Closed jku closed 4 months ago
Production variables look like this:
workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
service_account: 'github-actions@projectsigstore-staging.iam.gserviceaccount.com'
Here the values are in GitHub actions variables but otherwise used similarly:
GCP_WORKLOAD_IDENTITY_PROVIDER: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
GCP_SERVICE_ACCOUNT: tuf-gha@projectsigstore-staging.iam.gserviceaccount.com
So the service account is different but it looks correct.
Oh the workload identity principal is: principal://iam.googleapis.com/projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/subject/repo:sigstore/root-signing-staging:ref:refs/heads/main
I think the issue is that we're likely not running on "refs/heads/main" (although I don't know exactly where google-github-actions/auth gets that value -- I assume some field in the JWT)
Longer term we could try to change that in tuf-on-ci if that's an issue... The original idea behind this was
refs/heads/publish
: it's always safe to re-publish at any time from that branch (unlike main that could be unpublishable)publish
and expect to get the commit we just pushed (and we can't just wait for the push event because that doesn't trigger when using the default GH token)ref
argument which is set to the specific commit revision when the workflow is dispatched (note that dispatch still happens on "publish")So my assumption here is that the ref in the workload identity principal is the ref the workflow runs on: This should be "publish" at the moment (see https://github.com/theupdateframework/tuf-on-ci/blob/main/actions/online-sign/action.yml#L90) .
Options:
refs/heads/publish
to approved refs in the GCP workload id principal: "publish" is a protected branch so should be just as safe as refs/heads/main
Based on discussion with @kommendorkapten I'm leaning towards option 2 if that's feasible.
Option (2) is in https://github.com/sigstore/public-good-instance/pull/2118.
I would like to hear more about the design choice to publish from a different branch than main. Is the concern that main ends up with invalid metadata?
Applied 2118. We can follow up later if we want to change the ref later.
I would like to hear more about the design choice to publish from a different branch than main. Is the concern that main ends up with invalid metadata?
I tried to do that in a comment above:
This one seems to work, debugging continues in #67
This the cause of #63 which is a publish failure after the GCS publishing was first enabled: https://github.com/sigstore/root-signing-staging/actions/runs/8152961297/job/22283469446