From 74496ab63a7efbe09a6142546f9523b879703515 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Mon, 17 Jun 2024 13:31:45 +0530
Subject: [PATCH] feat: fix custom sigstore conformance tests (#10473) (#10480)
* feat: add custom sigstore conformance tests
---------
Signed-off-by: Vishal Choudhary
Co-authored-by: shuting
---
 .github/workflows/conformance.yaml | 6 ++----
 .../chainsaw/custom-sigstore/standard/basic/policy.yaml | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index fd486833f6e3..4355171e2a85 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -615,8 +615,6 @@ jobs:
 - standard
 - custom-sigstore
 k8s-version:
- - name: v1.26
- version: v1.26.x
 - name: v1.27
 version: v1.27.x
 - name: v1.28
@@ -644,7 +642,7 @@ jobs:
 uses: kyverno/action-install-chainsaw@995cddaee7702e849270b84fa44cdcebe7462da8 # v0.1.9
 # create cluster
 - name: Create kind cluster and setup Sigstore Scaffolding
- uses: sigstore/scaffolding/actions/setup@2d10614e854828e2389881abe6c5cf76240897a7
+ uses: sigstore/scaffolding/actions/setup@d9197cb16e744297de67cfeef8a8e247d31206c4
 with:
 version: main
 k8s-version: ${{ matrix.k8s-version.version }}
@@ -683,7 +681,7 @@ jobs:
 TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h
 crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL
 cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json
- COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y
+ COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y
 echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV
 # run tests
 - name: Test with Chainsaw
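Review bot: The new `sigstore/scaffolding/actions/setup@d9197cb1…` pin carries no release comment, unlike the `kyverno/action-install-chainsaw@… # v0.1.9` line just above it, so a reader cannot tell which upstream release the SHA corresponds to or whether it is a tagged commit at all. Append the tag or branch the commit was taken from as a trailing comment, in the same `# vX.Y.Z` form the neighbouring pin uses. Separately, the unchanged `version: main` input below appears to select the scaffolding release that gets installed; if so, the SHA pins only the action wrapper and the deployed Fulcio/Rekor stack still floats, which is worth a one-line comment or a fixed value.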
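Review bot: On the new `cosign sign` line `$OIDC_TOKEN` is expanded unquoted and nothing in this hunk shows where it is set; presumably the updated scaffolding setup step exports it, but that is not visible here. If the variable is empty the shell drops the word and `--identity-token` would likely take `-y` as its value, so the step fails with a confusing token error rather than a clear one. Fail fast and quote the expansion: add `: "${OIDC_TOKEN:?OIDC_TOKEN was not exported by the Sigstore setup step}"` before the sign command and pass `--identity-token "$OIDC_TOKEN" -y`. The other expansions on that line (`$REKOR_URL`, `$FULCIO_URL`, `$TEST_IMAGE_URL`) would benefit from the same quoting. The enclosing `run:` script starts and ends outside the hunk.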
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
index 5513284a81a3..bbf59ae3110e 100644
--- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
@@ -27,7 +27,7 @@ spec:
 entries:
 - keyless:
 issuer: "https://kubernetes.default.svc.cluster.local"
- subject: "*"
+ subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default"
 rekor:
 url: "{{ tufvalues.data.REKOR_URL }}"
- required: true
\ No newline at end of file
+ required: true
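Review bot: The exact `subject` that replaces the `"*"` wildcard is tied to whichever identity the workflow's signing token carries, and the policy does not record that dependency. If the signing step in `conformance.yaml` ever uses a token for a different namespace or service account, verification fails with no hint about the cause. Add a comment above the field, for example `# must equal the subject of the OIDC token used by the custom-sigstore job in conformance.yaml (default/default service account)`. That the token belongs to this service account is inferred from the issuer value and is not shown in the diff, so confirm it when wording the comment.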