Add Pages publishing to root-signing-staging

[jku]

This requires support for "workflow" build type (see sigstore/github-sync#122)

[github-actions]

🍹 preview on sigstore-github-sync/sigstore/github-prod

Pulumi report

Previewing update (sigstore/github-prod)

View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/86807b23-9d88-4941-a3f4-13c659ec9f3d

@ Previewing update....
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod]
@ Previewing update....
~ github:index/repository:Repository: (update) 🔒
    [id=root-signing-staging]
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repository:Repository::root-signing-staging]
  + pages: {
      + buildType : "workflow"
    }
- github:index/organizationCustomRole:OrganizationCustomRole: (delete)
    [id=13311]
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/organizationCustomRole:OrganizationCustomRole::write-with-bypass]
    baseRole   : "write"
    description: "write role with an additional permission to bypass branch protection"
    name       : "write-with-bypass-3d9b256"
    permissions: [
        [0]: "bypass_branch_protection"
    ]
Resources:
~ 1 to update
- 1 to delete
2 changes. 574 unchanged

[bobcallaway]

hmm, this shows no pending changes, i guess this is to be expected?

[jku]

hmm, this shows no pending changes, i guess this is to be expected?

It is weird... Because I used to have this configured manually in root-signing-staging but the previous "pulumi up" from this repo undid my manual changes. So I did expect this to do changes.

[jku]

hmm, this shows no pending changes, i guess this is to be expected?

Actually, I think my github-sync patch is missing the line that applies the changes.

Marking draft for now, thanks for double checking

[jku]

Added a further fix in github-sync: sigstore/github-sync#123

EDIT: fix is now in, thanks Hayden.

I can't re-run the preview so I will try close-reopen (that usually retriggers checks)

[jku]

Ok, preview looks pretty good now.

(the custom role removal is just because this branch is not based on tip of current tree and is missing #395). That looks totally correct to me but I can rebase if requested.

[jku]

the actual run is still unsuccessful because of the custom role not working: #400 will unblock