Open jku opened 3 weeks ago
Instead of the variables, we could just embed them directly in online-sign workflow if that's preferred (when I built this variable design I assumed they would be set by configuration-as-code...) in #1256
In fact I think I will do that: currently the variable would not be visible to project members in general and that feels wrong.
As part of #1247 I'd like to define a GH secret.
- Actions: write to dispatch other workflows when needed
- Contents: write to create online signing commits, and to create targets metadata change commits in signing events
- Issues: write to create issues for workflow failures
- Pull requests: write to create and modify signing event pull requests

Originally I was planning to also set two variables but that would only make sense if sigstore/github-sync would support them -- I will instead include them in the workflow in #1256:
github-actions@sigstore-root-signing.iam.gserviceaccount.com
projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider