Closed jku closed 1 week ago
For the second one, https://github.com/sigstore/public-good-instance/pull/2269. Adding `publish` branch. I've left `main` since that will be needed if/once we sign using the managed KMS key.
Edit: Merged and applied
For the first, I don't believe any changes are needed, the restriction is for the repo, not the workflow:
`principalSet://iam.googleapis.com/projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/sigstore/root-signing`
Signing running off main should also be fine, with the WLI pool condition `assertion.ref == "refs/heads/main" && assertion.ref_type == "branch"`
Closing as complete.
Part of #1247: Make sure GCP allows tuf-on-ci to work
CC @haydentherapper let's review that this is all going to work