create_signing_events.py
# Copyright 2023 Google LLC
"""Command line tool to create signing events for roles that are about to expire"""
import logging
import subprocess
from glob import glob
import click
from tuf_on_ci._repository import CIRepository
# Module logger: _git() records every command it runs and its stdout here at DEBUG.
logger = logging.getLogger(__name__)
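def _git(cmd: list[str]) -> subprocess.CompletedProcess:
    """Run a git command with a fixed committer identity and return the result.

    The identity is injected with ``-c user.name`` / ``-c user.email`` so that
    commits made by this tool are attributed to the CI bot regardless of the
    local git configuration. The command is passed as an argument list (no
    shell), so the elements of *cmd* are never re-interpreted by a shell.

    Args:
        cmd: git sub-command and its arguments, e.g. ``["add", "--", path]``.

    Returns:
        The completed process; stdout and stderr are captured as text.

    Raises:
        subprocess.CalledProcessError: if git exits non-zero. The captured
            stderr is logged at DEBUG before re-raising, because the
            exception's own message only carries the command and exit code.
    """
    # Do not rebind the parameter: keep the caller's sub-command separate from
    # the fully assembled command line.
    full_cmd = [
        "git",
        "-c",
        "user.name=TUF-on-CI",
        "-c",
        "user.email=41898282+github-actions[bot]@users.noreply.github.com",
        *cmd,
    ]
    try:
        proc = subprocess.run(full_cmd, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as e:
        # Some callers expect a failure (e.g. probing whether a ref exists),
        # so keep the diagnostics at DEBUG and let the caller decide.
        logger.debug("%s failed (%s):\n%s", full_cmd, e.returncode, e.stderr)
        raise
    logger.debug("%s:\n%s", full_cmd, proc.stdout)
    return proc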
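@click.command()  # type: ignore[arg-type]
@click.option("-v", "--verbose", count=True, default=0)
@click.option("--push/--no-push", default=False)
def create_signing_events(verbose: int, push: bool) -> None:
    """Create new branches with version bump commits for expiring offline roles

    Note that these offline role versions will not be signed yet: each branch
    holds one version bump commit that a later signing event must sign.
    timestamp.json and snapshot.json are skipped.

    If --push, the branches are pushed to origin. Otherwise local branches are
    created.

    Args:
        verbose: repeat count of ``-v``; each level lowers the log threshold
            by 10 (WARNING -> INFO -> DEBUG).
        push: push each new branch to origin instead of creating a local one.

    Raises:
        subprocess.CalledProcessError: if a git step other than the
            ref-existence probe fails. The bump commit is removed from HEAD
            (``git reset --hard HEAD^``) before the error propagates.
    """
    logging.basicConfig(level=logging.WARNING - verbose * 10)

    repo = CIRepository("metadata")
    # Roles that are never bumped by this tool.
    skipped = {"timestamp.json", "snapshot.json"}

    events: list[str] = []
    for filename in glob("*.json", root_dir="metadata"):
        if filename in skipped:
            continue
        rolename = filename.removesuffix(".json")

        # bump_expiring() modifies the metadata file in the working tree when
        # it returns a version; the reset below discards that change again.
        version = repo.bump_expiring(rolename)
        if version is None:
            logger.debug("No version bump needed for %s", rolename)
            continue

        msg = f"Periodic version bump: {rolename} v{version}"
        event = f"sign/{rolename}-v{version}"
        # With --push the probe checks the remote-tracking ref, so it only
        # reflects origin as of the last fetch.
        ref = f"refs/remotes/origin/{event}" if push else f"refs/heads/{event}"

        files = [f"metadata/{rolename}.json"]
        if rolename == "root":
            # assumes bump_expiring() also writes the versioned root copy -- TODO confirm
            files.append(f"metadata/root_history/{version}.root.json")

        # --signoff only adds a Signed-off-by trailer; the commit itself is not
        # cryptographically signed here.
        _git(["add", "--", *files])
        _git(["commit", "-m", msg, "--signoff"])
        try:
            try:
                _git(["show-ref", "--quiet", "--verify", ref])
            except subprocess.CalledProcessError:
                # show-ref exits non-zero when the ref does not exist yet.
                events.append(event)
                if push:
                    _git(["push", "origin", f"HEAD:{event}"])
                else:
                    _git(["branch", event])
            else:
                logger.debug("Signing event branch %s already exists", event)
        finally:
            # Always get back to the original HEAD (before we committed), so a
            # failed push/branch does not leave the bump commit on HEAD.
            _git(["reset", "--hard", "HEAD^"])

    # print out list of created event branches
    click.echo(" ".join(events))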