deploy-to-gcs.yml
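# Reusable workflow: publishes the TUF repository built by the calling
# workflow (the "github-pages" artifact) to the GCS bucket named below.
name: Deploy repository to GCS

on:
  workflow_call:

# Deny every GITHUB_TOKEN scope by default; the job opts in to the one it needs.
permissions: {}

jobs:
  deploy-to-gcs:
    runs-on: ubuntu-latest
    permissions:
      # A called workflow cannot hold more permissions than the calling job,
      # so the caller must grant id-token: write as well.
      id-token: 'write' # For authenticating with the GitHub workflow identity
    steps:
      # Actions are pinned to full commit SHAs; the trailing version comments
      # are informational and are not what gets resolved.
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: github-pages

      - name: Prepare data for upload
        run: |
          # Extract the github-pages archive into ./repository/
          mkdir repository
          tar --directory repository -xvf artifact.tar

      # NOTE: This gcloud project/account is NOT the tuf-on-ci online signing account
      - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
        with:
          # NOTE(review): no later step reads this step's access_token output
          # (the step has no id), and gcloud normally authenticates through the
          # credentials file this action writes. Confirm whether token_format
          # is still needed; leaving it unset avoids minting an extra bearer
          # token on the runner.
          token_format: access_token
          workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
          # NOTE(review): the address was masked by e-mail obfuscation in this
          # copy of the file. Restore the real service account e-mail; it is
          # quoted here only so the value parses as a string, not a flow list.
          service_account: '[email protected]'

      - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
        with:
          project_id: project-rekor

      - name: Upload repository to GCS
        run: |
          BUCKET="gs://sigstore-tuf-root/"
          # LOAD_BALANCER is not referenced by the commands in this step.
          LOAD_BALANCER="tuf-repo-cdn-lb"

          # Upload metadata, make sure we upload timestamp last: TUF clients
          # start an update from timestamp.json, so publishing it only after
          # everything it refers to keeps the bucket consistent for readers.
          # The default run shell exits on the first failing command, so a
          # failed rsync leaves the previous timestamp.json in place.
          # --cache-control=no-store marks the uploaded objects as not to be
          # cached.
          gcloud storage rsync --cache-control=no-store --recursive --exclude=timestamp.json \
            repository/ "$BUCKET"
          gcloud storage cp --cache-control=no-store repository/timestamp.json "$BUCKET"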