haydentherapper
commented
1 year ago This doesn't solve the issue for the conformance suite since it would still want to run against production, correct? Unless they're ok with some instability brought on by staging (it is rarely down, but there is a higher risk and no SLO). Long term, I would love more environments, each with their own root of trust of course:
- Staging would be bleeding edge with deployments from HEAD
- Preprod would be like current staging where we'd stage production releases
- Prod-qual would match the production environment but explicitly be for testing, and in this environment, we could have a more permissive IDP
The Sigstore conformance test suite needs access to some OIDC token to run its tests (which run against Sigstore staging, and include OIDC-based signing flows). GHA (quite sensibly) prohibits access to OIDC tokens for PRs coming from third parties who are not trusted maintainers. However, this means that if we want to use GitHub Actions OIDC (which seems natural, given that our tests run on GHA), only maintainers can run the test suite pre-merge. This could lead to a lot of breakage.
The terrible hack that we've figured out is the extremely dangerous public OIDC beacon: a repo which runs a scheduled workflow that just posts a currently-valid GHA OIDC token for the repo in a public place. This is probably okay, given that nobody should be relying on a token from that repo. But it is a pretty gross hack.
Testing would be a lot easier of Sigstore supported something like justtrustme.dev—an OIDC identity provider that just issues tokens with any subject (or indeed, any claim you want) to anybody who asks. This was created by @eddiezane for demo purposes and comes with no uptime guarantees, but anecdotally appears to work pretty well. Something like this would meet our testing needs, though if we do depend on such a service we should probably run it ourselves under the Sigstore org. justtrustme is open source so that's an option.