From a1dbc27049cf35940ec1658426eaaa95d5d77d92 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Wed, 29 Jan 2025 10:51:16 -0500
Subject: [PATCH 1/2] ci: remove dependabot + gomod, always fetch latest

Instead of using Dependabot to test, this always
fetches the latest TSA build.

I'm not positive this is a great idea, however.

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 .github/dependabot.yml   | 11 -----------
 .github/go.mod           | 10 ----------
 .github/go.sum           |  2 --
 .github/workflows/ci.yml | 10 +++++++++-
 4 files changed, 9 insertions(+), 24 deletions(-)
 delete mode 100644 .github/go.mod
 delete mode 100644 .github/go.sum

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 29011578..0f9f7511 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -27,14 +27,3 @@ updates:
       actions:
         patterns:
           - "*"
-
-  - package-ecosystem: gomod
-    directory: "/.github"
-    schedule:
-      interval: daily
-    open-pull-requests-limit: 1
-    rebase-strategy: "disabled"
-    groups:
-      actions:
-        patterns:
-          - "*"
\ No newline at end of file
diff --git a/.github/go.mod b/.github/go.mod
deleted file mode 100644
index 9c70ef9a..00000000
--- a/.github/go.mod
+++ /dev/null
@@ -1,10 +0,0 @@
-module sigstore/sigstore-python
-
-go 1.23.1
-
-toolchain go1.23.5
-
-// We don't have a Go module here but this file is picked up by dependabot
-// and this will automatically update the dependency when needed.
-
-require github.com/sigstore/timestamp-authority v1.2.4
diff --git a/.github/go.sum b/.github/go.sum
deleted file mode 100644
index 42d5069e..00000000
--- a/.github/go.sum
+++ /dev/null
@@ -1,2 +0,0 @@
-github.com/sigstore/timestamp-authority v1.2.4 h1:RjXZxOWorEiem/uSr0pFHVtQpyzpcFxgugo5jVqm3mw=
-github.com/sigstore/timestamp-authority v1.2.4/go.mod h1:ExrbobKdEuwuBptZIiKp1IaVBRiUeKbiuSyZTO8Okik=
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 186c2dd8..bb327357 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -62,19 +62,27 @@ jobs:
       - name: test
         run: make test TEST_ARGS="-vv --showlocals"
 
+      # TODO: Refactor this or remove it entirely once there's
+      # a suitable staging TSA instance.
       - name: test (timestamp-authority)
         if: ${{ matrix.conf.os == 'ubuntu-latest' }}
         run: |
-          SIGSTORE_TIMESTAMP_VERSION=$(grep "github.com/sigstore/timestamp-authority" .github/go.mod | awk '{print $3}')
+          # Fetch the latest sigstore/timestamp-authority build
+          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0]')
           wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
           chmod +x /tmp/timestamp-server
+
           # Run the TSA in background
           /tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring &
           export TEST_SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp"
+
           # Ensure Timestamp Authority tests are not skipped by
           # having pytest show skipped tests and verifying ours are running
           make test TEST_ARGS="-m timestamp_authority -rs" | tee output
           ! grep -q "skipping test that requires a Timestamp Authority" output || (echo "ERROR: Found skip message" && exit 1)
+        env:
+          # Needed for `gh api` above.
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: test (interactive)
         if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork

From a51f4610b80173bf10e872e6f98015d79db7c5dc Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Wed, 29 Jan 2025 10:57:12 -0500
Subject: [PATCH 2/2] ci: fix jq query

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bb327357..1de091e4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,7 +68,7 @@ jobs:
         if: ${{ matrix.conf.os == 'ubuntu-latest' }}
         run: |
           # Fetch the latest sigstore/timestamp-authority build
-          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0]')
+          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name')
           wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
           chmod +x /tmp/timestamp-server