publish token to GH Pages? #5
Comments
I think this is easiest:

```python
from datetime import datetime
import jwt
token = jwt.decode(cursed_token_data[:-1], options={"verify_signature": False})
expiry = datetime.fromtimestamp(token["exp"])
```

Should be trivial to retry if the token is not valid (or is valid for less than 10 secs or however long we need it for)
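The freshness check and retry suggested in this comment, as an added example that is not part of the thread or the project's code: it reads `exp` from the JWT payload with the standard library rather than PyJWT and treats a garbled download like a stale token. The names `fetch`, `min_validity`, `fetch_fresh_token` and `make_sample_token` are hypothetical, and the sample tokens are constructed.

```python
import base64
import json
import time


def unverified_exp(token: str) -> int:
    """Return the `exp` claim of a JWT without verifying its signature.

    Freshness check only: the relying party must still verify the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp claim")
    return int(exp)


def fetch_fresh_token(fetch, min_validity=10, attempts=5, delay=1.0,
                      now=time.time, sleep=time.sleep):
    """Call fetch() until it returns a token valid for >= min_validity seconds."""
    for attempt in range(attempts):
        token = fetch().strip()  # published file may end with a newline
        try:
            if unverified_exp(token) - now() >= min_validity:
                return token
        except ValueError:
            pass  # truncated or garbled download: retry like a stale token
        if attempt < attempts - 1:
            sleep(delay)
    raise TimeoutError(f"no token valid for {min_validity}s after {attempts} attempts")


def make_sample_token(exp: int) -> str:
    """Constructed sample: JWT-shaped string with a placeholder signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': exp})}.sig"
```

Here `fetch` is any zero-argument callable that returns the published token text, so the download mechanism stays separate from the freshness logic.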
This is a great idea, and should be way less flaky than the current approach! If you have the time to work on this I'd be overjoyed to review and merge it, otherwise I'll try and find the time to do it in the near future 🙂
It's on my list of "when I need a break from actual project, try this"... so no promises but I might. I'll leave a note here if I do anything
So... this is easy to do, I have it running in my fork. Unfortunately
Plan:
That plan SGTM -- I think it's safe to assume that sigstore-conformance is the only current user.
This is very neat (an abomination but a neat one), I'm thinking of using this in my own testing as well... The only tricky part seems to be finding a token: see https://github.com/sigstore/sigstore-conformance/blob/6c958ac7c74146cb694b9bdb3f8111c3e447d6cf/test/conftest.py#L75 for an example.
What if the workflow published to GitHub Pages with a static filename? That way the newest produced token could always be available at https://sigstore-conformance.github.io/extremely-dangerous-public-oidc-beacon/cursed-token.txt. Am I missing anything?
The downloader would still have to deal with the token being too old (unsure how at this hand-waving stage) but all of this would go away: