Add support for verifying digests to CLI verify commands (#1125) #3642
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Staging Instance Tests | |
| permissions: | |
| # Needed to access the workflow's OIDC identity. | |
| id-token: write | |
| # Needed to create an issue, on failure. | |
| issues: write | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '0 */8 * * *' | |
| jobs: | |
| staging-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
| with: | |
| python-version: "3.x" | |
| cache: "pip" | |
| cache-dependency-path: pyproject.toml | |
| - name: staging tests | |
| env: | |
| SIGSTORE_LOGLEVEL: DEBUG | |
| run: | | |
| # This is similar to the "smoketest" that we run during the | |
| # release workflow, except that we run against Sigstore's | |
| # staging instances instead. | |
| # We also don't bother to build distributions. | |
| python -m venv staging-env | |
| ./staging-env/bin/python -m pip install . | |
| # Our signing target is not important here, so we just sign | |
| # the README in the repository. | |
| ./staging-env/bin/python -m sigstore --verbose --staging sign README.md | |
| # Verification also requires a different Rekor instance, so we | |
| # also test it. | |
| ./staging-env/bin/python -m sigstore --verbose --staging verify identity \ | |
| --cert-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/staging-tests.yml@${GITHUB_REF} \ | |
| README.md | |
| - name: generate an issue if staging tests fail | |
| if: failure() | |
| run: | | |
| cat <<- EOF > /tmp/staging-instance-issue.md | |
| ## Staging instance failure | |
| A scheduled test against Sigstore's staging instance has failed. | |
| This suggests one of three conditions: | |
| * A backwards-incompatible change in a Sigstore component; | |
| * A regression in \`sigstore-python\`; | |
| * A transient error. | |
| The full CI failure can be found here: | |
| ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/$GITHUB_RUN_ID | |
| EOF | |
| - name: open an issue if the staging tests fail | |
| if: failure() | |
| uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0 | |
| with: | |
| title: "[CI] Integration failure: staging instance" | |
| # created in the previous step | |
| content-filepath: /tmp/staging-instance-issue.md | |
| labels: bug,component:cicd,component:tests | |
| assignees: woodruffw,di,tetsuo-cpp |