TUF-on-CI online signing #1657

	name: TUF-on-CI online signing

	permissions: {}

	on:
	schedule:
	- cron: '17 1,7,13,19 * * *'
	push:
	branches: [ main ]
	paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
	workflow_dispatch:

	jobs:
	online-sign:
	runs-on: ubuntu-latest
	permissions:
	id-token: 'write' # for OIDC identity access
	contents: 'write' # for commiting snapshot/timestamp changes
	actions: 'write' # for dispatching publish workflow
	steps:
	- id: online-sign
	uses: theupdateframework/tuf-on-ci/actions/online-sign@fce107eeb8b1887239ca3a694dc250fcabf49c7f # v0.14.0
	with:
	token: ${{ secrets.TUF_ON_CI_TOKEN \|\| secrets.GITHUB_TOKEN }}
	gcp_workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
	gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}


	update-issue:
	runs-on: ubuntu-latest
	needs: [online-sign]
	if: always() && !cancelled()
	permissions:
	issues: 'write' # for modifying Issues
	steps:
	- name: Update the issue for the workflow
	uses: theupdateframework/tuf-on-ci/actions/update-issue@fce107eeb8b1887239ca3a694dc250fcabf49c7f # v0.14.0
	with:
	token: ${{ secrets.TUF_ON_CI_TOKEN \|\| secrets.GITHUB_TOKEN }}
	success: ${{ !contains(needs.*.result, 'failure') }}

Provide feedback