
Commit ecfa0d7

committed
Add rekor-version argument
* Argument is optional, valid values [1,2] * Default is 1, except on staging where it's 2 * Plan is to change default to 2 in a major release as soon as Rekor v2 is available in production Signed-off-by: Jussi Kukkonen <[email protected]>
1 parent 72e7431 commit ecfa0d7


2 files changed

+22
-0
lines changed


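--- a/action.py
+++ b/action.py
@@ -151,6 +151,19 @@ def _fatal_help(msg):
 
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
 sigstore_global_args.append("--staging")
+rekor_version_default = "2"
+else:
+rekor_version_default = "1"
+
+rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")
+if rekor_version_env == "":
+rekor_version = rekor_version_default
+elif rekor_version_env in ["1", "2"]:
+rekor_version = rekor_version_env
+else:
+_fatal_help(f"'{rekor_version_env}' is not a valid rekor-version")
+
+sigstore_sign_args.extend(["--rekor-version", rekor_version])
 
 verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
 if enable_verify and not verify_cert_identity: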
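Review bot: `os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")` has no fallback, so an unset variable yields None, which matches neither `""` nor the `["1", "2"]` allowlist and ends in `_fatal_help` with the message `'None' is not a valid rekor-version`. action.yml always exports the variable, but the neighbouring `GHA_SIGSTORE_PYTHON_STAGING` lookup passes a default, and doing the same here, `rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION", "")`, keeps an unset variable on the default path. The final `else` leaves `rekor_version` unbound unless `_fatal_help` never returns; its body is outside this hunk, so that is presumably the case but worth confirming. Because the selected log version decides which verifiers can check the resulting signatures, a comment above the allowlist such as `# "" selects the per-environment default: 1 in production, 2 in staging` would make the sentinel explicit.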

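--- a/action.yml
+++ b/action.yml
@@ -32,6 +32,14 @@ inputs:
 description: "the custom OpenID Connect client secret to use during OAuth2"
 required: false
 default: ""
+rekor-version:
+description: |
+The Rekor transparency log instance version used during signing. Valid values are [1, 2].
+Verifying clients must be compatible with the used Rekor version.
+
+Default rekor-version is 1, except when `staging` is enabled: then default rekor-version is 2.
+required: false
+default: ""
 staging:
 description: "use sigstore's staging instances, instead of the default production instances"
 required: false
@@ -92,6 +100,7 @@ runs:
 GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
 GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
 GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
+GHA_SIGSTORE_PYTHON_REKOR_VERSION: "${{ inputs.rekor-version }}"
 GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
 GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
 GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"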
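Review bot: The `rekor-version` description in the first hunk gives the current defaults but not that the production default is planned to move to 2, as the commit message says. That matters to callers because, per the description itself, verifying clients must be compatible with the Rekor version used for signing. I would add a line such as `Set this input explicitly if your verifiers support only one Rekor version; the default is planned to change in a future major release.` The description could also say that an empty value selects the default and that any value other than 1 or 2 fails the run, which is what action.py enforces.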
