Skip to content

build(deps-dev): bump mypy from 2.1.0 to 2.2.0 #590

build(deps-dev): bump mypy from 2.1.0 to 2.2.0

build(deps-dev): bump mypy from 2.1.0 to 2.2.0 #590

Workflow file for this run

# Copyright 2025 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Cross-platform sign and verify
on:
push:
branches:
- main
- series/*
pull_request:
workflow_dispatch:
permissions: {}
defaults:
run:
shell: bash
jobs:
sign:
name: Sign on ${{ matrix.os }}
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false
matrix:
os: [ ubuntu, macos, windows ]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Fetch testing oidc token
run: |
curl --fail --retry 3 --output oidc-token.txt \
https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt
- name: Sign
run: uv run python -m sigstore --staging sign --identity-token $(cat
oidc-token.txt) test/assets/a.txt
- name: upload signature bundle
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ matrix.os }}-bundle
path: test/assets/a.txt.sigstore.json
if-no-files-found: error
retention-days: 1
verify:
name: Verify ${{ matrix.signed-with-os }} bundle on ${{ matrix.os }}
if: ${{ always() }} # don't stop some verification if one of the signing jobs failed
needs: [ sign ]
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ ubuntu, macos, windows ]
signed-with-os: [ ubuntu, macos, windows ]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ matrix.signed-with-os }}-bundle
- name: Verify
run: |
uv run python -m sigstore --staging verify identity --verbose \
--cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
--cert-oidc-issuer "https://accounts.google.com" \
--bundle a.txt.sigstore.json \
test/assets/a.txt