smoke-test.yml
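name: Smoke test

# End-to-end smoke test: build the CLI, sign a fixed artifact, verify the
# resulting bundle, and archive the bundle for inspection. The same flow is
# run against three backends: the CLI defaults, a local mock stack, and the
# sigstage.dev staging instance.

on:
  workflow_dispatch:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']

# Workflow-wide default is read-only; each job below widens this only by
# id-token: write.
permissions:
  contents: read

jobs:
  sign-verify:
    name: Sign/Verify Artifact
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request a GitHub OIDC token; presumably consumed by the
      # "Sign artifact" step as the signing identity.
      # NOTE(review): GitHub does not grant id-token: write to pull_request
      # runs from forks, so signing is expected to fail for those PRs --
      # confirm that is the intended behaviour.
      id-token: write
    steps:
      - name: Checkout source
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Nothing in this job pushes or fetches after checkout, so do not
          # leave the job token in the local git config.
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: 18
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build sigstore-js
        run: |
          npm run build
      - name: Create artifact to sign
        run: |
          echo -n "hello world" > artifact
      - name: Sign artifact
        run: |
          ./packages/cli/bin/run attest --type "text/plain" --out bundle.json artifact
      # As invoked here, verify is given only the bundle: no expected signer
      # identity or issuer is asserted. That is enough for a smoke test of the
      # sign/verify plumbing, but it does not check *who* produced the bundle.
      - name: Verify bundle
        run: |
          ./packages/cli/bin/run verify bundle.json
      # Runs after a failed step too (but not on cancellation), so a bundle
      # that fails verification is still available for debugging.
      - name: Archive bundle
        if: success() || failure()
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: bundle.public-good.json
          path: bundle.json

  sign-verify-mock:
    name: Sign/Verify Artifact (Mock Stack)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    env:
      DEBUG: "tuf:*"
      # Plain HTTP is acceptable only because this is the loopback mock
      # server started inside the job.
      SIGSTORE_URL: "http://localhost:8000"
    steps:
      - name: Checkout source
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: 18
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build sigstore-js
        run: |
          npm run build
      - name: Start mock server (background)
        run: |
          npm run start --workspace packages/mock-server &
      # The server was backgrounded in the previous step and may not be
      # listening yet; retry refused connections instead of failing the job
      # on a startup race.
      # The root is fetched from the same endpoint it is later used to
      # verify, so this exercises the TUF client path rather than
      # establishing trust. Outside a test, obtain the root out of band.
      - name: Retrieve TUF trusted root
        run: |
          wget --retry-connrefused --tries=10 --waitretry=1 "${SIGSTORE_URL}/1.root.json"
      - name: Create artifact to sign
        run: |
          echo -n "hello world" > artifact
      - name: Sign artifact
        run: |
          ./packages/cli/bin/run attest \
            --fulcio-url "${SIGSTORE_URL}" \
            --rekor-url "${SIGSTORE_URL}" \
            --tsa-server-url "${SIGSTORE_URL}" \
            --type "text/plain" \
            --out bundle.json \
            artifact
      - name: Verify bundle
        run: |
          ./packages/cli/bin/run verify \
            --tuf-mirror-url "${SIGSTORE_URL}" \
            --tuf-root-path ./1.root.json \
            bundle.json
      - name: Archive bundle
        if: success() || failure()
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: bundle.mock.json
          path: bundle.json

  sign-verify-staging:
    name: Sign/Verify Artifact (Staging)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    env:
      DEBUG: "tuf:*"
      TUF_MIRROR_URL: "https://tuf-repo-cdn.sigstage.dev"
    steps:
      - name: Checkout source
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: 18
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build sigstore-js
        run: |
          npm run build
      # The staging root is downloaded at run time from the mirror it will
      # be used to verify (trust on first use over HTTPS). Fine for a smoke
      # test; a deployment that relies on the result should pin the root.
      - name: Retrieve TUF trusted root
        run: |
          wget "${TUF_MIRROR_URL}/1.root.json"
      - name: Create artifact to sign
        run: |
          echo -n "hello world" > artifact
      - name: Sign artifact
        run: |
          ./packages/cli/bin/run attest \
            --fulcio-url https://fulcio.sigstage.dev \
            --rekor-url https://rekor.sigstage.dev \
            --type "text/plain" \
            --out bundle.json \
            artifact
      - name: Verify bundle
        run: |
          ./packages/cli/bin/run verify \
            --tuf-mirror-url "${TUF_MIRROR_URL}" \
            --tuf-root-path ./1.root.json \
            bundle.json
      - name: Archive bundle
        if: success() || failure()
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: bundle.staging.json
          path: bundle.json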