From dcd3e9c8c186629c3d4510a0b041a64d950ae427 Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Mon, 29 Jul 2024 16:41:53 -0400
Subject: [PATCH] e2e tests: Use beacon token.
We've been getting a few security reports complaining about the use of pull_request_target. For the record, this token was only ever used for testing, and was not an actual security vulnerability. That said, we don't particularly enjoy having to explain this again and again, so move to the beacon token to hopefully quell these reports. The beacon token unfortunately does not support staging, so removing that e2e test for the time being.
---
.github/workflows/e2e.yaml | 49 ++++++++++----------------------------
1 file changed, 12 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 10577589..86923f9d 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -2,8 +2,7 @@ name: E2E on: push: - pull_request_target: - branches: ["main"] + pull_request: workflow_dispatch: jobs:
@@ -49,6 +48,13 @@ jobs: go-version: "1.22" check-latest: true + - name: Get test OIDC token + uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main + + - name: export OIDC token + run: | + echo "SIGSTORE_OIDC_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV + - name: e2e unit tests run: | set -e
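Review bot: Replacing `pull_request_target:` with `pull_request:` also drops the `branches: ["main"]` filter, so the workflow now runs for pull requests against any base branch, which the commit message does not mention; if the old scope was intentional, keep it as `pull_request:` followed by `branches: ["main"]`. With `pull_request`, runs from forks receive a read-only `GITHUB_TOKEN` and no repository secrets, which is the right default for a job that now obtains its signing token from an external beacon. If the job-level `permissions:` block (outside this hunk) still grants `id-token: write` for the old self-minted token, it can be reduced to `contents: read` now, since this workflow's own OIDC identity is no longer used for signing.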
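Review bot: `uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main` executes third-party action code pinned to a moving branch; pin it to a full commit SHA with the tracked ref as a comment, `uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@<full-commit-sha>  # main`, so the code that runs in this job changes only through a reviewed bump. This is independent of the identity asserted later by `gitsign verify`, which is the beacon repository's own workflow ref and, as far as the hunk shows, is not affected by how this `uses:` line is pinned. In the export step the hunk assumes the action leaves `./oidc-token.txt` in the workspace, which is not visible here; a guard such as `test -s ./oidc-token.txt` before the `echo`, and quoting the target as `>> "$GITHUB_ENV"`, would turn a missing file into a clear failure rather than an empty `SIGSTORE_OIDC_TOKEN` that only fails later in the signing step. The `steps:` list enclosing these lines continues outside the hunk.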
@@ -87,10 +93,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text 
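Review bot: The beacon identity on the `--certificate-identity=` line, and the repository on the `--certificate-github-workflow-repository=` line, are duplicated verbatim in the following `@@ -109,39 +114,9 @@` hunk's verify call; hoist them into job-level `env:` entries such as `BEACON_IDENTITY: "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main"` and reference them as `--certificate-identity="$BEACON_IDENTITY"` in both places so the two checks cannot drift. Dropping `--certificate-github-workflow-sha=${{ github.sha }}` is presumably necessary because the certificate now carries the beacon workflow's SHA rather than this run's, but a reader will expect the SHA to be checked, so a one-line comment above the call, such as `# Certificate identity is the public beacon workflow, not this run; its SHA is not ours to assert`, would document the weaker assertion. The `run: |` block enclosing these lines starts before the hunk.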
@@ -109,39 +114,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" - - # Extra debug info - git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text - - name: Test Sign and Verify commit - staging - env: - GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth" - GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev" - GITSIGN_REKOR_URL: "https://rekor.sigstage.dev" - run: | - set -e - - # Initialize with staging TUF root - https://github.com/sigstore/root-signing-staging - rm -rf ~/.sigstore - wget -O root.json -U "gitsign e2e test" https://tuf-repo-cdn.sigstage.dev/4.root.json - gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json - - # Sign commit - git commit --allow-empty -S --message="Signed commit" - - # Verify commit - echo "========== git verify-commit ==========" - git verify-commit HEAD - - echo "========== gitsign verify ==========" - gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED 
MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
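Review bot: The staging variant of the sign-and-verify test is deleted with the reason recorded only in the commit message, so the gap will be invisible to anyone reading the workflow; leave a short comment where the step stood, such as `# Staging (sigstage.dev) e2e removed: the beacon token does not support staging; restore once it does`, so it is tracked in the file. The removed step's staging endpoints and the `gitsign initialize` against the staging TUF root are the only staging coverage visible in this diff, so that comment is also the only pointer left for restoring them. The `run: |` block holding the surviving verify call starts outside the hunk.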