-
Notifications
You must be signed in to change notification settings - Fork 81
40 lines (35 loc) · 1.41 KB
/
online-sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: TUF-on-CI online signing
permissions: {}
on:
schedule:
- cron: '17 1,7,13,19 * * *'
push:
branches: [main]
paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
workflow_dispatch:
jobs:
online-sign:
runs-on: ubuntu-latest
permissions:
id-token: 'write' # for OIDC identity access
contents: 'write' # for commiting snapshot/timestamp changes
actions: 'write' # for dispatching publish workflow
steps:
- id: online-sign
uses: theupdateframework/tuf-on-ci/actions/online-sign@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
gcp_workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
gcp_service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com'
update-issue:
runs-on: ubuntu-latest
needs: [online-sign]
if: always() && !cancelled()
permissions:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}