Revert "Signing event: sign/migration"

.github/workflows/lint.yml → .github/workflows/ci-test.yml

@@ -13,13 +13,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Lint
+name: CI Test
 
 on:
   push:
+    paths-ignore:
+      - 'ceremony/**'
   pull_request:
+    paths-ignore:
+      - 'ceremony/**'
 
 jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        with:
+          version: v1.59
+
   yamllint:
     runs-on: ubuntu-latest
     steps:
@@ -47,6 +65,40 @@ jobs:
         with:
           actionlint_flags: -color -shellcheck=
 
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+      - name: install deps
+        run: |
+          sudo apt-get install libpcsclite-dev
+      - name: Test
+        run: go test -tags=pivkey -v ./...
+      - name: Ensure no files were modified as a result of the build
+        run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+      - name: install deps
+        run: |
+          sudo apt-get install libpcsclite-dev
+      - name: build verification
+        run: go build -o verify ./cmd/verify/
+      - name: build TUF script
+        run: go build -o tuf -tags=pivkey ./cmd/tuf
+      - name: build test script
+        run: go build -o keygen -tags=pivkey ./tests/keygen
+
   shellcheck:
     name: Shellcheck
     runs-on: ubuntu-latest

.github/workflows/cosign-test.yml

@@ -0,0 +1,48 @@
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Cosign tests
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - 'repository/**'
+  pull_request:
+
+jobs:
+  validate:
+    env:
+      COSIGN_EXPERIMENTAL: "true"
+    runs-on: ubuntu-latest
+    steps:
+      # Install cosign
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      # Set up a repository server with python
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '3.x'
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 2
+      - run: |
+          cd repository/repository/
+          python -m http.server 8001 &
+          echo "REPO=http://localhost:8001" >> $GITHUB_ENV
+
+      # Test cosign initialize
+      - name: cosign initialize on published repository
+        run: cosign initialize --mirror http://localhost:8001

.github/workflows/create-signing-events.yml

@@ -1,8 +1,9 @@
 name: TUF-on-CI create Signing events
 
 on:
-  schedule:
-    - cron: '17 1,7,13,19 * * *'
+  # disabled during migration
+  #schedule:
+  #  - cron:  '17 1,7,13,19 * * *'
   workflow_dispatch:
 
 permissions: {}

.github/workflows/delegation-pop-verify.yml

@@ -0,0 +1,54 @@
+#
+# Copyright 2023 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Verify POP for a delegation
+
+on:
+  pull_request:
+    branches:
+      - 'ceremony/**'
+      - 'test-ceremony/**'
+      - 'test-delegation/**'
+
+jobs:
+  verify:
+    if: ${{ startsWith(github.event.pull_request.title, 'feat/add-delegation for ') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'write'
+      pull-requests: 'read'
+    env:
+      GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: Setup go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+
+      - name: Install deps
+        run: sudo apt-get install libpcsclite-dev
+
+      - name: build
+        run: make tuf
+
+      - name: Verify POP
+        run: .github/workflows/scripts/dpop-wrapper.sh "${{ github.event.pull_request.title }}"

.github/workflows/initialize.yml

@@ -0,0 +1,161 @@
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Stage a new root and targets on a new branch
+
+permissions: read-all
+
+# Execute this ONLY as workflow dispatch.
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'The branch to stage changes against, generally ceremony/YYYY-MM-DD'
+        required: true
+        type: string
+      revoke_key:
+        description: 'If provided, revokes the given HSM key, identified by the serial number'
+        required: false
+        type: string
+      repo:
+        description: 'The repository in which to stage a new root and targets'
+        required: false
+        default: repository
+        type: string
+      draft:
+        description: 'Use for testing; creates a draft pull request'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  check_branch:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: Check if remote branch exists
+        env:
+          BRANCH: ${{ inputs.branch }}
+        run: |
+          branch_exists=$(git ls-remote --heads origin ${BRANCH})
+
+          if [[ -z ${branch_exists} ]]; then
+            echo "Staging root branch ${BRANCH} does not exist: has a maintainer created one?"
+            exit 1
+          fi
+
+  init_root:
+    runs-on: ubuntu-latest
+    needs: check_branch
+    permissions:
+      id-token: 'write'
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control
+      - name: setup environment
+        run: |
+          echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV
+          echo "SNAPSHOT_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot" >> $GITHUB_ENV
+          echo "TIMESTAMP_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" >> $GITHUB_ENV
+          echo "REPO=${{ inputs.repo }}" >> $GITHUB_ENV
+          echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV
+          # Note: we set LOCAL=1 because we manually push the changes in the next job.
+          echo "LOCAL=1" >> $GITHUB_ENV
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+      # Setup OIDC->SA auth for signing with KMS
+      - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+        id: auth
+        with:
+          token_format: 'access_token'
+          workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+          service_account: '[email protected]'
+          create_credentials_file: true
+      - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+        with:
+          project_id: sigstore-root-signing
+      - name: Login
+        run: |
+          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
+          gcloud auth list
+
+      # Initialize the new root and targets layout
+      - name: step 0
+        # Note that we are already in a git repository and are manually pushing changes with the job below
+        # so we can simply build the TUF binary and bypass git setup in step 0.
+        run: |
+          sudo apt-get install libpcsclite-dev
+          go build -o tuf -tags=pivkey ./cmd/tuf
+      - name: step 1.5
+        run: |
+          ./scripts/step-1.5.sh ${{ inputs.revoke_key }}
+      - name: Upload new repository
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        with:
+          name: ${{ inputs.repo }}
+          path: ${{ inputs.repo }}
+          retention-days: 5
+
+  push:
+    needs: init_root
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: 'write'
+      contents: 'write'
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ inputs.branch }}
+          fetch-depth: 0
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.repo }}
+          path: ${{ inputs.repo }}
+      # Detect new version and expiration to add to the PR description.
+      - name: Detect new version
+        env:
+          REPO: ${{ inputs.repo }}
+        run: |
+          # Detects the new root version.
+          VERSION=$(cat ${REPO}/staged/root.json | jq -r '.signed.version')
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      # Create commits
+      - name: Create commits
+        env:
+          REPO: ${{ inputs.repo }}
+        run: |
+          # Set identity.
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub"
+
+          git checkout -b init-root-targets
+          # Commit the REPO changes
+          git add ${REPO}
+          git commit -s -m "Add staged repository metadata"
+          git push origin HEAD
+
+      # Open pull request changes. Use the fine-grained PAT in order to trigger presubmits.
+      - name: create pull request
+        env:
+          DRAFT: ${{ inputs.draft && '-d' || '' }}
+        run:
+          GH_TOKEN=${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} gh pr create -B ${{ inputs.branch }} -H init-root-targets -t "Update Root and Targets to version ${{ env.VERSION }}" -b "Initializes a new root and targets to version ${{ env.VERSION }}" ${DRAFT} -r bobcallaway -r haydentherapper -r kommendorkapten

.github/workflows/online-sign.yml

@@ -3,11 +3,12 @@
 permissions: {}
 
 on:
-  schedule:
-    - cron: '17 1,7,13,19 * * *'
-  push:
-    branches: [main]
-    paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
+  # disabled during migration
+  #schedule:
+  #  - cron:  '17 1,7,13,19 * * *'
+  #push:
+  #  branches: [ main ]
+  #  paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
   workflow_dispatch:
 
 jobs: