sbp commented on issue #86: URL: https://github.com/apache/tooling-trusted-release/issues/86#issuecomment-3211040275

The way that this works currently in a GHA workflow is to:

* Request an OIDC JWT from `ACTIONS_ID_TOKEN_REQUEST_URL`
* Generate an SSH key pair
* Send the GitHub OIDC JWT and SSH public key to ATR
* Wait for ATR to register the SSH key (if the user, repository, and workflow are known)
* Upload the files with rsync using the registered SSH key

The SSH key is registered at the ATR for 20 minutes, and then it expires. These steps are a few dozen lines in the workflow, which isn't too bad, but writing our own GitHub Action might make it even more user friendly.

**Caveats and TODO items**:

* We don't yet have a list of approved projects from Security.
* We don't have an implementation of the workflow in the ATR client, and it may not be useful to put it in the client.
* We only allow uploading during compose, not during finish.
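
The server-side half of the flow described in the comment (register the key only if the user, repository, and workflow are known, then expire it after 20 minutes) could look like the sketch below. This is an added example, not ATR's code: the `TRUSTED` allowlist, the function names, and the sample values are hypothetical, and `claims` is assumed to come from a GitHub OIDC JWT whose signature and audience were already verified by a JWT library.

```python
import time
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
KEY_TTL_SECONDS = 20 * 60  # the comment states the key expires after 20 minutes

# Hypothetical allowlist: (repository, workflow file) -> actors allowed to upload.
TRUSTED = {
    ("example-org/example-repo", ".github/workflows/release.yml"): {"example-user"},
}

@dataclass
class Registration:
    ssh_public_key: str
    repository: str
    expires_at: float

def workflow_path(claims):
    """Extract the workflow file from the `workflow_ref` claim, which has the
    form "owner/repo/.github/workflows/x.yml@refs/heads/main"."""
    path = claims.get("workflow_ref", "").split("@", 1)[0]
    prefix = claims.get("repository", "") + "/"
    return path[len(prefix):] if path.startswith(prefix) else None

def register_key(claims, ssh_public_key, now=None):
    """Return a Registration, or None if any identity check fails."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # token already expired
    actors = TRUSTED.get((claims.get("repository"), workflow_path(claims)))
    if actors is None or claims.get("actor") not in actors:
        return None  # unknown repository, workflow, or user
    # Added hardening (assumption): a single-line key cannot smuggle a second
    # entry into an authorized_keys-style store.
    if "\n" in ssh_public_key or "\r" in ssh_public_key:
        return None
    return Registration(ssh_public_key, claims["repository"], now + KEY_TTL_SECONDS)

def key_is_valid(reg, now):
    """A registered key is usable only until its 20-minute window closes."""
    return now < reg.expires_at
```

Binding the key to the repository, workflow file, and actor together means a token minted by a different workflow in the same repository does not get a key registered.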