Skip to content

default to generating dsse rekor entries #2265

default to generating dsse rekor entries

default to generating dsse rekor entries #2265

Workflow file for this run

name: Smoke test
on:
workflow_dispatch:
push:
branches: ['main']
pull_request:
branches: ['main']
permissions:
contents: read
jobs:
sign-verify:
name: Sign/Verify Artifact
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout source
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Setup node
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci
- name: Build sigstore-js
run: |
npm run build
- name: Create artifact to sign
run: |
echo -n "hello world" > artifact
- name: Sign artifact
run: |
./packages/cli/bin/run attest --type "text/plain" --out bundle.json artifact
- name: Verify bundle
run: |
./packages/cli/bin/run verify bundle.json
- name: Archive bundle
if: success() || failure()
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bundle.public-good.json
path: bundle.json
sign-verify-mock:
name: Sign/Verify Artifact (Mock Stack)
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
DEBUG: "tuf:*"
SIGSTORE_URL: "http://localhost:8000"
steps:
- name: Checkout source
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Setup node
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci
- name: Build sigstore-js
run: |
npm run build
- name: Start mock server (background)
run: |
npm run start --workspace packages/mock-server &
- name: Retrieve TUF trusted root
run: |
wget "${SIGSTORE_URL}/1.root.json"
- name: Create artifact to sign
run: |
echo -n "hello world" > artifact
- name: Sign artifact
run: |
./packages/cli/bin/run attest \
--fulcio-url ${SIGSTORE_URL} \
--rekor-url ${SIGSTORE_URL} \
--tsa-server-url ${SIGSTORE_URL} \
--type "text/plain" \
--out bundle.json \
artifact
- name: Verify bundle
run: |
./packages/cli/bin/run verify \
--tuf-mirror-url ${SIGSTORE_URL} \
--tuf-root-path ./1.root.json \
bundle.json
- name: Archive bundle
if: success() || failure()
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bundle.mock.json
path: bundle.json
sign-verify-staging:
name: Sign/Verify Artifact (Staging)
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
DEBUG: "tuf:*"
TUF_MIRROR_URL: https://tuf-repo-cdn.sigstage.dev
steps:
- name: Checkout source
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Setup node
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci
- name: Build sigstore-js
run: |
npm run build
- name: Retrieve TUF trusted root
run: |
wget ${TUF_MIRROR_URL}/1.root.json
- name: Create artifact to sign
run: |
echo -n "hello world" > artifact
- name: Sign artifact
run: |
./packages/cli/bin/run attest \
--fulcio-url https://fulcio.sigstage.dev \
--rekor-url https://rekor.sigstage.dev \
--type "text/plain" \
--out bundle.json \
artifact
- name: Verify bundle
run: |
./packages/cli/bin/run verify \
--tuf-mirror-url ${TUF_MIRROR_URL} \
--tuf-root-path ./1.root.json \
bundle.json
- name: Archive bundle
if: success() || failure()
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bundle.staging.json
path: bundle.json