e2e tests: Use beacon token.

We've been getting a few security reports complaining about the use of pull_request_target. For the record, this token was only ever used for testing, and was not an actual security vulnerability. That said, we don't particularly enjoy having to explain this again and again, so move to the beacon token to hopefully quell these reports. The beacon token unfortunately does not support staging, so removing that e2e test for the time being.
wlynch · Jul 29, 2024 · dcd3e9c · dcd3e9c
1 parent 6ba65fc
commit dcd3e9c
Showing 1 changed file with 12 additions and 37 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -2,8 +2,7 @@ name: E2E
 
 on:
   push:
-  pull_request_target:
-    branches: ["main"]
+  pull_request:
   workflow_dispatch:
 
 jobs:
@@ -49,6 +48,13 @@ jobs:
           go-version: "1.22"
           check-latest: true
 
+      - name: Get test OIDC token
+        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main
+
+      - name: export OIDC token
+        run: |
+          echo "SIGSTORE_OIDC_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV
+
       - name: e2e unit tests
         run: |
           set -e
@@ -87,10 +93,9 @@ jobs:
 
           echo "========== gitsign verify =========="
           gitsign verify \
-            --certificate-github-workflow-repository=${{ github.repository }} \
-            --certificate-github-workflow-sha=${{ github.sha }} \
+            --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \
             --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-            --certificate-identity="https://github.com/${{ github.workflow_ref }}"
+            --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main"
 
           # Extra debug info
           git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
@@ -109,39 +114,9 @@ jobs:
 
           echo "========== gitsign verify =========="
           gitsign verify \
-            --certificate-github-workflow-repository=${{ github.repository }} \
-            --certificate-github-workflow-sha=${{ github.sha }} \
-            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-            --certificate-identity="https://github.com/${{ github.workflow_ref }}"
-
-          # Extra debug info
-          git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
-      - name: Test Sign and Verify commit - staging
-        env:
-          GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth"
-          GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev"
-          GITSIGN_REKOR_URL: "https://rekor.sigstage.dev"
-        run: |
-          set -e
-
-          # Initialize with staging TUF root - https://github.com/sigstore/root-signing-staging
-          rm -rf ~/.sigstore
-          wget -O root.json -U "gitsign e2e test" https://tuf-repo-cdn.sigstage.dev/4.root.json
-          gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json
-
-          # Sign commit
-          git commit --allow-empty -S --message="Signed commit"
-
-          # Verify commit
-          echo "========== git verify-commit =========="
-          git verify-commit HEAD
-
-          echo "========== gitsign verify =========="
-          gitsign verify \
-            --certificate-github-workflow-repository=${{ github.repository }} \
-            --certificate-github-workflow-sha=${{ github.sha }} \
+            --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \
             --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-            --certificate-identity="https://github.com/${{ github.workflow_ref }}"
+            --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main"
 
           # Extra debug info
           git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text