Add more self tests to CI (#23)

* Add a few more selftests * Add selftest to verify OIDC issuer * Fill in the expected OIDC issuer * Fill in expected SAN * Correct SAN * Comment out verify SAN test * Add selftest to exercise `identity-token` setting * Update .github/workflows/selftest.yml Co-authored-by: William Woodruff <william@trailofbits.com>
sigstore · Aug 5, 2022 · b7a8a48 · b7a8a48
1 parent 451c0b8
commit b7a8a48
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -41,6 +41,7 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/*.txt
+          staging: true
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -53,3 +54,64 @@ jobs:
           inputs: ./test/artifact.txt
           staging: true
           upload-signing-artifacts: true
+
+  selftest-custom-paths:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          signature: ./test/custom_signature.sig
+          certificate: ./test/custom_certificate.crt
+          staging: true
+
+  # NOTE(alex): `sigstore-python` doesn't support verifying URI SANs yet.
+  # selftest-verify-san:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - name: Sign artifact and publish signature
+  #       uses: ./
+  #       id: sigstore-python
+  #       with:
+  #         inputs: ./test/artifact.txt
+  #         verify-cert-email: https://github.com/trailofbits/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+  #         staging: true
+
+  selftest-verify-issuer:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          verify-oidc-issuer: https://token.actions.githubusercontent.com
+          staging: true
+
+  selftest-identity-token:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Get OIDC token
+        id: get-oidc-token
+        run: |
+          identity_token=$( \
+            curl -H \
+              "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+              "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" \
+            | jq -r .value \
+          )
+          echo "::set-output name=identity-token::$identity_token"
+        shell: bash
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          identity-token: ${{ steps.get-oidc-token.outputs.identity-token }}
+          staging: true