Review GCP configuration for tuf-on-ci
Closed this issue · 3 comments
jku commented
Part of #1247: Make sure GCP allows tuf-on-ci to work
- online-sign workflow runs on the main branch and needs access to this key/account (the same one used by current workflows)
- SA: github-actions@sigstore-root-signing.iam.gserviceaccount.com
- provider: projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
- key: projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp
- online-sign dispatches the publish workflow which calls deploy-to-gcs workflow which uses gcloud with this account (the same one used by current workflows):
- SA: tuf-gha@project-rekor.iam.gserviceaccount.com
- provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
CC @haydentherapper let's review that this is all going to work
haydentherapper commented
For the second one, https://github.com/sigstore/public-good-instance/pull/2269. Adding publish branch. I've left main since that will be needed if/once we sign using the managed KMS key.
Edit: Merged and applied
haydentherapper commented
For the first, I don't believe any changes are needed, the restriction is for the repo, not the workflow
principalSet://iam.googleapis.com/projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/sigstore/root-signing
Signing running off main should also be fine, with the WLI pool condition assertion.ref == "refs/heads/main" && assertion.ref_type == "branch"
haydentherapper commented
Closing as complete.