workflows: Switch test token source (#1756)

jku · web-flow · commit ec6e833ee368 · 2026-04-28T18:16:51.000+03:00
"extremely-dangerous-public-oidc-beacon" has been very unreliable:
switch it to the new Google Cloud Run conformance testing token publisher.
* token should be updated more reliably
* token is valid for at least 45 minutes

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/.github/workflows/cross-os.yml b/.github/workflows/cross-os.yml
@@ -46,7 +46,9 @@ jobs:
           cache-dependency-path: pyproject.toml
       - run: pip install .
       - name: Fetch testing oidc token
-        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
+        run: |
+          curl --fail --retry 3 --output oidc-token.txt \
+            https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt
       - name: Sign 
         run: python -m sigstore --staging sign --identity-token $(cat oidc-token.txt) test/assets/a.txt
       - name: upload signature bundle
@@ -81,7 +83,8 @@ jobs:
           name: ${{ matrix.signed-with-os }}-bundle
       - name: Verify
         run: |
-          python -m sigstore --staging verify github --verbose \
-            --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
+          python -m sigstore --staging verify identity --verbose \
+            --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
+            --cert-oidc-issuer "https://accounts.google.com" \
             --bundle a.txt.sigstore.json \
             test/assets/a.txt
diff --git a/.github/workflows/cross-version-verify.yaml b/.github/workflows/cross-version-verify.yaml
@@ -38,7 +38,9 @@ jobs:
           cache-dependency-path: pyproject.toml
       - run: pip install .
       - name: Fetch testing oidc token
-        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
+        run: |
+          curl --fail --retry 3 --output oidc-token.txt \
+            https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt
       - name: Sign 
         run: |
           touch artifact
@@ -87,16 +89,18 @@ jobs:
           ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
           BUNDLE: artifact-${{matrix.env}}-rekor2.sigstore.json
         run: |
-          python -m sigstore $ENV_OPT verify github --verbose \
-            --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
+          python -m sigstore $ENV_OPT verify identity --verbose \
+            --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
+            --cert-oidc-issuer "https://accounts.google.com" \
             --bundle $BUNDLE \
             artifact
       - name: Verify (Rekor v1)
         env:
           ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
           BUNDLE: artifact-${{matrix.env}}-rekor1.sigstore.json
         run: |
-          python -m sigstore $ENV_OPT verify github --verbose \
-            --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
+          python -m sigstore $ENV_OPT verify identity --verbose \
+            --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
+            --cert-oidc-issuer "https://accounts.google.com" \
             --bundle $BUNDLE \
             artifact
