Skip to content

TUF-on-CI online signing #1501

TUF-on-CI online signing

TUF-on-CI online signing #1501

Workflow file for this run

name: TUF-on-CI online signing
permissions: {}
on:
schedule:
- cron: '17 1,7,13,19 * * *'
push:
branches: [ main ]
paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
workflow_dispatch:
jobs:
online-sign:
runs-on: ubuntu-latest
permissions:
id-token: 'write' # for OIDC identity access
contents: 'write' # for commiting snapshot/timestamp changes
actions: 'write' # for dispatching publish workflow
steps:
- id: online-sign
uses: theupdateframework/tuf-on-ci/actions/online-sign@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
gcp_workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
update-issue:
runs-on: ubuntu-latest
needs: [online-sign]
if: always() && !cancelled()
permissions:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}