Skip to content

Sync Published Ceremony Branch to Main and Preprod #7

Sync Published Ceremony Branch to Main and Preprod

Sync Published Ceremony Branch to Main and Preprod #7

#
# Copyright 2023 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This workflow is triggered when a ceremony branch is completed, and will:
# - Create a PR that merges the completed ceremony branch to main
# - Sync the ceremony branch to the GCS preprod bucket
name: Sync Published Ceremony Branch to Main and Preprod
# Declare default permissions as none.
permissions: {}
on:
schedule:
- cron: '0 */12 * * *' # every 12 hours
workflow_dispatch:
inputs:
branch:
description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD'
required: true
type: string
push:
# When any published repository metadata is changed on a ceremony/**
# branch.
branches:
- ceremony/**
paths:
- 'repository/repository/**'
jobs:
push:
if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron
permissions:
pull-requests: 'write'
contents: 'write'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
ref: ${{ github.event.repository.default_branch }}
- name: create pull request
uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
with:
github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }}
# Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch.
source_branch: ${{ inputs.branch || github.ref_name }}
destination_branch: ${{ github.event.repository.default_branch }}
pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}"
pr_body: "Merge ceremony branch to main"
pr_reviewer: asraa,dlorenc,haydentherapper,joshuagl,kommendorkapten
sync:
permissions:
id-token: 'write'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.20'
check-latest: true
- uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
with:
project_id: project-rekor
# Setup OIDC->SA auth
- uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
id: auth
with:
token_format: 'access_token'
workload_identity_provider: 'projects/237800849078/locations/global/workloadIdentityPools/root-signing-pool/providers/sigstore-root'
service_account: '[email protected]'
create_credentials_file: true
- name: Login
run: |
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth list
# sync
- name: sync
run: |
check_expiration() {
expiry=$(jq -r '.signed.expires' $1)
expires=$(date -d $expiry +%s)
current=$(date +%s)
if (( expires < current )); then
echo "Detected expired metadata file $1 at $expiry!"
exit 1
fi;
}
# Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded.
for f in $(ls repository/repository/ -I *timestamp.json)
do
# Check for expiration if this is a non-versioned metadata file.
# Versioned metadata like 1.root.json may be expired.
# TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that
# only old versioned metadata can be expired.
if [[ $f == [^0-9]*.json ]]; then
check_expiration repository/repository/$f
fi;
gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/
done
# Upload timestamp after checking latest timestamp expiration
check_expiration repository/repository/timestamp.json
gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/
# delete any files present in sigstore-preprod-tuf-root not in repository/repository
gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ .
diff -qr repository/repository sigstore-preprod-tuf-root | while read l; do
if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then
path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))")
gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path
fi;
done
if-failed:
runs-on: ubuntu-latest
needs: [sync]
permissions:
issues: 'write'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: sigstore/root-signing
if: always() && needs.sync.result == 'failure'
steps:
- name: Create issue on failure
uses: sigstore/sigstore-probers/.github/actions/create-issue@main
with:
issue_repository: sigstore/root-signing
issue_type: FAILURE