diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 10577589..6a252dea 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -2,16 +2,13 @@ name: E2E on: push: - pull_request_target: - branches: ["main"] + pull_request: workflow_dispatch: jobs: e2e: runs-on: ubuntu-latest permissions: - id-token: write # Enable OIDC - # The rest of these are sanity-check settings, since I'm not sure if the # org default is permissive or restricted. # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token @@ -20,6 +17,7 @@ jobs: checks: none contents: read deployments: none + id-token: none issues: none packages: none pages: none @@ -49,6 +47,13 @@ jobs: go-version: "1.22" check-latest: true + - name: Get test OIDC token + uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main + + - name: export OIDC token + run: | + echo "SIGSTORE_ID_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV + - name: e2e unit tests run: | set -e @@ -87,10 +92,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text @@ -109,39 +113,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" - - # Extra debug info - git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text - - name: Test Sign and Verify commit - staging - env: - GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth" - GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev" - GITSIGN_REKOR_URL: "https://rekor.sigstage.dev" - run: | - set -e - - # Initialize with staging TUF root - https://github.com/sigstore/root-signing-staging - rm -rf ~/.sigstore - wget -O root.json -U "gitsign e2e test" https://tuf-repo-cdn.sigstage.dev/4.root.json - gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json - - # Sign commit - git commit --allow-empty -S --message="Signed commit" - - # Verify commit - echo "========== git verify-commit ==========" - git verify-commit HEAD - - echo "========== gitsign verify ==========" - gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text