Merge pull request #842 from L77H/sigstore-signer-import-github-actions

jku · web-flow · commit c0c607cd4a51 · 2024-07-11T09:59:02.000+03:00
SigstoreSigner: convenience function for GitHub import
diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
@@ -268,3 +268,28 @@ def sign(self, payload: bytes) -> Signature:
             bundle_json["messageSignature"]["signature"],
             {"bundle": bundle_json},
         )
+
+    @classmethod
+    def import_github_actions(
+        cls, project: str, workflow_path: str, ref: Optional[str] = "refs/heads/main"
+    ) -> Tuple[str, SigstoreKey]:
+        """Convenience method to build identity and issuer string for import_() from
+        GitHub project and workflow path.
+
+        Args:
+            project: GitHub project name (example:
+               "secure-systems-lab/securesystemslib")
+            workflow_path: GitHub workflow path (example:
+               ".github/workflows/online-sign.yml")
+            ref: optional GitHub ref, defaults to refs/heads/main
+
+        Returns:
+            uri: string
+            key: SigstoreKey
+
+        """
+        identity = f"https://github.com/{project}/{workflow_path}@{ref}"
+        issuer = "https://token.actions.githubusercontent.com"
+        uri, key = cls.import_(identity, issuer)
+
+        return uri, key
