-
Notifications
You must be signed in to change notification settings - Fork 58
121 lines (107 loc) · 3.99 KB
/
test-action-tuf.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Test github action with TUF
on:
pull_request:
branches: [ main ]
paths-ignore:
- 'terraform/**'
defaults:
run:
shell: bash
working-directory: ./
concurrency:
group: test-github-action-with-tuf${{ github.head_ref }}
cancel-in-progress: true
jobs:
test-github-action:
name: Test github action with TUF
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.23.x
- v1.24.x
- v1.25.x
# TODO: need release w/ 1.26 support first.
# - v1.26.x
release-version:
- "latest-release" # Test explicitly with latest
go-version:
- 1.20.x
leg:
- test github action with TUF
env:
KO_DOCKER_REPO: registry.local:5000/knative
COSIGN_EXPERIMENTAL: "true"
steps:
- name: Checkout the current action
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Test running the action
uses: ./actions/setup
with:
k8s-version: ${{ matrix.k8s-version }}
version: ${{ matrix.release-version }}
# Install cosign
- name: Install cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo-action-with-tuf
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=$(ko publish -B example.com/demo-action-with-tuf)
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Initialize cosign with TUF root
run: cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \
--allow-insecure-registry "${{ env.demoimage }}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
- name: Checkout TSA for testing.
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
repository: sigstore/timestamp-authority
path: ./src/github.com/sigstore/timestamp-authority
- name: Build timestamp-cli
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
go build -o ./timestamp-cli ./cmd/timestamp-cli
- name: Exercise TSA
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem
echo "myblob" > myblob
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then
echo "failed to timestamp artifact"
exit -1
fi
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
echo "failed to verify timestamp"
exit -1
fi
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
echo "failed to inspect the timestamp"
exit -1
fi
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main