e2e: reorder oidc token export #1609
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: E2E | |
on: | |
push: | |
branches: ["main"] | |
pull_request: | |
branches: ["main"] | |
workflow_dispatch: | |
jobs: | |
e2e: | |
runs-on: ubuntu-latest | |
permissions: | |
# The rest of these are sanity-check settings, since I'm not sure if the | |
# org default is permissive or restricted. | |
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
# for more details. | |
actions: none | |
checks: none | |
contents: read | |
deployments: none | |
id-token: none | |
issues: none | |
packages: none | |
pages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: Set up Go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: e2e unit tests | |
run: | | |
set -e | |
make e2e-test | |
- name: Install Gitsign | |
run: | | |
set -e | |
# Setup repo + tool | |
make install-gitsign | |
export PATH="$PATH:$GOPATH/bin" | |
echo "PATH=${PATH}" | |
whereis gitsign | |
mkdir /tmp/git | |
cd /tmp/git | |
git init -b main . | |
git config --global user.email "[email protected]" | |
git config --global user.name "gitsign" | |
git config --global gpg.x509.program gitsign | |
git config --global gpg.format x509 | |
git config --global commit.gpgsign true | |
# Verify tool is on our path | |
gitsign -h | |
# Fetch OIDC token as close to the test as possible to avoid it expiring. | |
- name: Get test OIDC token | |
uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main | |
- name: export OIDC token | |
run: | | |
echo "SIGSTORE_ID_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV | |
- name: Test Sign and Verify commit | |
run: | | |
set -e | |
# Sign commit | |
git commit --allow-empty -S --message="Signed commit" | |
# Verify commit | |
echo "========== git verify-commit ==========" | |
git verify-commit HEAD | |
echo "========== gitsign verify ==========" | |
gitsign verify \ | |
--certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ | |
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | |
--certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" | |
# Extra debug info | |
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text | |
- name: Test Sign and Verify commit - offline verification | |
env: | |
GITSIGN_REKOR_MODE: "offline" | |
run: | | |
set -e | |
# Sign commit | |
git commit --allow-empty -S --message="Signed commit" | |
# Verify commit | |
echo "========== git verify-commit ==========" | |
git verify-commit HEAD | |
echo "========== gitsign verify ==========" | |
gitsign verify \ | |
--certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ | |
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | |
--certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" | |
# Extra debug info | |
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text | |
- name: Debug log | |
if: failure() | |
run: cat "${GITSIGN_LOG}" |