_ENV - echo "CDN_PREPROD_REPO=https://tuf-preprod-repo-cdn.sigstore.dev" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - curl -fsO https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem - - name: build - run: go build -o verify ./cmd/verify/ - - name: build - run: go build -o tuf -tags=pivkey ./cmd/tuf - - name: verify local published repository - run: ./verify repository --repository $REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify CDN remote published repository - run: ./verify repository --repository $CDN_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify CDN preprod remote published repository - run: ./verify repository --repository $CDN_PREPROD_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify staged ceremony changes - 
run: | - set -euo pipefail - export CHANGED=$(git diff --name-only HEAD^ HEAD ceremony/20* | grep ".*staged.*" | head -1) - echo "$CHANGED" - if [ -n "$CHANGED" ]; then - export REPO=$(echo "$CHANGED" | cut -d/ -f 1-2) - ./verify repository --repository "$REPO" --staged true - fi
