workflows: Expect longer timestamp validity
* We have been signing timestamp every day for a while now
* expiry-period is 7 days so that's how far the new expiry is set
* signing-period is 6 days so timestamp is signed 7-6 = 1 day after
  previous signing (in practice because of workflow scheduling it may be
  30 hours)

Let's start requiring that timestamp is valid for 5 days when the test
workflows run. This will increase the amount of time we have to solve
any issues with online signing, because we will find out about them
earlier.

Documenting the strange syntax here for convenience:
    ${{ github.event_name == 'workflow_call' && 0 || 5 }}
This means that during publish we only require that the metadata is not
expired at the moment but when the workflow runs via other means
(e.g. cron), we require that it is also not expired in 5 days.

This is for sigstore/root-signing#1415

Signed-off-by: Jussi Kukkonen <[email protected]>
jku committed Jan 27, 2025
1 parent 5b9f58a commit b71d258
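An added example, not part of the commit or the sigstore/root-signing workflows: it models the validity check the `valid_days` input expresses (TUF `expires` compared against now plus N days), computes the worst-case slack from the cadence figures in the commit message (7-day expiry, up to 30 hours between signing runs), and reproduces GitHub Actions' `a && b || c` evaluation, assuming the engine's JavaScript-like truthiness (`false`, `null`, `0`, `''` are falsy), to show what the `&& 0 || 5` idiom returns in each branch.

```python
from datetime import datetime, timedelta, timezone
from math import isnan

# Constructed figures taken from the commit message.
EXPIRY_PERIOD = timedelta(days=7)      # timestamp expiry-period
WORST_CASE_GAP = timedelta(hours=30)   # observed gap between signing runs


def parse_expires(expires: str) -> datetime:
    """Parse a TUF 'expires' field such as '2025-02-03T00:00:00Z' as UTC."""
    return datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def valid_for(expires: str, now: str, valid_days: int) -> bool:
    """True if the metadata is still valid valid_days from now.
    valid_days=0 is the 'just not expired right now' check."""
    return parse_expires(expires) > parse_expires(now) + timedelta(days=valid_days)


def worst_case_remaining(gap: timedelta = WORST_CASE_GAP) -> timedelta:
    """Validity left on the newest timestamp just before the next signing
    run completes, if each signed timestamp gets EXPIRY_PERIOD of validity."""
    return EXPIRY_PERIOD - gap


def gh_truthy(value) -> bool:
    """Assumed GitHub expression truthiness: false/null/0/NaN/'' are falsy."""
    if value is None or value is False:
        return False
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value != 0 and not isnan(value)
    if isinstance(value, str):
        return value != ""
    return True


def gh_and_or(cond, a, b):
    """Evaluate `cond && a || b` the way the expression engine does:
    `&&` yields its left operand if falsy else the right; `||` yields its
    left operand if truthy else the right. No ternary short-circuit exists."""
    left = a if gh_truthy(cond) else cond
    return left if gh_truthy(left) else b


if __name__ == "__main__":
    print("slack over 5 days:", worst_case_remaining() - timedelta(days=5))
    print("workflow_call branch of `&& 0 || 5`:", gh_and_or(True, 0, 5))
    print("inverted `!= workflow_call && 5 || 0`:", gh_and_or(False, 5, 0))
```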
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/test-gcs.yml
@@ -17,7 +17,7 @@ jobs:
with:
metadata_url: https://tuf-repo-cdn.sigstage.dev/
# when workflow is reused in publish.yml, do not require future validity
valid_days: ${{ github.event_name == 'workflow_call' && 0 || 3 }}
valid_days: ${{ github.event_name == 'workflow_call' && 0 || 5 }}
offline_valid_days: ${{ github.event_name == 'workflow_call' && 0 || 16 }}

custom-smoke-test:
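Review bot: the new `valid_days:` line does not evaluate to 0 on workflow_call, because a numeric 0 is falsy in GitHub Actions expressions (the same rule that makes `cond && '' || 'x'` always yield `'x'`): `true && 0` gives 0, and `0 || 5` then falls through to 5, so the "do not require future validity" behaviour the comment above it describes is not what this line does. Inverting the condition keeps the integers and is correct in both branches: `valid_days: ${{ github.event_name != 'workflow_call' && 5 || 0 }}`. A freshly signed timestamp carrying 7 days of validity passes a 5-day requirement anyway, which is why the difference would not show up in a publish run; the `offline_valid_days` line below has the same shape.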
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
@@ -18,7 +18,7 @@ jobs:
metadata_url: https://sigstore.github.io/root-signing-staging/
update_base_url: https://tuf-repo-cdn.sigstage.dev/
# when workflow is reused in publish.yml, do not require future validity
valid_days: ${{ github.event_name == 'workflow_call' && 0 || 3 }}
valid_days: ${{ github.event_name == 'workflow_call' && 0 || 5 }}
offline_valid_days: ${{ github.event_name == 'workflow_call' && 0 || 16 }}

custom-smoke-test:
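Review bot: the literal 5 on the new `valid_days:` line carries an undocumented derivation (a 7-day expiry-period minus up to about 30 hours between signing runs leaves roughly 5.75 days on the freshest timestamp, so 5 leaves well under a day of slack), and this file and test-gcs.yml now hold the same value independently. Suggest extending the comment above it to state that `valid_days` must stay below expiry-period minus the signing gap, or pointing at where that margin is reasoned about, so a later bump in either file alone does not turn every scheduled run into a false alarm.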