gittuf/ci-demo

gittuf Verification

This is a demonstration of using gittuf verification in a CI workflow. The repository carries a simple gittuf policy protecting the main branch: every update to the branch's state must be signed with Sigstore, the expected signer identity is @adityasaky's, and the expected OIDC issuer is GitHub (https://github.com/login/oauth, as recorded in the policy below). A signature from the same e-mail address issued by any other OIDC provider does not satisfy the rule.

The .keys folder contains the root and targets keys used to manage the gittuf policy. These keys sign the policy metadata itself; they are separate from the Sigstore identity that authorizes changes to main.

Active Policy

The policy on this repository declares a single key of type sigstore-oidc (scheme fulcio), identified by the pair of the signer's e-mail and the issuer https://github.com/login/oauth, and a rule named protect-main that covers the namespace git:refs/heads/main and authorizes only that key with a threshold of 1. Rules are consulted in the order listed; the trailing gittuf-allow-rule matches every remaining namespace (*) and requires no signers, so refs other than main are not protected by this policy. To inspect the policy in more detail, use gittuf clone to download the repository together with the gittuf namespaces. Pre-built (and signed) gittuf binaries are available from its latest release. Alternatively, clone the repository using Git and fetch refs/gittuf/reference-state-log and refs/gittuf/policy manually.

{
    "keys": {
        "[email protected]::https://github.com/login/oauth": {
            "keyid_hash_algorithms": null,
            "keytype": "sigstore-oidc",
            "keyval": {
                "identity": "[email protected]",
                "issuer": "https://github.com/login/oauth"
            },
            "scheme": "fulcio",
            "keyid": "[email protected]::https://github.com/login/oauth"
        }
    },
    "roles": [
        {
            "name": "protect-main",
            "paths": [
                "git:refs/heads/main"
            ],
            "terminating": false,
            "keyids": [
                "[email protected]::https://github.com/login/oauth"
            ],
            "threshold": 1
        },
        {
            "name": "gittuf-allow-rule",
            "paths": [
                "*"
            ],
            "terminating": true,
            "keyids": [],
            "threshold": 1
        }
    ]
}
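To make the rule semantics concrete, here is a small Python model of the policy above. It is an added example, not gittuf's own verifier or any code from the gittuf project: it embeds a constructed copy of the JSON shown on this page, walks the rules in declaration order, resolves the keyids to (identity, issuer) pairs, and decides whether a set of Sigstore signer claims reaches the rule's threshold. The glob matcher (Python fnmatch, with "*" spanning "/") and the identity string (the obfuscated placeholder that appears on this page) are assumptions; gittuf's real matcher may differ in detail.

```python
import fnmatch
import json

# Constructed copy of the policy shown above. The identity string is the
# obfuscated placeholder that appears on this page, not a real address.
POLICY_JSON = r'''
{
    "keys": {
        "[email protected]::https://github.com/login/oauth": {
            "keyid_hash_algorithms": null,
            "keytype": "sigstore-oidc",
            "keyval": {
                "identity": "[email protected]",
                "issuer": "https://github.com/login/oauth"
            },
            "scheme": "fulcio",
            "keyid": "[email protected]::https://github.com/login/oauth"
        }
    },
    "roles": [
        {"name": "protect-main", "paths": ["git:refs/heads/main"],
         "terminating": false,
         "keyids": ["[email protected]::https://github.com/login/oauth"],
         "threshold": 1},
        {"name": "gittuf-allow-rule", "paths": ["*"],
         "terminating": true, "keyids": [], "threshold": 1}
    ]
}
'''
POLICY = json.loads(POLICY_JSON)

GITHUB_ISSUER = "https://github.com/login/oauth"


def find_rule(policy, namespace):
    """Return the first rule (in declaration order) whose paths match namespace.

    Assumption: fnmatch-style globbing, where '*' also spans '/'. The ordering
    (protect-main before the catch-all allow rule) is what the policy relies on.
    """
    for rule in policy["roles"]:
        if any(fnmatch.fnmatchcase(namespace, pat) for pat in rule["paths"]):
            return rule
    return None


def required_signers(policy, namespace):
    """Return (threshold, [(identity, issuer), ...]) for changes to namespace.

    Only sigstore-oidc/fulcio keys are understood here. The trusted signer is
    the (identity, issuer) pair, so the same e-mail from another OIDC issuer
    is a different, untrusted key.
    """
    rule = find_rule(policy, namespace)
    if rule is None:
        raise ValueError(f"no rule covers {namespace!r}")
    signers = []
    for keyid in rule["keyids"]:
        key = policy["keys"][keyid]
        if key["keytype"] != "sigstore-oidc" or key["scheme"] != "fulcio":
            raise ValueError(f"unsupported key {keyid!r}")
        signers.append((key["keyval"]["identity"], key["keyval"]["issuer"]))
    return rule["threshold"], signers


def is_authorized(policy, namespace, signer_claims):
    """Decide whether a change to namespace is authorized.

    signer_claims: (identity, issuer) pairs as they would be read from the
    Fulcio certificates attached to the signatures on the change. A rule with
    no keyids (the allow rule) authorizes everything; otherwise the number of
    distinct trusted signers must reach the rule's threshold.
    """
    threshold, signers = required_signers(policy, namespace)
    if not signers:
        return True
    matched = {claim for claim in signer_claims if claim in signers}
    return len(matched) >= threshold


if __name__ == "__main__":
    ident = "[email protected]"
    # Trusted identity from the trusted issuer: authorized.
    print(is_authorized(POLICY, "git:refs/heads/main", [(ident, GITHUB_ISSUER)]))
    # Same e-mail, different issuer: rejected.
    print(is_authorized(POLICY, "git:refs/heads/main", [(ident, "https://accounts.google.com")]))
    # Any other ref falls through to the allow rule: no signature needed.
    print(is_authorized(POLICY, "git:refs/heads/feature", []))
```

Note that the allow rule cannot be modelled as "1 of 0 keys", which would be unsatisfiable; an empty keyids list has to be treated explicitly as "no authorization required", and that is exactly what leaves every ref other than main unprotected in this demo. In a real checkout the same decision is made by gittuf itself, for example with gittuf verify-ref main after the gittuf namespaces have been fetched.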