Review GCP configuration for tuf-on-ci

[jku]

Part of #1247: Make sure GCP allows tuf-on-ci to work

• online-sign workflow runs on the main branch and needs access to this key/account (the same one used by current workflows)
  • SA: [email protected]
  • provider: projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
  • key: projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp
• online-sign dispatches the publish workflow which calls deploy-to-gcs workflow which uses gcloud with this account (the same one used by current workflows):
  • SA: [email protected]
  • provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider

CC @haydentherapper let's review that this is all going to work

[haydentherapper]

For the second one, https://github.com/sigstore/public-good-instance/pull/2269. Adding publish branch. I've left main since that will be needed if/once we sign using the managed KMS key.

Edit: Merged and applied

[haydentherapper]

For the first, I don't believe any changes are needed, the restriction is for the repo, not the workflow

• principalSet://iam.googleapis.com/projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/sigstore/root-signing

Signing running off main should also be fine, with the WLI pool condition assertion.ref == "refs/heads/main" && assertion.ref_type == "branch"

[haydentherapper]

Closing as complete.