Closed github-actions[bot] closed 3 months ago
I think this is an expected failure in the sense that the workflow run happened in the ceremony branch where it does not have permissions on GCP (see https://github.com/sigstore/root-signing/issues/984).
I don't know how "preprod" is meant to be deployed though: @kommendorkapten I assume you handle this one (once the client test issues are sorted)?
@jku yes, I take a look once we are ready. We did change how this worked a while ago (but after the last signing ceremony I believe) so there may be some issues with it.
Confirming the issue is that https://github.com/sigstore/root-signing/blob/refs/heads/ceremony/2024-03-12/.github/workflows/sync-ceremony-to-main.yml is running from a branch and trying to sync to the preprod bucket, when we don't allow workload impersonation from non-main branches. Thinking out loud, rather than syncing from a ceremony branch, when we push an update to the root metadata, we should sync the entire repository/* folder to preprod.
https://github.com/sigstore/root-signing/pull/1170/ should fix this. This splits the workflow into two:
root.json
file. Technically this doesn't cover only updating the target file, but a) we've never done that, b) if we're getting all keyholders together, we'd update the root too, c) this will all get simplified with tuf-on-ci. This workflow pushes the repository/repository/** contents to main.Note the two other workflows, which are unchanged:
Workflow run failed for 'Sync Published Ceremony Branch to Main and Preprod'.
Run: https://github.com/sigstore/root-signing/actions/runs/8261650990 Workflow: https://github.com/sigstore/root-signing/blob/refs/heads/ceremony/2024-03-12/.github/workflows/sync-ceremony-to-main.yml Workflow runs: https://github.com/sigstore/root-signing/actions/workflows/sync-ceremony-to-main.yml Trigger: push on refs/heads/ceremony/2024-03-12 Date: 2024-03-13T08:32:12Z