Skip to content

adds tsa cert chain check for env var or tuf targets. #2754

adds tsa cert chain check for env var or tuf targets.

adds tsa cert chain check for env var or tuf targets. #2754

Workflow file for this run

#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: e2e-tests
# Run on every push, and allow it to be run manually.
on:
push:
paths:
- '**'
- '!**.md'
- '!doc/**'
- '!**.txt'
- '!images/**'
- '!LICENSE'
- 'test/**'
branches:
- "main"
pull_request:
workflow_dispatch:
jobs:
e2e-cross:
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.21'
check-latest: true
- name: Run cross platform e2e tests
run: go test -tags=e2e,cross -v ./test/...
e2e-test-pkcs11:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.21'
check-latest: true
- name: Run pkcs11 end-to-end tests
shell: bash
run: ./test/e2e_test_pkcs11.sh
e2e-kms:
runs-on: ubuntu-latest
services:
vault:
image: hashicorp/vault:latest
env:
VAULT_DEV_ROOT_TOKEN_ID: root
options: >-
--health-cmd "VAULT_ADDR=http://127.0.0.1:8200 vault status"
--health-interval 1s
--health-timeout 5s
--health-retries 5
--restart always
ports:
- 8200:8200
env:
VAULT_TOKEN: "root"
VAULT_ADDR: "http://localhost:8200"
COSIGN_YES: "true"
SCAFFOLDING_RELEASE_VERSION: "v0.7.2"
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cpanato/vault-installer@ac6d910a90d64f78ef773afe83887a35c95245c6 # v1.0.3
with:
vault-release: '1.14.1'
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.21'
check-latest: true
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- name: Install cluster + sigstore
uses: sigstore/scaffolding/actions/setup@main
with:
version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
- name: enable vault transit
run: vault secrets enable transit
- name: Acceptance Tests
run: go test -tags=e2e,kms -v ./test/...
e2e-registry:
runs-on: ubuntu-latest
env:
SCAFFOLDING_RELEASE_VERSION: "v0.7.2"
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.21'
check-latest: true
- name: Setup mirror
uses: chainguard-dev/actions/setup-mirror@main
with:
mirror: mirror.gcr.io
- name: Install cluster + sigstore
uses: sigstore/scaffolding/actions/setup@main
with:
version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
- name: Setup local insecure registry
run: |
# Create a self-signed SSL cert
mkdir -p insecure-certs
openssl req \
-subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/[email protected]" \
-newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
-x509 -days 365 -out insecure-certs/domain.crt
# Run a registry.
docker run -d --restart=always \
--name $INSECURE_REGISTRY_NAME \
-v "$(pwd)"/insecure-certs:/insecure-certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:$INSECURE_REGISTRY_PORT \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \
-p $INSECURE_REGISTRY_PORT:$INSECURE_REGISTRY_PORT \
registry:2
sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
env:
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames.
INSECURE_REGISTRY_NAME: insecure-registry.notlocal
INSECURE_REGISTRY_PORT: 5001
- name: Run Insecure Registry Tests
run: go test -tags=e2e,registry -v ./test/...
env:
COSIGN_TEST_REPO: insecure-registry.notlocal:5001
- name: Setup local insecure OCI 1.1 registry
run: |
# Create a self-signed SSL cert
mkdir -p insecure-certs
openssl req \
-subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/[email protected]" \
-newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
-x509 -days 365 -out insecure-certs/domain.crt
cat > config.json << EOF
{
"distSpecVersion": "1.1.0-dev",
"storage": {
"rootDirectory": "/tmp/zot"
},
"http": {
"address": "0.0.0.0",
"port": "5002",
"realm": "zot",
"tls": {
"cert": "/insecure-certs/domain.crt",
"key": "/insecure-certs/domain.key"
}
},
"log": {
"level": "debug"
}
}
EOF
# Run a registry.
docker run -d --restart=always \
--name $INSECURE_OCI_REGISTRY_NAME \
-v "$(pwd)"/insecure-certs:/insecure-certs \
-v "$(pwd)"/config.json:/etc/zot/config.json \
-p $INSECURE_OCI_REGISTRY_PORT:$INSECURE_OCI_REGISTRY_PORT \
ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION
sudo echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts
env:
ZOT_VERSION: v2.0.0-rc6
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames.
INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal
INSECURE_OCI_REGISTRY_PORT: 5002
- name: Run Insecure OCI 1.1 Registry Tests
run: go test -tags=e2e,registry -v ./test/...
env:
OCI11: yes
COSIGN_TEST_REPO: insecure-oci-registry.notlocal:5002
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main