Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Approval for installing Octo STS in Sigstore GitHub organization #51

Closed
codysoyland opened this issue Oct 29, 2024 · 7 comments
Closed

Approval for installing Octo STS in Sigstore GitHub organization #51

codysoyland opened this issue Oct 29, 2024 · 7 comments
Assignees
@trevrosen @bobcallaway @SantiagoTorres @lukehinds @priyawadhwa
Labels
enhancement New feature or request governance vote-required

Comments

@codysoyland
Copy link
Member

Question

I am seeking permission to install the Octo STS GitHub App in the Sigstore GitHub organization, to enable the following workflows:

This app can be used to replace PATs used within the Sigstore organization, simplifying maintenance burden and improving security.

The alternative to this is to use PATs for the above workflows.

I have already updated the first (sigstore-go) workflow to use octo-sts, and I have successfully demonstrated this working on a private organization.
@codysoyland codysoyland added the question Further information is requested label Oct 29, 2024
@codysoyland codysoyland mentioned this issue Oct 29, 2024
Closed
@haydentherapper
Copy link

cc @jku who had looked into PATs vs apps for tuf-on-ci

@cpanato
Copy link
Member

cpanato commented Oct 30, 2024

when we install the App we can select only the repos we want for now

+1 to have this! :D

@cpanato cpanato added enhancement New feature or request governance vote-required and removed question Further information is requested labels Oct 30, 2024
@hectorj2f
Copy link

+1

@jku
Copy link
Member

jku commented Oct 30, 2024

I think the idea is far better than other options so far: +1.

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

@codysoyland
Copy link
Member Author

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

I was wondering about this too as I wrote this policy. I didn't find any more docs but I located the source code that compiles and checks the policy here.

@cpanato
Copy link
Member

cpanato commented Oct 30, 2024

I can't confidently say I understand the policy side fully. Is the trust policy file documented somewhere? I have trouble finding anything other than the short README.

I was wondering about this too as I wrote this policy. I didn't find any more docs but I located the source code that compiles and checks the policy here.

i will add some examples, thanks for the feedback

@codysoyland
Copy link
Member Author

During the TSC call on this, some concerns were raised about giving octo-sts too many permissions, and I have since begun using Dependabot grouped updates which resolve the original issue well enough, so this is no longer needed.

@jku jku mentioned this issue Jan 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@trevrosen trevrosen

@bobcallaway bobcallaway

@SantiagoTorres SantiagoTorres

@lukehinds lukehinds

@priyawadhwa priyawadhwa

Labels
enhancement New feature or request governance vote-required
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@trevrosen @jku @codysoyland @bobcallaway @SantiagoTorres @hectorj2f @cpanato @lukehinds @haydentherapper @priyawadhwa