From 6bc26cfc5e23777f4e24aaf5def813d314ebfd25 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 26 Feb 2026 14:23:01 -0800
Subject: [PATCH] add e2e tests (#368)
Signed-off-by: Brian DeHamer
---
.github/workflows/prober-github.yml | 18 +++++
.github/workflows/prober-public-good.yml | 18 +++++
.github/workflows/prober.yml | 84 ++++++++++++++++++++++++
3 files changed, 120 insertions(+)
create mode 100644 .github/workflows/prober-github.yml
create mode 100644 .github/workflows/prober-public-good.yml
create mode 100644 .github/workflows/prober.yml
diff --git a/.github/workflows/prober-github.yml b/.github/workflows/prober-github.yml
new file mode 100644
index 0000000..ea0b10f
--- /dev/null
+++ b/.github/workflows/prober-github.yml
@@ -0,0 +1,18 @@
+name: GitHub Sigstore Prober
+
+on:
+ workflow_dispatch:
+ schedule:
+ # run every 5 minutes, as often as Github Actions allows
+ - cron: '*/5 * * * *'
+
+jobs:
+ prober:
+ if: github.repository_owner == 'actions'
+ permissions:
+ attestations: write
+ id-token: write
+ secrets: inherit
+ uses: ./.github/workflows/prober.yml
+ with:
+ sigstore: github
diff --git a/.github/workflows/prober-public-good.yml b/.github/workflows/prober-public-good.yml
new file mode 100644
index 0000000..d8efefd
--- /dev/null
+++ b/.github/workflows/prober-public-good.yml
@@ -0,0 +1,18 @@
+name: Public-Good Sigstore Prober
+
+on:
+ workflow_dispatch:
+ schedule:
+ # run every 5 minutes, as often as Github Actions allows
+ - cron: '*/5 * * * *'
+
+jobs:
+ prober:
+ if: github.repository_owner == 'actions'
+ permissions:
+ attestations: write
+ id-token: write
+ secrets: inherit
+ uses: ./.github/workflows/prober.yml
+ with:
+ sigstore: public-good
diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml
new file mode 100644
index 0000000..3bc22d8
--- /dev/null
+++ b/.github/workflows/prober.yml
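Review bot: `secrets: inherit` in the `prober` job of prober-github.yml hands every repository and organization secret to the called workflow, while prober.yml (added in the same commit) reads only `DATADOG_API_KEY`, `CATALOG_SERVICE`, `STAMP` and `TEAM`; listing those four explicitly under `secrets:` keeps the reusable workflow's access to the minimum it needs. The identical job in prober-public-good.yml has the same shape and should change the same way. Since the callee is a local workflow (`./.github/workflows/prober.yml`) the exposure stays within this repository, so this is a least-privilege hardening point rather than a defect.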
@@ -0,0 +1,84 @@ +name: Prober Workflow + +on: + workflow_call: + inputs: + sigstore: + description: 'Which Sigstore instance to use for signing' + required: true + type: string + +jobs: + probe: + runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write + + steps: + - name: Request OIDC Token + run: | + curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \ + -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ + -H "Accept: application/json; api-version=2.0" \ + -H "Content-Type: application/json" \ + --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' + + - name: Create artifact + run: | + date > artifact + + - name: Attest build provenance + uses: actions/attest@main + env: + INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }} + with: + subject-path: artifact + + - name: Verify build artifact + env: + GH_TOKEN: ${{ github.token }} + run: | + gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER" + + - name: Upload build artifact + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + path: "artifact" + + - name: Report attestation prober success + if: ${{ success() }} + uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3 + with: + api-key: "${{ secrets.DATADOG_API_KEY }}" + service-checks: | + - check: "attestation-integration.actions.prober" + status: 0 + host_name: github.com + tags: + - "catalog_service:${{ secrets.CATALOG_SERVICE }}" + - "service:${{ secrets.CATALOG_SERVICE }}" + - "stamp:${{ secrets.STAMP }}" + - "env:production" + - "repo:${{ github.repository }}" + - "team:${{ secrets.TEAM }}" + - "sigstore:${{ inputs.sigstore }}" + + - name: Report attestation prober failure + if: ${{ failure() }} + uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3 + with: + api-key: "${{ secrets.DATADOG_API_KEY }}" + service-checks: | + - check: "attestation-integration.actions.prober" + message: 
"${{ github.repository_owner }} failed prober check" + status: 2 + host_name: github.com + tags: + - "catalog_service:${{ secrets.CATALOG_SERVICE }}" + - "service:${{ secrets.CATALOG_SERVICE }}" + - "stamp:${{ secrets.STAMP }}" + - "env:production" + - "repo:${{ github.repository }}" + - "team:${{ secrets.TEAM }}" + - "sigstore:${{ inputs.sigstore }}"
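Review bot: `uses: actions/attest@main` in the "Attest build provenance" step is the only floating ref in this workflow; the upload-artifact and datadog steps are pinned to a commit SHA with a version comment. If tracking `main` is deliberate (plausible for a prober of the action itself, given the `repository_owner == 'actions'` guard in the caller workflows), record that with a comment such as `# intentionally unpinned: probe the current main build of the action`; otherwise pin it like the other steps. The same step injects `INPUT_PRIVATE-SIGNING` via `env:` rather than `with:`, presumably because `private-signing` is not a declared input; a one-line comment saying so would stop the next reader from "fixing" it, and if the input is declared, `private-signing: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}` under `with:` is the supported form. Separately, the "Request OIDC Token" step's `curl … | jq | jq` pipeline runs under the default `bash -e` shell without `pipefail`, so a failed token request is masked by the last `jq`'s exit status; adding `shell: bash` to that step (which enables `-o pipefail`) or opening the script with `set -euo pipefail` makes the probe fail where it is meant to.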