Problem Statement
The extremely-dangerous-public-oidc-beacon action is being deprecated. A more reliable alternative already exists: https://github.com/sigstore/sigstore-conformance/#identity-token-for-signing-tests
Proposed Solution
The switch is usually trivial as getting the token is easy:
SIGSTORE_ID_TOKEN=$(curl -sSfL https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt)
The new identity is untrusted-sa@sigstore-conformance.iam.gserviceaccount.com with issuer https://accounts.google.com.
I did not provide a patch because of two sigstore-a2a specific issues:
- the new token is not from GitHub so the GitHub specific claims are not there so these will not work:
--repository <REPO> --workflow <WORKFLOW>. If you need the GitHub specific claims, you should implement your own testing token source
- There are some committed test signatures, I was not sure if you want to replace those at same time or not
Alternatives Considered
No response
Component
CLI
Additional Context
No response
Problem Statement
The
extremely-dangerous-public-oidc-beaconaction is being deprecated. A more reliable alternative already exists: https://github.com/sigstore/sigstore-conformance/#identity-token-for-signing-testsProposed Solution
The switch is usually trivial as getting the token is easy:
The new identity is
untrusted-sa@sigstore-conformance.iam.gserviceaccount.comwith issuerhttps://accounts.google.com.I did not provide a patch because of two sigstore-a2a specific issues:
--repository <REPO> --workflow <WORKFLOW>. If you need the GitHub specific claims, you should implement your own testing token sourceAlternatives Considered
No response
Component
CLI
Additional Context
No response