7 changes: 7 additions & 0 deletions .github/workflows/selftest.yml
Expand Up @@ -150,6 +150,13 @@ jobs:
inputs: ./test/artifact.txt
staging: true
internal-be-careful-debug: true
- name: Sign artifact with non-default rekor-version and publish signature
uses: ./
with:
inputs: ./test/artifact2.txt
staging: true
rekor-version: 1
internal-be-careful-debug: true
- name: Check outputs
run: |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
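Review bot: The new step signs ./test/artifact2.txt with `rekor-version: 1`, but the visible part of the "Check outputs" step only asserts that `./test/artifact.txt.sigstore.json` exists; the run block continues below the hunk, so if no `[[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1` line is there, the non-default Rekor path produces a bundle nobody checks. There is also no negative case for the new input validation: a step passing an invalid `rekor-version` with `continue-on-error: true`, followed by a check on that step's `outcome`, would confirm the action fails closed instead of forwarding a bad value to the CLI. Both the step list and the run block start or end outside the hunk.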
13 changes: 13 additions & 0 deletions action.py
Expand Up @@ -151,6 +151,19 @@ def _fatal_help(msg):

if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
sigstore_global_args.append("--staging")
rekor_version_default = "2"
else:
rekor_version_default = "1"

rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")
if rekor_version_env == "":
rekor_version = rekor_version_default
elif rekor_version_env in ["1", "2"]:
rekor_version = rekor_version_env
else:
_fatal_help(f"'{rekor_version_env}' is not a valid rekor-version")

sigstore_sign_args.extend(["--rekor-version", rekor_version])

verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
if enable_verify and not verify_cert_identity:
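Review bot: The comparison `rekor_version_env == ""` on the line after the getenv treats an unset variable as invalid rather than as the default, because os.getenv returns None when GHA_SIGSTORE_PYTHON_REKOR_VERSION is absent (action.py run outside the workflow, or against an action.yml that does not export the variable), and the else branch then reports `'None' is not a valid rekor-version`. Changing it to `if not rekor_version_env:` covers both that case and the empty string the action.yml default produces. Keeping the allow-list check before the value is appended to sigstore_sign_args is the right shape, since the input reaches the CLI argument list unmodified; `("1", "2")` is the conventional literal for a fixed membership test. If `_fatal_help` does not terminate the process, `rekor_version` is unbound on the `extend` line — presumably it exits, as the name suggests, but its body is outside the hunk.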
9 changes: 9 additions & 0 deletions action.yml
Expand Up @@ -32,6 +32,14 @@ inputs:
description: "the custom OpenID Connect client secret to use during OAuth2"
required: false
default: ""
rekor-version:
description: |
The Rekor transparency log instance version used during signing. Valid values are [1, 2].
Verifying clients must be compatible with the used Rekor version.

Default rekor-version is 1, except when `staging` is enabled: then default rekor-version is 2.
required: false
default: ""
staging:
description: "use sigstore's staging instances, instead of the default production instances"
required: false
Expand Down Expand Up @@ -92,6 +100,7 @@ runs:
GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
GHA_SIGSTORE_PYTHON_REKOR_VERSION: "${{ inputs.rekor-version }}"
GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"