Closed jku closed 4 weeks ago
I have a rough POC with markdown in https://github.com/jku/tuf-on-ci/tree/markdown-description. I think I'd prefer HTML but this was so quick to write that I did it. It currently produces the following content for this repository (apologies to signers for unnecessary pings):
Signers
| Role | required # of signatures | Signers |
| --- | --- | --- |
| root | 2 | @jku, @kommendorkapten, @joshuagl, @mnm678 |
| timestamp | 1 | online key |
| snapshot | 1 | online key |
| targets | 1 | @jku, @kommendorkapten, @joshuagl, @mnm678 |
| registry.npmjs.org | 1 | @jku |
possible downsides:
this will likely require enabling markdown on GitHub Pages (I think adding a `_config.yml` file to git is enough)
I was not able to do this. Maybe it's possible but I can't figure it out
I think GH pages requires pushing to git, but it doesn't need to be your main branch or even a branch with similar contents to main. IIRC default configuration is to have a gh-pages branch, or similar, where the contents for the pages are stored.
tuf-on-ci uses "GitHub Actions" as source instead of "Deploy from branch" (and I won't change that, the branch method is just insane). Your comment did make me try a fresh project from scratch and the proposed template does this before uploading to pages:
```yaml
uses: actions/jekyll-build-pages@v1
with:
  source: ./
  destination: ./_site
```
that looks promising. Would be nice to get this as documentation instead of having to create new projects to find out but this works...
That actually pretty much worked: https://jku.github.io/tuf-on-ci-sigstore-test/metadata/
The downside of "rendering" on the server is that the description cannot say things like "signing event starts in 2 days" (and guarantee that it stays updated) - a javascript solution could.
See https://jku.github.io/tuf-on-ci-sigstore-test/metadata/ for current example
Initial version is in tuf-on-ci now, we should get it in the next release
First version of this is now live:
Two issues remain for the actual sigstage repository:
both have the same underlying reason: jekyll writes links as absolute so changing the "root" location from `/root-signing-staging/` in staging-preprod to `/` in staging breaks the links.
A workaround for the json links has been merged in tuf-on-ci.
I'll modify the README to link to the description and will close this issue.
Production root-signing relies on documentation that's manually kept up-to-date to list who the root signers are, what delegations exist, which artifacts the repository contains etc. This has significant downsides and I'd like to avoid this manual work.
It's completely reasonable to expect the tooling to automatically describe important repository details in a way that is always up-to-date and readable in a browser. Some options:
`tuf-on-ci-build-repository` where some static docs (markdown or html) are produced and then published alongside the repository
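An added example (not tuf-on-ci's own code) of the kind of generated description requested above: it builds the signers table from the signed portions of root and targets metadata and refuses to render a role whose threshold cannot be met. The metadata is constructed, and the `x-owner` key field and the rule that a key without it is an online key are assumptions.

```python
# Added example: render a signers table from TUF metadata (constructed input).
OWNER_FIELD = "x-owner"  # hypothetical custom key field holding the signer's handle

def key(owner=None):
    # Constructed key entry; real entries also carry keytype/scheme/keyval.
    return {OWNER_FIELD: owner} if owner else {}

ROOT = {  # constructed "signed" part of root.json
    "keys": {"k1": key("@jku"), "k2": key("@kommendorkapten"),
             "k3": key("@joshuagl"), "k4": key("@mnm678"), "k5": key()},
    "roles": {
        "root": {"keyids": ["k1", "k2", "k3", "k4"], "threshold": 2},
        "timestamp": {"keyids": ["k5"], "threshold": 1},
        "snapshot": {"keyids": ["k5"], "threshold": 1},
        "targets": {"keyids": ["k1", "k2", "k3", "k4"], "threshold": 1},
    },
}
TARGETS = {  # constructed "signed" part of targets.json
    "delegations": {
        "keys": {"k1": key("@jku")},
        "roles": [{"name": "registry.npmjs.org", "keyids": ["k1"], "threshold": 1}],
    },
}

def row(name, role, keys):
    keyids = list(dict.fromkeys(role["keyids"]))  # de-duplicate, keep order
    missing = [k for k in keyids if k not in keys]
    if missing:
        raise ValueError(f"{name}: unknown keyids {missing}")
    # A threshold above the number of distinct keys can never be satisfied.
    if not 1 <= role["threshold"] <= len(keyids):
        raise ValueError(f"{name}: threshold {role['threshold']} cannot be met")
    # Assumption: a key without the owner field is the repository's online key.
    owners = dict.fromkeys(keys[k].get(OWNER_FIELD, "online key") for k in keyids)
    return f"| {name} | {role['threshold']} | {', '.join(owners)} |"

def describe(root, targets):
    lines = ["| Role | required # of signatures | Signers |", "| --- | --- | --- |"]
    lines += [row(n, r, root["keys"]) for n, r in root["roles"].items()]
    deleg = targets.get("delegations") or {}
    lines += [row(r["name"], r, deleg.get("keys", {})) for r in deleg.get("roles", [])]
    return "\n".join(lines)

if __name__ == "__main__":
    print(describe(ROOT, TARGETS))
```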