Bump github.com/sigstore/rekor from 1.3.2 to 1.3.3 #985
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: E2E | |
on: | |
push: | |
pull_request_target: | |
branches: ['main'] | |
workflow_dispatch: | |
jobs: | |
e2e: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # Enable OIDC | |
# The rest of these are sanity-check settings, since I'm not sure if the | |
# org default is permissive or restricted. | |
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
# for more details. | |
actions: none | |
checks: none | |
contents: read | |
deployments: none | |
issues: none | |
packages: none | |
pages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
env: | |
# Output logs to file in case we need to inspect errors. | |
GITSIGN_LOG: "/tmp/gitsign.log" | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# Use the merge commit if type is pull_request/pull_request_target, | |
# else use the default ref. | |
# By default pull_request_target will use the base branch as the | |
# target since it was originally intended for trusted workloads. | |
# However, we need to use this to have access to the OIDC creds | |
# for the e2e tests, so insert our own logic here. | |
# This is effectively a ternary of the form ${{ <condition> && <true> || <false> }}. | |
# See https://docs.github.com/en/actions/learn-github-actions/expressions for more details. | |
ref: ${{ startsWith(github.event_name, 'pull_request') && format('refs/pull/{0}/merge', github.event.number) || github.ref }} | |
- name: Set up Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version: '1.21' | |
check-latest: true | |
- name: Install Gitsign | |
run: | | |
set -e | |
# Setup repo + tool | |
make install-gitsign | |
export PATH="$PATH:$GOPATH/bin" | |
echo "PATH=${PATH}" | |
whereis gitsign | |
mkdir /tmp/git | |
cd /tmp/git | |
git init -b main . | |
git config --global user.email "[email protected]" | |
git config --global user.name "gitsign" | |
git config --global gpg.x509.program gitsign | |
git config --global gpg.format x509 | |
git config --global commit.gpgsign true | |
# Verify tool is on our path | |
gitsign -h | |
- name: Test Sign and Verify commit | |
run: | | |
set -e | |
# Sign commit | |
git commit --allow-empty -S --message="Signed commit" | |
# Verify commit | |
echo "========== git verify-commit ==========" | |
git verify-commit HEAD | |
echo "========== gitsign verify ==========" | |
gitsign verify \ | |
--certificate-github-workflow-repository=${{ github.repository }} \ | |
--certificate-github-workflow-sha=${{ github.sha }} \ | |
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | |
--certificate-identity="https://github.com/${{ github.workflow_ref }}" | |
# Extra debug info | |
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text | |
- name: Test Sign and Verify commit - offline verification | |
env: | |
GITSIGN_REKOR_MODE: "offline" | |
run: | | |
set -e | |
# Sign commit | |
git commit --allow-empty -S --message="Signed commit" | |
# Verify commit | |
echo "========== git verify-commit ==========" | |
git verify-commit HEAD | |
echo "========== gitsign verify ==========" | |
gitsign verify \ | |
--certificate-github-workflow-repository=${{ github.repository }} \ | |
--certificate-github-workflow-sha=${{ github.sha }} \ | |
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | |
--certificate-identity="https://github.com/${{ github.workflow_ref }}" | |
# Extra debug info | |
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text | |
- name: Test Sign and Verify commit - staging | |
env: | |
GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth" | |
GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev" | |
GITSIGN_REKOR_URL: "https://rekor.sigstage.dev" | |
run: | | |
set -e | |
# Setup staging TUF root - https://github.com/sigstore/public-good-instance/blob/1023ed05b7a8cf28e6a7de73bf98dd5075d97858/playbooks/tuf.md#updating-tuf-metadata-for-staging | |
rm -rf ~/.sigstore | |
wget https://tuf-repo-cdn.sigstage.dev/root.json | |
gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json | |
# Sign commit | |
git commit --allow-empty -S --message="Signed commit" | |
# Verify commit | |
echo "========== git verify-commit ==========" | |
git verify-commit HEAD | |
echo "========== gitsign verify ==========" | |
gitsign verify \ | |
--certificate-github-workflow-repository=${{ github.repository }} \ | |
--certificate-github-workflow-sha=${{ github.sha }} \ | |
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | |
--certificate-identity="https://github.com/${{ github.workflow_ref }}" | |
# Extra debug info | |
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text | |
- name: Debug log | |
if: failure() | |
run: cat "${GITSIGN_LOG}" |