Sync to prod unexpectedly occurred

[haydentherapper]

Description

This morning, we merged a root signing event.

• As expected, first, a script kicked off to sync main to the GCS preprod bucket since a push occurred updating root.json - https://github.com/sigstore/root-signing/actions/runs/8347556788
• As expected, a script kicked off to sync main to both the GCS preprod and prod buckets since a push occurred updating timestamp.json or snapshot.json - https://github.com/sigstore/root-signing/actions/runs/8347556789
  • The purpose of this script is to automatically push timestamp/snapshot updates to prod, while not updating prod during a root signing, so that we can manually test.
  • Unexpectedly, the script ran. The script is supposed to exit if more than just the timestamp or snapshot is updated.

Here is the check. We diff what's in repository/repository (which should contain the updated metadata) and in gcs://sigstore-tuf-root, and if any file names are not timestamp.json, snapshot.json, or 0-9.snapshot.json, exit 0.

I tested this locally and it seems to work, exiting since a non-ts/snapshot file was updated.

@lkatalin @kommendorkapten @jku if you have any ideas on why this succeeded? If you have any suggestions on how to simplify this too, let's do that.

[lkatalin]

Hm. It looks like it did detect a least one non-snapshot/non-timestamp file correctly to trigger the exit condition: https://github.com/sigstore/root-signing/actions/runs/8347556789/job/22847432435#step:7:197

It just didn't actually exit, despite the next line being exit 0.

[haydentherapper]

Ah good catch, didn't see that line. Does it have to be exit 1 instead?

[lkatalin]

It looks like exit 1 should work, based on the docs I'm finding. I'm trying to think of a good way to test this, though.

[lkatalin]

I did a few tests of exit codes with GHA and it seems like non-zero exit codes do work properly. PR here to fix this bug: #1180