alitheg commented on issue #676: URL: https://github.com/apache/tooling-trusted-releases/issues/676#issuecomment-4054568311
Here's the path of that data through the application. I think we should potentially be using the model at the earlier stages rather than keeping it generic - and maybe `attestable.py` should have a method to get and save that model rather than just returning the path in the later stages? If we don't go the route of removing the dated claims when we're done with them, then that would mean attestable could opt out of validating dates by not calling the helper function that others do call.

### Creation:

`distribute_*` -> _entry_ -> _store_

`publisher/*` -> `trusted_jwt` -> _entry_ -> _store_

*entry*: `trusted_jwt_for_dist` -> `validate_trusted_jwt` -> `verify_github_oidc` (validates with model but returns dict[str,Any])

*store* `publisher/ssh_register` / `distribute_ssh_register` -> `add_workflow_key` (creates *custom* expiry for our workflow key - gh key is now done with aside from metadata)

### Usage:

SSH (if github is username) -> `validate_public_key` -> `store payload on connection` -> `store in attestable data`

_<< later >>_

Compare Paths check: `_load_tp_payload` / `_resolve_github_tp_sha` load from attestable data -> validate against model (returns model class)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
