From 29905fea50f37cfbe5430f7d99a82138767e00e4 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 24 Sep 2024 03:11:06 -0400
Subject: [PATCH] workflows: various CQA fixes (#1140)
* workflows: various CQA fixes
* README: fix minor doc errors
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/conformance.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/lint.yml | 9 +++++++++
 .github/workflows/pin-requirements.yml | 4 ++++
 .github/workflows/release.yml | 2 ++
 .github/workflows/requirements.yml | 3 ++-
 .github/workflows/scorecards-analysis.yml | 4 ++--
 .github/workflows/staging-tests.yml | 15 ++++++++-------
 README.md | 14 +++++++-------
 10 files changed, 42 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 816d3883..1aa1e0f6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,8 @@ jobs:
 runs-on: ${{ matrix.conf.os }}
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
@@ -88,6 +90,8 @@ jobs:
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 6ef24e40..93537ad4 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -12,6 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5443feaa..c4f9d2d1 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
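Review bot: `persist-credentials: false` on the checkout step is the right setting, but neither this hunk nor the second ci.yml hunk shows a `permissions:` block for the workflow or the job, so the job token may still carry whatever default scopes the repository grants for the remaining steps. This same commit sets `permissions: {}` at the top of scorecards-analysis.yml; an explicit top-level `permissions: {}` (or a read-only job-level block) would make ci.yml consistent with it. The top of the file is outside the hunk, so ignore this if it is already declared there. The matching checkout hunks in conformance.yml, docs.yml, lint.yml and release.yml raise the same question.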
@@ -10,6 +10,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 473fa6e9..b7c0d765 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
@@ -28,6 +30,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 # NOTE: We intentionally check `--help` rendering against our minimum Python,
 # since it changes slightly between Python versions.
@@ -47,6 +51,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+ # adapted from Warehouse's bin/licenses
 - run: |
 for fn in $(find . -type f -name "*.py"); do
@@ -60,6 +67,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 # NOTE: We intentionally check test certificates against our minimum supported Python.
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
diff --git a/.github/workflows/pin-requirements.yml b/.github/workflows/pin-requirements.yml
index abe1c510..ae322f1b 100644
--- a/.github/workflows/pin-requirements.yml
+++ b/.github/workflows/pin-requirements.yml
@@ -36,6 +36,8 @@ jobs:
 # NOTE: Needed for `git describe` below.
 fetch-depth: 0
 fetch-tags: true
+ # NOTE: Needed to push back to the repo.
+ persist-credentials: true
 - name: Get latest tag
 run: |
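Review bot: `persist-credentials: true` is already the default of actions/checkout, so the added line in the pin-requirements.yml hunk changes nothing at runtime; its value is documentation, and the comment should then say what is persisted and for how long, e.g. `# NOTE: Needed to push back to the repo; the checkout token stays in .git/config for every later step of this job.` Whether that token is the default GITHUB_TOKEN or a `token:` input is not visible here, since the `with:` block starts before the hunk. A narrower alternative is to leave persistence off and hand the token only to the step that pushes, via its `env:`. The second pin-requirements.yml hunk (the checkout with `ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}`) has the same shape and the same comment applies.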
@@ -118,6 +120,8 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}
+ # NOTE: Needed to push back to the repo.
+ persist-credentials: true
 - name: Reset remote PR branch
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af6a3b1f..ff60dd72 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,8 @@ jobs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
diff --git a/.github/workflows/requirements.yml b/.github/workflows/requirements.yml
index 30d87f03..164868cc 100644
--- a/.github/workflows/requirements.yml
+++ b/.github/workflows/requirements.yml
@@ -29,11 +29,12 @@ jobs:
 - name: Populate reference from context
 if: ${{ env.SIGSTORE_REF == '' }}
 run: |
- echo "SIGSTORE_REF=${{ github.ref }}" >> "${GITHUB_ENV}"
+ echo "SIGSTORE_REF=${GITHUB_REF}" >> "${GITHUB_ENV}"
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 ref: ${{ env.SIGSTORE_REF }}
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 name: Install Python ${{ matrix.python_version }}
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 9229b24d..1c64c14b 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -8,8 +8,8 @@ on:
 push:
 branches: [ main ]
-# Declare default permissions as read only.
-permissions: read-all
+# Clear default permissions.
+permissions: {}
 jobs:
 analysis:
diff --git a/.github/workflows/staging-tests.yml b/.github/workflows/staging-tests.yml
index 0ac88ad6..96b4f8a2 100644
--- a/.github/workflows/staging-tests.yml
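Review bot: Replacing `${{ github.ref }}` with `${GITHUB_REF}` inside the `run:` script in requirements.yml removes an expression expansion from shell text, which is the right direction, but the preceding `if: ${{ env.SIGSTORE_REF == '' }}` shows that `SIGSTORE_REF` can already be populated before this step, and that earlier source is outside the hunk. If it comes from a user-supplied input such as a `workflow_dispatch` value, it should likewise reach scripts only through `env:`/`with:` and never through `${{ }}` inside `run:`; a comment above the step, `# SIGSTORE_REF is consumed only via env/with, never interpolated into run:`, would record that invariant so the fix does not regress. The added `persist-credentials: false` on the checkout is consistent with the other workflows in this commit.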
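Review bot: With `permissions: {}` at the workflow level in scorecards-analysis.yml, the token has no scopes at all unless the `analysis` job, whose body begins after this hunk, declares its own `permissions:` block; the previous `read-all` granted every job read scopes implicitly, so a job that relied on that is now broken rather than merely restricted. Please confirm the job-level block lists what the scorecard action documents as required (it uploads SARIF, so `security-events: write` alongside `contents: read` and `actions: read`, plus `id-token: write` if results are published). The replacement comment could state the new contract: `# No workflow-level permissions; each job declares the scopes it needs.`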
+++ b/.github/workflows/staging-tests.yml
@@ -1,12 +1,5 @@
 name: Staging Instance Tests
-permissions:
- # Needed to access the workflow's OIDC identity.
- id-token: write
-
- # Needed to create an issue, on failure.
- issues: write
-
 on:
 push:
 branches:
@@ -17,8 +10,16 @@ on:
 jobs:
 staging-tests:
 runs-on: ubuntu-latest
+ permissions:
+ # Needed to access the workflow's OIDC identity.
+ id-token: write
+
+ # Needed to create an issue, on failure.
+ issues: write
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
diff --git a/README.md b/README.md
index ea4b4529..5cbd426d 100644
--- a/README.md
+++ b/README.md
@@ -358,12 +358,12 @@ provided below.
 ### Signing with ambient credentials
-For environments that support OpenID Connect, natively `sigstore` supports ambient credential
+For environments that support OpenID Connect, `sigstore` supports ambient credential
 detection. This includes many popular CI platforms and cloud providers. See the full list of supported environments [here](https://github.com/di/id#supported-environments).
 Sign a single file (`foo.txt`) using an ambient OpenID Connect credential,
-saving the bundle to `foo.txt.sigstore`:
+saving the bundle to `foo.txt.sigstore.json`:
 ```console
 $ python -m sigstore sign foo.txt
@@ -376,7 +376,7 @@ allowing you to request signing certificates that attest to control over that email.
 Sign a single file (`foo.txt`) using the OAuth2 flow, saving the
-bundle to `foo.txt.sigstore`:
+bundle to `foo.txt.sigstore.json`:
 ```console
 $ python -m sigstore sign foo.txt
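Review bot: Moving `id-token: write` and `issues: write` onto the `staging-tests` job correctly narrows them to the job that uses them, but deleting the workflow-level `permissions:` block (first staging-tests.yml hunk) leaves no top-level declaration, so any job added to this workflow later inherits the repository's default token scopes instead of nothing. Adding `permissions: {}` at the workflow level, as this same commit does in scorecards-analysis.yml, keeps the job-level block the only grant; a comment above it such as `# No workflow-level permissions; the job below declares its own.` makes the intent visible. The step that actually creates the issue, the consumer of `issues: write`, is outside the hunk, so I could not check that nothing else in the job needs a scope.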
@@ -404,11 +404,11 @@ namely the Fulcio's supported identity providers and the claims expected within
 ### Verifying against a signature and certificate
-By default, `sigstore verify identity` will attempt to find a `.sigstore` in the
-same directory as the file being verified:
+By default, `sigstore verify identity` will attempt to find a `.sigstore.json`
+or `.sigstore` in the same directory as the file being verified:
 ```console
-# looks for foo.txt.sigstore
+# looks for foo.txt.sigstore.json
 $ python -m sigstore verify identity foo.txt \
 --cert-identity 'hamilcar@example.com' \
 --cert-oidc-issuer 'https://github.com/login/oauth'
@@ -417,7 +417,7 @@ $ python -m sigstore verify identity foo.txt \
 Multiple files can be verified at once:
 ```console
-# looks for {foo,bar}.txt.sigstore
+# looks for {foo,bar}.txt.sigstore.json
 $ python -m sigstore verify identity foo.txt bar.txt \
 --cert-identity 'hamilcar@example.com' \
 --cert-oidc-issuer 'https://github.com/login/oauth'