build(deps): bump the actions group with 2 updates (#1537)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jussi Kukkonen <[email protected]>

Author: dependabot[bot]

.github/workflows/conformance.yml

@@ -26,7 +26,7 @@ jobs:
       - name: install sigstore-python
         run: python -m pip install .
 
-      - uses: sigstore/sigstore-conformance@a7ac671d8e55553de127c8b1ad96d8d416315e83 # v0.0.19
+      - uses: sigstore/sigstore-conformance@1d8b0cdd88fa7fb5a8510e51faf6ccad8c96f10a # v0.0.20
         with:
           entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
           xfail: "test_verify*intoto-with-custom-trust-root]" # see issue 1442

.github/workflows/release.yml

@@ -129,7 +129,7 @@ jobs:
         # Confusingly, this action also supports updating releases, not
         # just creating them. This is what we want here, since we've manually
         # created the release that triggered the action.
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
         with:
           # smoketest-artifacts/ contains the signatures and certificates.
           files: |

test/integration/sigstore-python-conformance

@@ -59,20 +59,34 @@ if "--staging" in fixed_args:
     command.append("--staging")
     fixed_args.remove("--staging")
 
-# We may get "--trusted-root" as argument but sigstore-python wants "--trust-config":
+# We may get "--trusted-root" and "--signing-config" as argument but sigstore-python
+# wants "--trust-config":
 trusted_root_path = None
 with suppress(ValueError):
     i = fixed_args.index("--trusted-root")
     trusted_root_path = fixed_args[i + 1]
     fixed_args.pop(i)
     fixed_args.pop(i)
 
+signing_config_path = None
+with suppress(ValueError):
+    i = fixed_args.index("--signing-config")
+    signing_config_path = fixed_args[i + 1]
+    fixed_args.pop(i)
+    fixed_args.pop(i)
+
+
 # If we did get a trustedroot, write a matching trustconfig into a temp file
+# Use given signingconfig if possible, otherwise use the fake one in template
 with NamedTemporaryFile(mode="wt") as temp_file:
     if trusted_root_path is not None:
         with open(trusted_root_path) as f:
             trusted_root = json.load(f)
         trust_config["trustedRoot"] = trusted_root
+        if signing_config_path is not None:
+            with open(signing_config_path) as f:
+                signing_config = json.load(f)
+            trust_config["signingConfig"] = signing_config
 
         json.dump(trust_config, temp_file)
         temp_file.flush()