Closed kommendorkapten closed 1 year ago
> I would suggest we remove that functionality, as if the signature verification is failing, the workflow fails and that is clearly visible in the PR.
I would likely suggest this.
If we get to the point of fully automating this and want a "review workflow" similar to snapshot/timestamp, then I think it's best as a scheduled cron instead of a trigger on pull request, right?
Agreed!
I can prepare a PR later today that removes the functionality that adds a comment.
Description
See https://github.com/sigstore/root-signing/pull/742
The POP verification flow fails, as it can't get access to a secret which is needed to post a comment back to the PR that the verification was successful (pull requests don't have access to secrets): https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#accessing-secrets
I would suggest we remove that functionality, as if the signature verification is failing, the workflow fails and that is clearly visible in the PR.
Options to work around this:

- `pull_request_target`: could work, but this is probably complicated and not safe, as secrets may be stolen if we manage to get it to work.

cc @asraa @cpanato
Version
main
as of today, 2023-03-22
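As an added illustration (not the root-signing project's own workflow, which lives in the PR linked above), a hypothetical `pull_request`-triggered workflow showing the pattern the issue describes removing and the variant proposed instead: run the verification and let the job's exit status report the result, with no comment step and therefore no secret. The workflow name, job name and script path `./scripts/verify-pop.sh` are assumptions.

```yaml
# Hypothetical workflow, added for illustration only.
name: verify-pop

on:
  pull_request:

# Verification needs no write scope; keep the token read-only.
permissions:
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Verify proof-of-possession signatures
        # Hypothetical script. A non-zero exit fails the job, and the
        # failed check is visible on the PR without posting a comment.
        run: ./scripts/verify-pop.sh

      # The step below is the one the issue proposes removing. For PRs
      # opened from forks, `secrets.*` are not available in a
      # `pull_request` run, so this step fails even after a successful
      # verification. Switching the trigger to `pull_request_target`
      # would expose the secret, but that event runs in the base
      # repository's context, so checking out and executing PR head
      # code there would let a PR author read the secret.
      #
      # - name: Comment success on PR
      #   env:
      #     GH_TOKEN: ${{ secrets.COMMENT_TOKEN }}   # hypothetical secret
      #   run: gh pr comment "${{ github.event.pull_request.number }}" --body "Verification succeeded"
```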