Approval for installing Octo STS in Sigstore GitHub organization

[codysoyland]

Question

I am seeking permission to install the Octo STS GitHub App in the Sigstore GitHub organization, to enable the following workflows:

• Add workflow to synchronize go mod changes with submodules sigstore-go#314
• Add workflow to synchronize go dependencies in submodules sigstore#1866

This app can be used to replace PATs used within the Sigstore organization, simplifying maintenance burden and improving security.

The alternative to this is to use PATs for the above workflows.

I have already updated the first (sigstore-go) workflow to use octo-sts, and I have successfully demonstrated this working on a private organization.

[haydentherapper]

cc @jku who had looked into PATs vs apps for tuf-on-ci

[cpanato]

when we install the App we can select only the repos we want for now

+1 to have this! :D

[hectorj2f]

+1

[jku]

I think the idea is far better than other options so far: +1.

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

[codysoyland]

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

I was wondering about this too as I wrote this policy. I didn't find any more docs but I located the source code that compiles and checks the policy here.

[cpanato]

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

I was wondering about this too as I wrote this policy. I didn't find any more docs but I located the source code that compiles and checks the policy here.

i will add some examples, thanks for the feedback