Add a new project root-signing-staging (#351)

Fixes #345 (although further tweaks may be required: we'll see how the bot permissions match what tuf-on-ci expects, and what is needed to configure Pages publishing from GH actions). Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
sigstore · Oct 25, 2023 · 0d7cb9c · 0d7cb9c
1 parent 374cfa1
commit 0d7cb9c
Showing 1 changed file with 61 additions and 0 deletions.
diff --git a/github-sync/github-data/sigstore/repositories.yaml b/github-sync/github-data/sigstore/repositories.yaml
@@ -1410,6 +1410,67 @@ repositories:
         dismissalRestrictions:
           - tuf-root-signing-codeowners
           - sigstore-keyholders
+  - name: root-signing-staging
+    owner: sigstore
+    description: "Staging TUF repository for Sigstore trust root"
+    homepageUrl: ""
+    defaultBranch: main
+    allowAutoMerge: false
+    allowMergeCommit: true
+    allowRebaseMerge: false
+    allowSquashMerge: false
+    archived: false
+    autoInit: false
+    deleteBranchOnMerge: false
+    hasDownloads: false
+    hasIssues: true
+    hasProjects: false
+    hasWiki: false
+    vulnerabilityAlerts: true
+    visibility: public
+    licenseTemplate: ""
+    topics: []
+    collaborators:
+      - username: sigstore-bot
+        permission: push
+      - username: sigstore-review-bot
+        permission: push
+    teams:
+      - name: tuf-root-signing-staging-codeowners
+        id: 8790813
+        permission: maintain
+      - name: triage
+        id: 5643322
+        permission: triage
+      - name: sigstore-oncall
+        id: 6693572
+        permission: push
+    branchesProtection:
+      - pattern: main
+        enforceAdmins: true
+        allowsDeletions: false
+        allowsForcePushes: false
+        requiredLinearHistory: true
+        dismissStaleReviews: true
+        requiredApprovingReviewCount: 1
+        requireLastPushApproval: true
+        restrictDismissals: true
+        pushRestrictions:
+          - tuf-root-signing-staging-codeowners
+          - sigstore-bot
+        dismissalRestrictions:
+          - tuf-root-signing-staging-codeowners
+      - pattern: publish
+        enforceAdmins: true
+        allowsDeletions: false
+        allowsForcePushes: false
+        requiredLinearHistory: true
+        dismissStaleReviews: true
+        requiredApprovingReviewCount: 1
+        requireLastPushApproval: true
+        restrictDismissals: true
+        pushRestrictions:
+          - sigstore-bot
   - name: ruby-sigstore
     owner: sigstore
     description: Rubygems sigstore signing plugin