Add pre-submit client tests with local trusted root and signing config #3
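# Pre-submit client tests against the trusted root and signing config that are
# checked out from the PR itself (not the public Sigstore TUF root):
#   1. trust-config wraps targets/trusted_root.json and
#      targets/signing_config.v0.2.json into a client trust config, creates a
#      test artifact and uploads all of it as one workflow artifact.
#   2. sigstore-python and sigstore-go download that artifact, sign the test
#      artifact with this workflow's GitHub OIDC identity, then verify the
#      resulting bundle against the same trusted root and identity.
#
# NOTE(review): the trusted root and signing config come from the PR checkout,
# so a same-repo PR decides which Fulcio/Rekor/TSA endpoints receive this
# workflow's OIDC token. That is the point of the test, but keep it in mind
# when extending the job permissions.
name: Test with PR trusted root and singing config.
on:
  workflow_dispatch:
  pull_request:
# No default token permissions; each job requests only what it needs.
permissions: {}
env:
  UPLOAD_ARTIFACT_NAME: trust-config-files
  TRUST_CONFIG_V01: ./trust_config.v0.1.json
  SIGNING_CONFIG_V01: ./targets/signing_config.json
  SIGNING_CONFIG_V02: ./targets/signing_config.v0.2.json
  TRUSTED_ROOT_V01: ./targets/trusted_root.json
  # SAN expected in the signing certificate: the fully qualified workflow ref,
  # e.g. https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>
  IDENTITY: ${{ github.server_url }}/${{ github.workflow_ref }}
  ISSUER: https://token.actions.githubusercontent.com
  TEST_ARTIFACT: ./hello.txt
jobs:
  # Builds the trust config from the PR's files and publishes everything the
  # client jobs need as a single artifact (its id is exposed as a job output).
  trust-config:
    outputs:
      trust-config-artifact-id: ${{ steps.upload.outputs.artifact-id }}
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: create config files
        env:
          MEDIA_TYPE: application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
        # Inputs are passed as shell and jq variables instead of being
        # interpolated into the script with ${{ }}, so a value containing shell
        # or jq metacharacters cannot change the command that runs.
        run: |
          jq -n --arg media_type "$MEDIA_TYPE" \
            '{trustedRoot: input, signingConfig: input, mediaType: $media_type}' \
            "$TRUSTED_ROOT_V01" "$SIGNING_CONFIG_V02" > "$TRUST_CONFIG_V01"
      - name: create test artifact
        run: echo "hi" > "$TEST_ARTIFACT"
      - id: upload
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.UPLOAD_ARTIFACT_NAME }}
          if-no-files-found: error
          path: |
            ${{ env.SIGNING_CONFIG_V01 }}
            ${{ env.SIGNING_CONFIG_V02 }}
            ${{ env.TRUSTED_ROOT_V01 }}
            ${{ env.TRUST_CONFIG_V01 }}
            ${{ env.TEST_ARTIFACT }}
  # Sign + verify with sigstore-python.
  # NOTE(review): pull_request runs from forks do not receive an OIDC token
  # (id-token is downgraded by GitHub), so the sign step is expected to fail
  # for fork PRs.
  sigstore-python:
    needs: trust-config
    permissions:
      id-token: write # For signing with the GitHub workflow identity
      contents: read
    runs-on: ubuntu-latest
    env:
      SIGSTORE_PYTHON_TRUST_CONFIG: ./trust_config.json
    defaults:
      run:
        # download-artifact extracts the artifact into a directory named after it.
        working-directory: ${{ env.UPLOAD_ARTIFACT_NAME }}
    steps:
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          artifact-ids: ${{ needs.trust-config.outputs.trust-config-artifact-id }}
      - name: build sigstore-python trust-config
        # sigstore-python currently uses a non-standard "trust_config" with the
        # older signing_config format, so it gets its own wrapper built from
        # SIGNING_CONFIG_V01 instead of the uploaded TRUST_CONFIG_V01.
        env:
          MEDIA_TYPE: application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
        run: |
          jq -n --arg media_type "$MEDIA_TYPE" \
            '{trustedRoot: input, signingConfig: input, mediaType: $media_type}' \
            "$TRUSTED_ROOT_V01" "$SIGNING_CONFIG_V01" > "$SIGSTORE_PYTHON_TRUST_CONFIG"
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      # NOTE(review): unpinned; the test runs against whatever sigstore release
      # PyPI serves at run time. Pin the version (ideally with --require-hashes)
      # if reproducible results matter more than testing the newest client.
      - run: pip install sigstore
      - name: sign
        run: |
          # sign, then verify using this workflows oidc identity
          python -m sigstore --trust-config "$SIGSTORE_PYTHON_TRUST_CONFIG" sign --bundle artifact.sigstore.json "$TEST_ARTIFACT" -v
      - name: verify
        run: |
          python -m sigstore --trust-config "$SIGSTORE_PYTHON_TRUST_CONFIG" verify github --cert-identity "$IDENTITY" --bundle artifact.sigstore.json "$TEST_ARTIFACT" -v
  # Sign + verify with the sigstore-go example clients.
  # NOTE(review): same fork-PR limitation as sigstore-python above.
  sigstore-go:
    needs: trust-config
    permissions:
      id-token: write # For signing with the GitHub workflow identity
      contents: read
    runs-on: ubuntu-latest
    defaults:
      run:
        # download-artifact extracts the artifact into a directory named after it.
        working-directory: ${{ env.UPLOAD_ARTIFACT_NAME }}
    env:
      TEST_BUNDLE: ./test-bundle.sigstore.json
    steps:
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          artifact-ids: ${{ needs.trust-config.outputs.trust-config-artifact-id }}
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      - name: Install sigstore-go
        # NOTE(review): @latest is unpinned; pin to a tag or commit for
        # reproducible runs.
        run: |
          go install github.com/sigstore/sigstore-go/examples/sigstore-go-verification@latest
          go install github.com/sigstore/sigstore-go/examples/sigstore-go-signing@latest
      - name: sign
        # Signing uses the v0.2 signing config directly (no trust-config
        # wrapper needed for sigstore-go).
        run: |
          ~/go/bin/sigstore-go-signing \
            -signing-config "$SIGNING_CONFIG_V02" \
            -trusted-root "$TRUSTED_ROOT_V01" \
            "$TEST_ARTIFACT" > "$TEST_BUNDLE"
      - name: verify
        # Verifies against the PR's trusted root and pins both the expected
        # certificate SAN (workflow identity) and the OIDC issuer.
        run: |
          ~/go/bin/sigstore-go-verification \
            -tufTrustedRoot "$TRUSTED_ROOT_V01" \
            -expectedSAN "$IDENTITY" \
            -expectedIssuer "$ISSUER" \
            -artifact "$TEST_ARTIFACT" \
            "$TEST_BUNDLE"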