sigstore / community

General sigstore community repo
Apache License 2.0

root-signing: Prepare for tuf-on-ci migration #451

Closed jku closed 4 weeks ago

jku commented 1 month ago

As part of https://github.com/sigstore/root-signing/issues/1247 root-signing requires some project setting changes:

CC @kommendorkapten @haydentherapper

github-actions[bot] commented 1 month ago

:tropical_drink: preview on sigstore-github-sync/sigstore/github-prod

Pulumi report

```
Previewing update (sigstore/github-prod)

View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/a42bd7d1-9f71-4779-a3a8-80a663cda011

@ Previewing update....
    pulumi:pulumi:Stack: (same)
        [urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod]
@ Previewing update....
    ~ github:index/repository:Repository: (update) 🔒
        [id=root-signing]
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repository:Repository::root-signing]
        [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_1::c4864a06-f2c2-4a7a-b9b8-d9a955761310]
      ~ allowMergeCommit: false => true
      ~ allowRebaseMerge: true => false
      ~ allowSquashMerge: true => false
      + description     : "TUF repository for Sigstore trust root"
    ~ github:index/branchProtection:BranchProtection: (update)
        [id=BPR_kwDOFotDCM4DA1RL]
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-main]
        [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_1::c4864a06-f2c2-4a7a-b9b8-d9a955761310]
      ~ requiredLinearHistory     : true => false
      ~ requiredPullRequestReviews: [
          ~ [0]: {
                  ~ dismissalRestrictions: [
                        [0]: "T_kwDOBDzYIc4AYVWd"
                      - [1]: "MDQ6VGVhbTQ4OTkzMDk="
                    ]
                  ~ pullRequestBypassers : [
                      + [0]: "MDQ6VXNlcjg2ODM3MzY5"
                    ]
                }
        ]
      ~ requiredStatusChecks      : [
          ~ [0]: {
                  ~ contexts: [
                      ~ [0]: "lint" => "DCO"
                      ~ [1]: "test" => "yamllint"
                      ~ [2]: "client" => "test"
                      ~ [3]: "DCO" => "lint"
                      - [4]: "yamllint"
                      - [5]: "validate"
                    ]
                }
        ]
      ~ restrictPushes            : [
          ~ [0]: {
                  ~ pushAllowances: [
                      ~ [0]: "U_kgDOByoNQQ" => "T_kwDOBDzYIc4AYVWd"
                      ~ [1]: "T_kwDOBDzYIc4AYVWd" => "MDQ6VXNlcjg2ODM3MzY5"
                      ~ [2]: "MDQ6VGVhbTQ4OTkzMDk=" => "U_kgDOByoNQQ"
                      - [3]: "MDQ6VXNlcjg2ODM3MzY5"
                    ]
                }
        ]
    + github:index/branchProtection:BranchProtection: (create)
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-publish]
        [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_1::c4864a06-f2c2-4a7a-b9b8-d9a955761310]
        allowsDeletions              : false
        allowsForcePushes            : false
        enforceAdmins                : true
        lockBranch                   : false
        pattern                      : "publish"
        repositoryId                 : "MDEwOlJlcG9zaXRvcnkzNzgyMjU0MTY="
        requireConversationResolution: false
        requireSignedCommits         : false
        requiredLinearHistory        : false
        requiredPullRequestReviews   : [
            [0]: {
                dismissStaleReviews         : true
                dismissalRestrictions       : [
                    [0]: "T_kwDOBDzYIc4AYVWd"
                ]
                pullRequestBypassers        : [
                    [0]: "MDQ6VXNlcjg2ODM3MzY5"
                ]
                requireCodeOwnerReviews     : false
                requireLastPushApproval     : true
                requiredApprovingReviewCount: 1
                restrictDismissals          : true
            }
        ]
        requiredStatusChecks         : [
            [0]: {
                contexts: []
                strict  : false
            }
        ]
        restrictPushes               : [
            [0]: {
                blocksCreations: true
                pushAllowances : [
                    [0]: "T_kwDOBDzYIc4AYVWd"
                    [1]: "MDQ6VXNlcjg2ODM3MzY5"
                    [2]: "U_kgDOByoNQQ"
                ]
            }
        ]
Resources:
    + 1 to create
    ~ 2 to update
    3 changes. 585 unchanged
```
jku commented 1 month ago

The diff algorithm makes a mess of this one: it's hard to notice, e.g., that sigstore-keyholders is removed from pushRestrictions, but that is actually the case and it seems to be reflected in the Pulumi update.
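As an added example (not part of this thread or of the sigstore-github-sync code), the script below recomputes the root-signing-main pushAllowances change as a set difference instead of Pulumi's positional list diff, which is what makes the removed team visible at a glance. It decodes legacy base64 node IDs (the `04:Team…` / `04:User…` form) to classify them; the `T_`/`U_` prefix mapping used for the newer opaque IDs is an assumption.

```python
import base64
import re

# Constructed input: the pushAllowances lines for root-signing-main,
# copied from the Pulumi preview in the report above.
PUSH_ALLOWANCES_DIFF = """
~ [0]: "U_kgDOByoNQQ" => "T_kwDOBDzYIc4AYVWd"
~ [1]: "T_kwDOBDzYIc4AYVWd" => "MDQ6VXNlcjg2ODM3MzY5"
~ [2]: "MDQ6VGVhbTQ4OTkzMDk=" => "U_kgDOByoNQQ"
- [3]: "MDQ6VXNlcjg2ODM3MzY5"
"""

LINE_RE = re.compile(r'^([~+-])\s*\[\d+\]:\s*"([^"]*)"(?:\s*=>\s*"([^"]*)")?$')


def set_diff(diff_text):
    """Rebuild the before/after membership from Pulumi's positional diff
    and return (removed, added) as sorted lists of node IDs."""
    before, after = set(), set()
    for raw in diff_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised diff line: {raw!r}")
        op, old, new = m.groups()
        if op == "~":      # slot rewritten: old value existed, new value will exist
            before.add(old)
            after.add(new)
        elif op == "-":    # slot dropped: value only existed before
            before.add(old)
        else:              # op == "+": slot appended: value only exists after
            after.add(old)
    return sorted(before - after), sorted(after - before)


def node_kind(node_id):
    """Legacy GitHub node IDs are base64 of '<n>:<Type><number>'; for the
    newer opaque IDs fall back to the prefix (assumed: T_ = Team, U_ = User)."""
    try:
        decoded = base64.b64decode(node_id, validate=True).decode("ascii")
        m = re.fullmatch(r"\d+:([A-Za-z]+)\d+", decoded)
        if m:
            return m.group(1)
    except (ValueError, UnicodeDecodeError):
        pass
    return {"T_": "Team", "U_": "User"}.get(node_id[:2], "Unknown")


if __name__ == "__main__":
    removed, added = set_diff(PUSH_ALLOWANCES_DIFF)
    for label, ids in (("removed", removed), ("added", added)):
        print(label, [(i, node_kind(i)) for i in ids])
```

Run against the preview above it reports exactly one removed principal, the legacy Team node ID, and nothing added, which is the change the positional diff hides.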

haydentherapper commented 1 month ago

@jku Is this good to go?

jku commented 4 weeks ago

> @jku Is this good to go?

Yes, LGTM.

haydentherapper commented 3 weeks ago

This is now applied as of https://github.com/sigstore/community/actions/runs/9605680915