diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 10577589..86923f9d 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -2,8 +2,7 @@ name: E2E on: push: - pull_request_target: - branches: ["main"] + pull_request: workflow_dispatch: jobs: @@ -49,6 +48,13 @@ jobs: go-version: "1.22" check-latest: true + - name: Get test OIDC token + uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main + + - name: export OIDC token + run: | + echo "SIGSTORE_OIDC_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV + - name: e2e unit tests run: | set -e @@ -87,10 +93,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text @@ -109,39 +114,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" - - # Extra debug info - git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text - - name: Test Sign and Verify commit - staging - env: - GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth" - GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev" - GITSIGN_REKOR_URL: "https://rekor.sigstage.dev" - run: | - set -e - - # Initialize with staging TUF root - https://github.com/sigstore/root-signing-staging - rm -rf ~/.sigstore - wget -O root.json -U "gitsign e2e test" https://tuf-repo-cdn.sigstage.dev/4.root.json - gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json - - # Sign commit - git commit --allow-empty -S --message="Signed commit" - - # Verify commit - echo "========== git verify-commit ==========" - git verify-commit HEAD - - echo "========== gitsign verify ==========" - gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text