Add model signing unit test GitHub Actions #41
The token doesn't seem to be available when creating the PR to add the workflow, so that's why the CI fails. https://github.com/mihaimaruseac/model-transparency/actions/runs/6628201742/job/18004764703 is the equivalent of this on my own fork (mihaimaruseac#2)
Correct. We need to check how sigstore-python did it. iirc, they pre-generate some tokens every 15 min or so and put them in a bucket; then use these for the pre-submits. There's a lot of pre-submits we can add without signing zo, like unit tests for hashing, etc. Also, we will eventually need regression tests that ensure that previously-generated signatures can be verified by new versions of the verifier.
Yeah, I tried this as a quick way to check the dependabot PRs without needing to run manually or write longer unit tests. But probably it's better to revert to writing unit tests and running those instead.
If we want to get something out, what about just having the tests run on merging to main and on demand so we can at least detect regressions?
Can probably store a few signed models under a testdata folder and verify them on new PRs. At least that tests (1) the build / installation and (2) the verification.
That was my reasoning for sending the PR. We can also run locally (test model signing locally, run SLSA on own fork), but we'd probably still need a CI for dependency resolution to prevent #43
So let's just test the installation then? Can be a pre-submit and is not throwaway work?
Yeah, that's my impression after #43, we can just make a CI that tries to install the deps and if we think something might break further try to debug locally (like I just did for #37 and #32)
Yup, working on a PR for that
Signed-off-by: Mihai Maruseac <[email protected]>