github · GrantBirki · Oct 21, 2025 · Oct 21, 2025
@@ -14,7 +14,7 @@ group :development do
   gem "rubocop-performance", "~> 1"
   gem "rubocop-rspec", "~> 3"
   gem "rubygems-await", "~> 0.5.4"
-  gem "sigstore-cli", "~> 0.2.1"
+  gem "sigstore-cli", git: "https://github.com/sigstore/sigstore-ruby", ref: "ce93acf7fa7e26ba81ff21820848d7df2273a557"
   gem "simplecov", "~> 0.22"
   gem "simplecov-erb", "~> 1"
   gem "vcr", "~> 6.3", ">= 6.3.1"

@@ -1,3 +1,12 @@
+GIT
+  remote: https://github.com/sigstore/sigstore-ruby
+  revision: ce93acf7fa7e26ba81ff21820848d7df2273a557
+  ref: ce93acf7fa7e26ba81ff21820848d7df2273a557
+  specs:
+    sigstore-cli (0.2.1)
+      sigstore (= 0.2.1)
+      thor
+
 PATH
   remote: .
   specs:
@@ -189,9 +198,6 @@ GEM
       net-http
       protobug_sigstore_protos (~> 0.1.0)
       uri
-    sigstore-cli (0.2.1)
-      sigstore (= 0.2.1)
-      thor
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -232,7 +238,7 @@ DEPENDENCIES
   rubocop-performance (~> 1)
   rubocop-rspec (~> 3)
   rubygems-await (~> 0.5.4)
-  sigstore-cli (~> 0.2.1)
+  sigstore-cli!
   simplecov (~> 0.22)
   simplecov-erb (~> 1)
   vcr (~> 6.3, >= 6.3.1)

@@ -0,0 +1,29 @@
+version: 2
+
+updates:
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 99
+    rebase-strategy: "disabled"
+    groups:
+      actions:
+        patterns:
+          - "*"
+
+  - package-ecosystem: github-actions
+    directory: .github/actions/upload-coverage/
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 99
+    rebase-strategy: "disabled"
+    groups:
+      actions:
+        patterns:
+          - "*"
@@ -0,0 +1,265 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    - cron: "0 12 * * *"
+
+permissions: {}
+
+jobs:
+  ruby-versions:
+    uses: ruby/actions/.github/workflows/ruby_versions.yml@3fbf038d6f0d8043b914f923764c61bc2a114a77
+    with:
+      engine: all
+      min_version: 3.2
+
+  test:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    name: Test Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+        # os: [ ubuntu-latest, macos-latest, windows-latest ]
+        # include:
+        #   - { os: windows-latest, ruby: ucrt }
+        #   - { os: windows-latest, ruby: mingw }
+        #   - { os: windows-latest, ruby: mswin }
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Run the tests
+        run: bin/rake test
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: sigstore/sigstore-ruby
+
+  sigstore-conformance:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    name: Sigstore Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+        # os: [ ubuntu-latest, macos-latest, windows-latest ]
+        # include:
+        #   - { os: windows-latest, ruby: ucrt }
+        #   - { os: windows-latest, ruby: mingw }
+        #   - { os: windows-latest, ruby: mswin }
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Run the conformance tests
+        uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
+        with:
+          entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
+          xfail: "${{ matrix.ruby != 'head' && matrix.ruby != '3.4' && 'test_verify_rejects_bad_tsa_timestamp' }}"
+        if: ${{ matrix.os }} == "ubuntu-latest"
+      - name: Run the conformance tests against staging
+        uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
+        with:
+          entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
+          xfail: "${{ matrix.ruby != 'head' && matrix.ruby != '3.4' && 'test_verify_rejects_bad_tsa_timestamp' }}"
+          environment: staging
+        if: ${{ matrix.os }} == "ubuntu-latest"
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: sigstore/sigstore-ruby
+
+  tuf-conformance:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    name: TUF Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+        # os: [ ubuntu-latest, macos-latest, windows-latest ]
+        # include:
+        #   - { os: windows-latest, ruby: ucrt }
+        #   - { os: windows-latest, ruby: mingw }
+        #   - { os: windows-latest, ruby: mswin }
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Touch requirements.txt
+        run: touch requirements.txt
+
+      - name: Write xfails
+        run: bin/rake bin/tuf-conformance-entrypoint.xfails
+
+      - name: Run the TUF conformance tests
+        uses: theupdateframework/tuf-conformance@9bfc222a371e30ad5511eb17449f68f855fb9d8f # v2.3.0
+        with:
+          entrypoint: ${{ github.workspace }}/bin/tuf-conformance-entrypoint
+          artifact-name: "test repositories ${{ matrix.ruby }} ${{ matrix.os }}"
+        if: |
+          ${{ matrix.os }} == "ubuntu-latest"
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: sigstore/sigstore-ruby
+
+  smoketest:
+    needs: ruby-versions
+    runs-on: ubuntu-latest
+    name: Smoketest
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        with:
+          ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
+          bundler-cache: true
+      - name: Build the gem
+        run: bin/rake build
+      - name: List built gems
+        id: list-gems
+        run: |
+          echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
+      - name: Run the smoketest
+        run: |
+          ./bin/smoketest ${BUILT_GEMS}
+        env:
+          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
+          WORKFLOW_NAME: ci
+
+  all-tests-pass:
+    if: always()
+
+    needs:
+      - test
+      - sigstore-conformance
+      - tuf-conformance
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - name: check test jobs
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}
+
+  lint:
+    needs: ruby-versions
+    runs-on: ubuntu-latest
+    name: Lint
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        with:
+          ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
+          bundler-cache: true
+      - name: Run the linter
+        run: bin/rubocop
+
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@180f8b44399608a850e1db031fa65c77746566d3 # v5.0.1
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: results.sarif
+          category: zizmor