workflows: various CQA fixes (#1140)

* workflows: various CQA fixes

* README: fix minor doc errors

Author: woodruffw

.github/workflows/ci.yml

@@ -31,6 +31,8 @@ jobs:
     runs-on: ${{ matrix.conf.os }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
@@ -88,6 +90,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

.github/workflows/conformance.yml

@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

.github/workflows/docs.yml

@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

.github/workflows/lint.yml

@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
@@ -28,6 +30,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       # NOTE: We intentionally check `--help` rendering against our minimum Python,
       # since it changes slightly between Python versions.
@@ -47,6 +51,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
       # adapted from Warehouse's bin/licenses
       - run: |
           for fn in $(find . -type f -name "*.py"); do
@@ -60,6 +67,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       # NOTE: We intentionally check test certificates against our minimum supported Python.
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0

.github/workflows/pin-requirements.yml

@@ -36,6 +36,8 @@ jobs:
           # NOTE: Needed for `git describe` below.
           fetch-depth: 0
           fetch-tags: true
+          # NOTE: Needed to push back to the repo.
+          persist-credentials: true
 
       - name: Get latest tag
         run: |
@@ -118,6 +120,8 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}
+          # NOTE: Needed to push back to the repo.
+          persist-credentials: true
 
       - name: Reset remote PR branch
         run: |

.github/workflows/release.yml

@@ -18,6 +18,8 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

.github/workflows/requirements.yml

@@ -29,11 +29,12 @@ jobs:
       - name: Populate reference from context
         if: ${{ env.SIGSTORE_REF == '' }}
         run: |
-          echo "SIGSTORE_REF=${{ github.ref }}" >> "${GITHUB_ENV}"
+          echo "SIGSTORE_REF=${GITHUB_REF}" >> "${GITHUB_ENV}"
 
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ env.SIGSTORE_REF }}
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         name: Install Python ${{ matrix.python_version }}

.github/workflows/scorecards-analysis.yml

@@ -8,8 +8,8 @@ on:
   push:
     branches: [ main ]
 
-# Declare default permissions as read only.
-permissions: read-all
+# Clear default permissions.
+permissions: {}
 
 jobs:
   analysis:

.github/workflows/staging-tests.yml

@@ -1,12 +1,5 @@
 name: Staging Instance Tests
 
-permissions:
-  # Needed to access the workflow's OIDC identity.
-  id-token: write
-
-  # Needed to create an issue, on failure.
-  issues: write
-
 on:
   push:
     branches:
@@ -17,8 +10,16 @@ on:
 jobs:
   staging-tests:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to access the workflow's OIDC identity.
+      id-token: write
+
+      # Needed to create an issue, on failure.
+      issues: write
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

README.md

@@ -358,12 +358,12 @@ provided below.
 
 ### Signing with ambient credentials
 
-For environments that support OpenID Connect, natively `sigstore` supports ambient credential
+For environments that support OpenID Connect, `sigstore` supports ambient credential
 detection. This includes many popular CI platforms and cloud providers. See the full list of
 supported environments [here](https://github.com/di/id#supported-environments).
 
 Sign a single file (`foo.txt`) using an ambient OpenID Connect credential,
-saving the bundle to `foo.txt.sigstore`:
+saving the bundle to `foo.txt.sigstore.json`:
 
 ```console
 $ python -m sigstore sign foo.txt
@@ -376,7 +376,7 @@ allowing you to request signing certificates that attest to control over
 that email.
 
 Sign a single file (`foo.txt`) using the OAuth2 flow, saving the
-bundle to `foo.txt.sigstore`:
+bundle to `foo.txt.sigstore.json`:
 
 ```console
 $ python -m sigstore sign foo.txt
@@ -404,11 +404,11 @@ namely the Fulcio's supported identity providers and the claims expected within
 
 ### Verifying against a signature and certificate
 
-By default, `sigstore verify identity` will attempt to find a `<filename>.sigstore` in the
-same directory as the file being verified:
+By default, `sigstore verify identity` will attempt to find a `<filename>.sigstore.json`
+or `<filename>.sigstore` in the same directory as the file being verified:
 
 ```console
-# looks for foo.txt.sigstore
+# looks for foo.txt.sigstore.json
 $ python -m sigstore verify identity foo.txt \
     --cert-identity 'hamilcar@example.com' \
     --cert-oidc-issuer 'https://github.com/login/oauth'
@@ -417,7 +417,7 @@ $ python -m sigstore verify identity foo.txt \
 Multiple files can be verified at once:
 
 ```console
-# looks for {foo,bar}.txt.sigstore
+# looks for {foo,bar}.txt.sigstore.json
 $ python -m sigstore verify identity foo.txt bar.txt \
     --cert-identity 'hamilcar@example.com' \
     --cert-oidc-issuer 'https://github.com/login/oauth'