sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

Trigger preproduction sync only after merge to main #1170

Closed haydentherapper closed 6 months ago

haydentherapper commented 6 months ago

In #916, we restructured the sync scripts. As part of this, the sync to preprod after a ceremony completed would occur from the ceremony branch. We only allow workload impersonation (which is needed to push to GCS and update the CDN cache) from main, so this breaks.

To fix this, we simply split the workflow into two: The first triggers on a push to ceremony and creates a PR to merge to main. After merging from main and updating the root, we sync all contents from the repository directory.

I also removed the cron job because I don't think it's needed. Also updated documentation for post-merge steps.

Fixes https://github.com/sigstore/root-signing/issues/1165


haydentherapper commented 6 months ago

Had to rebase, ready to merge
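Why the sync failed from the ceremony branch, as an added example (not code from this PR or from the root-signing repository): it models the "impersonation only from main" restriction as a check over the `repository` and `ref` claims that a GitHub Actions OIDC token carries. The policy function, the ceremony branch name and the sample tokens are constructed assumptions; the real restriction is enforced in the cloud provider's configuration, which this page does not show.

```python
import base64
import json

ALLOWED_REPOSITORY = "sigstore/root-signing"  # repository named on this page
ALLOWED_REF = "refs/heads/main"               # impersonation is allowed from main only


def _segment(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(repository, ref):
    """Build a JWT-shaped sample; the signature segment is a dummy, not a real one."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"repository": repository, "ref": ref, "event_name": "push"}
    return ".".join([_segment(header), _segment(claims), "constructed"])


def read_claims(token):
    """Decode the payload segment only; signature verification is the verifier's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def may_impersonate(token):
    """Hypothetical policy: return (allowed, reason) for a workflow's OIDC token."""
    claims = read_claims(token)
    if claims.get("repository") != ALLOWED_REPOSITORY:
        return False, "repository not allowed"
    if claims.get("ref") != ALLOWED_REF:
        return False, "ref %s is not %s" % (claims.get("ref"), ALLOWED_REF)
    return True, "ok"


# Constructed samples: the pre-fix sync (ceremony branch) and the post-fix sync (main).
CEREMONY_PUSH = constructed_token("sigstore/root-signing", "refs/heads/ceremony/example")
MAIN_PUSH = constructed_token("sigstore/root-signing", "refs/heads/main")

if __name__ == "__main__":
    for name, tok in (("ceremony", CEREMONY_PUSH), ("main", MAIN_PUSH)):
        print(name, may_impersonate(tok))
```

A run triggered by a push to the ceremony branch carries that branch in `ref`, so the check denies it; the same sync job run after the merge carries `refs/heads/main` and passes.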