sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

[bug]: Workflow failure 'Sync Published Ceremony Branch to Main and Preprod' #1165

Closed github-actions[bot] closed 3 months ago

github-actions[bot] commented 3 months ago

Workflow run failed for 'Sync Published Ceremony Branch to Main and Preprod'.

Run: https://github.com/sigstore/root-signing/actions/runs/8261650990
Workflow: https://github.com/sigstore/root-signing/blob/refs/heads/ceremony/2024-03-12/.github/workflows/sync-ceremony-to-main.yml
Workflow runs: https://github.com/sigstore/root-signing/actions/workflows/sync-ceremony-to-main.yml
Trigger: push on refs/heads/ceremony/2024-03-12
Date: 2024-03-13T08:32:12Z

jku commented 3 months ago

I think this is an expected failure in the sense that the workflow run happened in the ceremony branch where it does not have permissions on GCP (see https://github.com/sigstore/root-signing/issues/984).

I don't know how "preprod" is meant to be deployed though: @kommendorkapten I assume you handle this one (once the client test issues are sorted)?

kommendorkapten commented 3 months ago

@jku yes, I'll take a look once we are ready. We did change how this worked a while ago (but after the last signing ceremony, I believe), so there may be some issues with it.

haydentherapper commented 3 months ago

Confirming the issue is that https://github.com/sigstore/root-signing/blob/refs/heads/ceremony/2024-03-12/.github/workflows/sync-ceremony-to-main.yml is running from a branch and trying to sync to the preprod bucket, when we don't allow workload impersonation from non-main branches. Thinking out loud, rather than syncing from a ceremony branch, when we push an update to the root metadata, we should sync the entire repository/* folder to preprod.
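As an added illustration of the shape described above (this is not the repository's own workflow nor the change in the linked PR), a sync job that is triggered only by pushes to `main` touching `repository/`, so the GCP workload identity binding restricted to the main branch can be used. The project number, pool, provider, service account and bucket names are placeholders.

```yaml
# Added example: sync the whole repository/ tree to the preprod bucket,
# but only from main, where workload identity impersonation is permitted.
name: Sync repository to preprod

on:
  push:
    branches: [main]          # never runs from a ceremony/* branch
    paths:
      - 'repository/**'       # only when published TUF metadata changes

permissions:
  contents: read
  id-token: write             # required to mint the OIDC token for WIF

jobs:
  sync-preprod:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The WIF provider on the GCP side should carry an attribute condition
      # such as assertion.ref == 'refs/heads/main' so tokens minted from
      # other refs are rejected even if a workflow there tries to use them.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER'  # placeholder
          service_account: 'SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com'  # placeholder

      - uses: google-github-actions/setup-gcloud@v2

      - name: Sync repository/ to the preprod bucket
        run: gsutil -m rsync -r repository/ gs://PREPROD_BUCKET/   # placeholder bucket
```

The `paths` filter means a push to `main` that does not change anything under `repository/` does nothing, which matches "when we push an update to the root metadata".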

haydentherapper commented 3 months ago

https://github.com/sigstore/root-signing/pull/1170/ should fix this. This splits the workflow into two:

Note the two other workflows, which are unchanged: