Review GCP configuration for tuf-on-ci

jku commented 3 weeks ago

Part of #1247: Make sure GCP allows tuf-on-ci to work

online-sign workflow runs on the main branch and needs access to this key/account (the same one used by current workflows)
- SA: github-actions@sigstore-root-signing.iam.gserviceaccount.com
- provider: projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
- key: projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp
online-sign dispatches the publish workflow which calls deploy-to-gcs workflow which uses gcloud with this account (the same one used by current workflows):
- SA: tuf-gha@project-rekor.iam.gserviceaccount.com
- provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider

CC @haydentherapper let's review that this is all going to work

haydentherapper commented 3 weeks ago

For the second one, https://github.com/sigstore/public-good-instance/pull/2269. Adding publish branch. I've left main since that will be needed if/once we sign using the managed KMS key.

Edit: Merged and applied

haydentherapper commented 2 weeks ago

For the first, I don't believe any changes are needed, the restriction is for the repo, not the workflow

principalSet://iam.googleapis.com/projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/sigstore/root-signing

Signing running off main should also be fine, with the WLI pool condition assertion.ref == "refs/heads/main" && assertion.ref_type == "branch"

haydentherapper commented 1 week ago

Closing as complete.

sigstore / root-signing