We've made an improvement inTUF-on-CI: in v0.6 signing events will happen in PRs instead of issues. This means the custom token requires an additional permission Pull requests: write.
The new token should be created for @sigstore-bot user and should be stored in repository secrets as TUF_ON_CI_TOKEN. It's ok to replace the existing secret at any time. The old token can be deleted.
Required permissions for sigstore/root-signing-staging are:
Actions: write to dispatch other workflows when needed
Contents: write to create online signing commits, and to create targets metadata change commits in signing event
Issues: write to create issues on workflow failures
Pull requests: write to create and modify signing event pull requests
We've made an improvement inTUF-on-CI: in v0.6 signing events will happen in PRs instead of issues. This means the custom token requires an additional permission
Pull requests: write.The new token should be created for @sigstore-bot user and should be stored in repository secrets as TUF_ON_CI_TOKEN. It's ok to replace the existing secret at any time. The old token can be deleted.
Required permissions for sigstore/root-signing-staging are:
Actions: writeto dispatch other workflows when neededContents: writeto create online signing commits, and to create targets metadata change commits in signing eventIssues: writeto create issues on workflow failuresPull requests: writeto create and modify signing event pull requestsAssigning bob as the first approximation.