Skip to content
Cross-version verify

build(deps-dev): update ruff requirement from <0.15.11 to <0.15.12 (#… #356

Sign in to view logs

build(deps-dev): update ruff requirement from <0.15.11 to <0.15.12 (#…

build(deps-dev): update ruff requirement from <0.15.11 to <0.15.12 (#… #356

Workflow file for this run

.github/workflows/cross-version-verify.yaml at 9f40685
# Copyright 2025 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Cross-version verify
on:
push:
branches:
- main
- series/*
pull_request:
workflow_dispatch:
permissions: {}
jobs:
sign:
name: Sign
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml
- run: pip install .
- name: Fetch testing oidc token
uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
- name: Sign
run: |
touch artifact
python -m sigstore --staging sign --bundle artifact-staging-rekor2.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=2 artifact
python -m sigstore --staging sign --bundle artifact-staging-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
python -m sigstore sign --bundle artifact-prod-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
- name: upload signature bundle
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: bundle
path: artifact*.sigstore.json
if-no-files-found: error
retention-days: 1
verify:
name: Verify with ${{ matrix.version }} on ${{ matrix.env }}
needs: [sign]
runs-on: ubuntu-latest
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
# hand crafted list of old versions we care about
version: [3.5.6, 3.6.7, 4.0.0, 4.1.0, 4.2.0]
env: [staging, prod]
exclude:
# exclude staging for versions with https://github.com/sigstore/sigstore-python/issues/1656
- env: staging
version: 3.5.6
- env: staging
version: 4.0.0
- env: staging
version: 4.1.0
steps:
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
- run: pip install sigstore==${{ matrix.version }}
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: bundle
- run: touch artifact
- name: Verify (Rekor v2)
# Rekor v2 is currently only available on staging, and only supported on sigstore-python 4.x
if: startsWith(matrix.version, '3.') != true && matrix.env == 'staging'
env:
ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
BUNDLE: artifact-${{matrix.env}}-rekor2.sigstore.json
run: |
python -m sigstore $ENV_OPT verify github --verbose \
--cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
--bundle $BUNDLE \
artifact
- name: Verify (Rekor v1)
env:
ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
BUNDLE: artifact-${{matrix.env}}-rekor1.sigstore.json
run: |
python -m sigstore $ENV_OPT verify github --verbose \
--cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
--bundle $BUNDLE \
artifact