default to generating dsse rekor entries #2265
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Smoke test | |
on: | |
workflow_dispatch: | |
push: | |
branches: ['main'] | |
pull_request: | |
branches: ['main'] | |
permissions: | |
contents: read | |
jobs: | |
sign-verify: | |
name: Sign/Verify Artifact | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout source | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Setup node | |
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
node-version: 18 | |
cache: npm | |
- name: Install dependencies | |
run: npm ci | |
- name: Build sigstore-js | |
run: | | |
npm run build | |
- name: Create artifact to sign | |
run: | | |
echo -n "hello world" > artifact | |
- name: Sign artifact | |
run: | | |
./packages/cli/bin/run attest --type "text/plain" --out bundle.json artifact | |
- name: Verify bundle | |
run: | | |
./packages/cli/bin/run verify bundle.json | |
- name: Archive bundle | |
if: success() || failure() | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: bundle.public-good.json | |
path: bundle.json | |
sign-verify-mock: | |
name: Sign/Verify Artifact (Mock Stack) | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
env: | |
DEBUG: "tuf:*" | |
SIGSTORE_URL: "http://localhost:8000" | |
steps: | |
- name: Checkout source | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Setup node | |
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
node-version: 18 | |
cache: npm | |
- name: Install dependencies | |
run: npm ci | |
- name: Build sigstore-js | |
run: | | |
npm run build | |
- name: Start mock server (background) | |
run: | | |
npm run start --workspace packages/mock-server & | |
- name: Retrieve TUF trusted root | |
run: | | |
wget "${SIGSTORE_URL}/1.root.json" | |
- name: Create artifact to sign | |
run: | | |
echo -n "hello world" > artifact | |
- name: Sign artifact | |
run: | | |
./packages/cli/bin/run attest \ | |
--fulcio-url ${SIGSTORE_URL} \ | |
--rekor-url ${SIGSTORE_URL} \ | |
--tsa-server-url ${SIGSTORE_URL} \ | |
--type "text/plain" \ | |
--out bundle.json \ | |
artifact | |
- name: Verify bundle | |
run: | | |
./packages/cli/bin/run verify \ | |
--tuf-mirror-url ${SIGSTORE_URL} \ | |
--tuf-root-path ./1.root.json \ | |
bundle.json | |
- name: Archive bundle | |
if: success() || failure() | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: bundle.mock.json | |
path: bundle.json | |
sign-verify-staging: | |
name: Sign/Verify Artifact (Staging) | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
env: | |
DEBUG: "tuf:*" | |
TUF_MIRROR_URL: https://tuf-repo-cdn.sigstage.dev | |
steps: | |
- name: Checkout source | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Setup node | |
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
node-version: 18 | |
cache: npm | |
- name: Install dependencies | |
run: npm ci | |
- name: Build sigstore-js | |
run: | | |
npm run build | |
- name: Retrieve TUF trusted root | |
run: | | |
wget ${TUF_MIRROR_URL}/1.root.json | |
- name: Create artifact to sign | |
run: | | |
echo -n "hello world" > artifact | |
- name: Sign artifact | |
run: | | |
./packages/cli/bin/run attest \ | |
--fulcio-url https://fulcio.sigstage.dev \ | |
--rekor-url https://rekor.sigstage.dev \ | |
--type "text/plain" \ | |
--out bundle.json \ | |
artifact | |
- name: Verify bundle | |
run: | | |
./packages/cli/bin/run verify \ | |
--tuf-mirror-url ${TUF_MIRROR_URL} \ | |
--tuf-root-path ./1.root.json \ | |
bundle.json | |
- name: Archive bundle | |
if: success() || failure() | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: bundle.staging.json | |
path: bundle.json | |