workflows: various CQA fixes (#1140)
* workflows: various CQA fixes

* README: fix minor doc errors
woodruffw authored Sep 24, 2024
1 parent a93adca commit 29905fe
Showing 10 changed files with 42 additions and 17 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -31,6 +31,8 @@ jobs:
runs-on: ${{ matrix.conf.os }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
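Review bot: `persist-credentials: false` is the right setting for a job that only reads the checkout, but the hunk does not show a job-level `permissions:` block, so the job token still carries whatever the repository default grants and remains reachable from any step through `${{ github.token }}` / `${{ secrets.GITHUB_TOKEN }}`. Pair this with `permissions: contents: read` at the job (or workflow) level so that disabling credential persistence is not the only control; the same applies to each of the other `persist-credentials: false` checkouts in this commit.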
Expand Down Expand Up @@ -88,6 +90,8 @@ jobs:

steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
2 changes: 2 additions & 0 deletions .github/workflows/conformance.yml
Expand Up @@ -12,6 +12,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
2 changes: 2 additions & 0 deletions .github/workflows/docs.yml
Expand Up @@ -10,6 +10,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
9 changes: 9 additions & 0 deletions .github/workflows/lint.yml
Expand Up @@ -11,6 +11,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
Expand All @@ -28,6 +30,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

# NOTE: We intentionally check `--help` rendering against our minimum Python,
# since it changes slightly between Python versions.
Expand All @@ -47,6 +51,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

# adapted from Warehouse's bin/licenses
- run: |
for fn in $(find . -type f -name "*.py"); do
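Review bot: `for fn in $(find . -type f -name "*.py"); do` (unchanged context in this hunk) word-splits and glob-expands the `find` output, so a path containing whitespace would be split into several `$fn` values and the file silently skipped by the license check; `find . -type f -name '*.py' -print0 | while IFS= read -r -d '' fn; do` is the robust form. Unrelated to the `persist-credentials: false` line added here, but worth fixing while the step is being touched.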
Expand All @@ -60,6 +67,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

# NOTE: We intentionally check test certificates against our minimum supported Python.
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
4 changes: 4 additions & 0 deletions .github/workflows/pin-requirements.yml
Expand Up @@ -36,6 +36,8 @@ jobs:
# NOTE: Needed for `git describe` below.
fetch-depth: 0
fetch-tags: true
# NOTE: Needed to push back to the repo.
persist-credentials: true

- name: Get latest tag
run: |
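Review bot: `persist-credentials: true` is already the checkout action's default, so this line documents intent rather than changing behaviour; the effect is that the job token is written into `.git/config` and is readable by every later step in the job, not only the push. An alternative that keeps the token out of the working tree is to leave `persist-credentials: false` and hand the token only to the push step, e.g. `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" ...` with `GITHUB_TOKEN: ${{ github.token }}` in that step's `env:`. Either way, the `# NOTE: Needed to push back to the repo.` comment should also say that the job needs `contents: write` (and `pull-requests: write` if it opens a PR), which is outside this hunk; the second checkout in this file has the same pattern.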
Expand Down Expand Up @@ -118,6 +120,8 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}
# NOTE: Needed to push back to the repo.
persist-credentials: true

- name: Reset remote PR branch
run: |
2 changes: 2 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -18,6 +18,8 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
3 changes: 2 additions & 1 deletion .github/workflows/requirements.yml
Expand Up @@ -29,11 +29,12 @@ jobs:
- name: Populate reference from context
if: ${{ env.SIGSTORE_REF == '' }}
run: |
echo "SIGSTORE_REF=${{ github.ref }}" >> "${GITHUB_ENV}"
echo "SIGSTORE_REF=${GITHUB_REF}" >> "${GITHUB_ENV}"
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.SIGSTORE_REF }}
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
name: Install Python ${{ matrix.python_version }}
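Review bot: replacing `${{ github.ref }}` with `${GITHUB_REF}` inside the `run:` block removes an expression expansion into the shell, which is the right fix; the remaining `${{ env.SIGSTORE_REF }}` uses in this hunk sit in `if:` and `with: ref:` and are not shell-interpolated, so they are fine. The hunk does not show where `SIGSTORE_REF` is populated when it is not empty; if it can come from a `workflow_dispatch` input, check the rest of the file for any other `run:` block that interpolates `${{ env.SIGSTORE_REF }}` or `${{ github.* }}` directly, since that would reintroduce the same pattern, and pass such values via `env:` and the shell variable instead.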
4 changes: 2 additions & 2 deletions .github/workflows/scorecards-analysis.yml
Expand Up @@ -8,8 +8,8 @@ on:
push:
branches: [ main ]

# Declare default permissions as read only.
permissions: read-all
# Clear default permissions.
permissions: {}

jobs:
analysis:
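Review bot: with the top-level `permissions:` cleared to `{}`, the `analysis` job must now declare its own permissions, and that block is outside the hunk. `ossf/scorecard-action` documents needing `security-events: write` to upload its SARIF and `id-token: write` to publish results, on top of `contents: read`; confirm the job sets those explicitly, otherwise the workflow fails on the first run after this change.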
15 changes: 8 additions & 7 deletions .github/workflows/staging-tests.yml
@@ -1,12 +1,5 @@
name: Staging Instance Tests

permissions:
# Needed to access the workflow's OIDC identity.
id-token: write

# Needed to create an issue, on failure.
issues: write

on:
push:
branches:
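Review bot: moving `id-token: write` and `issues: write` down to the `staging-tests` job is the right direction, but after this hunk the workflow has no top-level `permissions:` at all, so any job added to this file later inherits the repository default token permissions instead of nothing. Add `permissions: {}` at the workflow level, as this same commit does in `scorecards-analysis.yml`, so that every job has to opt in.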
Expand All @@ -17,8 +10,16 @@ on:
jobs:
staging-tests:
runs-on: ubuntu-latest
permissions:
# Needed to access the workflow's OIDC identity.
id-token: write

# Needed to create an issue, on failure.
issues: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
14 changes: 7 additions & 7 deletions README.md
Expand Up @@ -358,12 +358,12 @@ provided below.

### Signing with ambient credentials

For environments that support OpenID Connect, natively `sigstore` supports ambient credential
For environments that support OpenID Connect, `sigstore` supports ambient credential
detection. This includes many popular CI platforms and cloud providers. See the full list of
supported environments [here](https://github.com/di/id#supported-environments).

Sign a single file (`foo.txt`) using an ambient OpenID Connect credential,
saving the bundle to `foo.txt.sigstore`:
saving the bundle to `foo.txt.sigstore.json`:

```console
$ python -m sigstore sign foo.txt
Expand All @@ -376,7 +376,7 @@ allowing you to request signing certificates that attest to control over
that email.

Sign a single file (`foo.txt`) using the OAuth2 flow, saving the
bundle to `foo.txt.sigstore`:
bundle to `foo.txt.sigstore.json`:

```console
$ python -m sigstore sign foo.txt
Expand Down Expand Up @@ -404,11 +404,11 @@ namely the Fulcio's supported identity providers and the claims expected within

### Verifying against a signature and certificate

By default, `sigstore verify identity` will attempt to find a `<filename>.sigstore` in the
same directory as the file being verified:
By default, `sigstore verify identity` will attempt to find a `<filename>.sigstore.json`
or `<filename>.sigstore` in the same directory as the file being verified:

```console
# looks for foo.txt.sigstore
# looks for foo.txt.sigstore.json
$ python -m sigstore verify identity foo.txt \
--cert-identity '[email protected]' \
--cert-oidc-issuer 'https://github.com/login/oauth'
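Review bot: the rewritten sentence says `sigstore verify identity` looks for `<filename>.sigstore.json` or `<filename>.sigstore`, but does not say what happens when both exist beside the file, and the `# looks for foo.txt.sigstore.json` comment below suggests only the `.json` form is tried. State the precedence explicitly (for example that `.sigstore.json` is preferred and `.sigstore` is only a fallback, if that is the behaviour), since a stale `.sigstore` next to a fresh `.sigstore.json` is exactly the case a user hits after upgrading.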
Expand All @@ -417,7 +417,7 @@ $ python -m sigstore verify identity foo.txt \
Multiple files can be verified at once:

```console
# looks for {foo,bar}.txt.sigstore
# looks for {foo,bar}.txt.sigstore.json
$ python -m sigstore verify identity foo.txt bar.txt \
--cert-identity '[email protected]' \
--cert-oidc-issuer 'https://github.com/login/oauth'