tuf-on-ci migration preparation #1250
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* remove obsolete revocation/revocation.list and rekor.0.pub: Neither is included in current metadata * add registry.npmjs.org/keys.json: This file is included in the current metadata targets/ now matches the files in repository/repository/targets (apart from trusted_root.json that has been modified in targets/ after the last signing event). Signed-off-by: Jussi Kukkonen <[email protected]>
This script sets up the tuf-on-ci repository so that the initial signing event can be run. Signed-off-by: Jussi Kukkonen <[email protected]>
Same name is used in tuf-on-ci workflows: I would rather rename this one since the tuf-on-ci workflow is used with workflow_call so referenced in other workflows Signed-off-by: Jussi Kukkonen <[email protected]>
These are direct copies from root-signing-staging: the required changes are done in separate commits to make them visible. Signed-off-by: Jussi Kukkonen <[email protected]>
Workflows were copied from staging. Modify them for production: * Tweak PR and issue templates * test workflows require URL changes (and some variable name changes) * test workflows also get a new step where initial root is defined (as python-tuf does not consider root < 5 to be valid) * deploy-to-gcs was modified so the gcloud details are internal to the workflow (since in prod it's a separate gcloud project/account, not the "tuf-on-ci online signing accout") Signed-off-by: Jussi Kukkonen <[email protected]>
* Disable all scheduled runs * Additionally remove publishing to GCS completely for now Signed-off-by: Jussi Kukkonen <[email protected]>
These are likely not complete (e.g. key generation is under-documented). Signed-off-by: Jussi Kukkonen <[email protected]>
This was just added in root-signing-staging so was not in the initial copy. Signed-off-by: Jussi Kukkonen <[email protected]>
import-config.json is used as argument to tuf-on-ci-import-repo, it includes: * offline role expiry and signing periods to set in metadata * keyowners or online signing key identifiers for existing keys * snapshot key is left with placeholder value: it (along with online expiry and signing periods) is expected to be modified with a tuf-on-ci-delegate call in the same signing event Signed-off-by: Jussi Kukkonen <[email protected]>
|
This is likely ready for first review... but it's big enough that I should really split it first. I will do that tomorrow |
|
closing, I've split this into three separate PRs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is still a draft, missing a few bits and a self-review still.
Prepare for migration to tuf-on-ci managed TUF repository
This is a bunch of separate changes that prepare for #929 . They are in a single PR since they should all be no-ops with regards to day-to-day operations for now: just laying out some foundations. I can split to separate PRs if there's demand for that. See individual commits for more rationale.
targets/content to match what repository artifacts should beThis is a part of #1247