refactor! remove pkg directory (#145)

* refactor!: remove pkg directory * chore: include breaking changes in draft
2024-09-02 16:17:50 +01:00
parent 23849c1c2e
commit 8982778507
103 changed files with 152 additions and 142 deletions
--- a/.github/release-drafter-config.yml
+++ b/.github/release-drafter-config.yml
@@ -14,6 +14,9 @@ categories:
  - title: "🧰 Maintenance"
    labels:
      - "chore"
+  - title: "💥 Breaking Changes"
+    labels:
+      - "breaking"

 change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
 change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
@@ -21,6 +24,7 @@ version-resolver:
  major:
    labels:
      - "major"
+      - "breaking"
  minor:
    labels:
      - "minor"
@@ -40,11 +44,13 @@ autolabeler:
    branch:
      - '/docs{0,1}\/.+/'
      - '/tests{0,1}\/.+/'
-      - '/chore{0,1}\/.+/'
+      - '/chore\/.+/'
+      - '/refactor\/.+/'
    title:
      - "/docs/i"
      - "/test/i"
      - "/chore/i"
+      - "/refactor/i"
  - label: "bug"
    branch:
      - '/fix\/.+/'
@@ -60,3 +66,6 @@ autolabeler:
    title:
      - "/feat/i"
      - "/add/i"
+  - label: "breaking"
+    title:
+      - "/.*!/i"
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ See [Policy Mapping](#policy-mapping) for more details.

 The `attest.Verify` function returns a `VerificationSummary` object, which contains the results of the policy evaluation.

-See [example_verify_test.go](./pkg/attest/example_verify_test.go) for an example of how to verify an image against a policy.
+See [example_verify_test.go](./example_verify_test.go) for an example of how to verify an image against a policy.

 ## Signing Attestations

@@ -76,7 +76,7 @@ This function takes a statement and DSSE signer, and returns a signed DSSE envel
 For the common use case of signing a statement and adding it to a manifest, e.g. for pushing to a registry as a referrer to the image being attested, the `attestation.AttestationManifest` type can be used.
 See [example_attestation_manifest_test.go](./pkg/attestation/example_attestation_manifest_test.go)

-See also [example_sign_test.go](./pkg/attest/example_sign_test.go) for an example of how to sign all attached in-toto statements on an image, e.g. those produced by buildkit.
+See also [example_sign_test.go](./example_sign_test.go) for an example of how to sign all attached in-toto statements on an image, e.g. those produced by buildkit.

 # Rego Policy

--- a/pkg/attestation/README.md
+++ b/pkg/attestation/README.md
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -8,7 +8,7 @@ import (
 	"maps"
 	"strings"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
--- a/pkg/attestation/attestation_test.go
+++ b/pkg/attestation/attestation_test.go
@@ -3,8 +3,8 @@ package attestation_test
 import (
 	"testing"

+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/stretchr/testify/assert"
 )
@@ -12,7 +12,7 @@ import (
 const ExpectedStatements = 4

 func TestExtractAnnotatedStatements(t *testing.T) {
-	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestImage, intoto.PayloadType)
+	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestImage(".."), intoto.PayloadType)
 	assert.NoError(t, err)
 	assert.Equalf(t, len(statements), ExpectedStatements, "expected %d statement, got %d", ExpectedStatements, len(statements))
 }
--- a/pkg/attestation/example_attestation_manifest_test.go
+++ b/pkg/attestation/example_attestation_manifest_test.go
@@ -4,9 +4,9 @@ import (
 	"context"
 	"time"

-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
--- a/pkg/attestation/layout.go
+++ b/pkg/attestation/layout.go
@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 )
--- a/pkg/attestation/layout_test.go
+++ b/pkg/attestation/layout_test.go
@@ -4,11 +4,11 @@ import (
 	"strings"
 	"testing"

+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,7 +24,7 @@ func TestAttestationFromOCILayout(t *testing.T) {
 	}

 	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 	require.NoError(t, err)
 	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
 	require.NoError(t, err)
--- a/pkg/attestation/mock.go
+++ b/pkg/attestation/mock.go
@@ -3,7 +3,7 @@ package attestation
 import (
 	"context"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )

--- a/pkg/attestation/referrers.go
+++ b/pkg/attestation/referrers.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"strings"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -7,12 +7,12 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/config"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -21,12 +21,12 @@ import (
 )

 var (
-	NoProvenanceImage   = filepath.Join("..", "..", "test", "testdata", "no-provenance-image")
-	PassPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-pass")
-	LocalPolicy         = filepath.Join("..", "..", "test", "testdata", "local-policy")
-	LocalPolicyAttached = filepath.Join("..", "..", "test", "testdata", "local-policy-attached")
-	PassNoTLPolicyDir   = filepath.Join("..", "..", "test", "testdata", "local-policy-no-tl")
-	FailPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-fail")
+	NoProvenanceImage   = filepath.Join("..", "test", "testdata", "no-provenance-image")
+	PassPolicyDir       = filepath.Join("..", "test", "testdata", "local-policy-pass")
+	LocalPolicy         = filepath.Join("..", "test", "testdata", "local-policy")
+	LocalPolicyAttached = filepath.Join("..", "test", "testdata", "local-policy-attached")
+	PassNoTLPolicyDir   = filepath.Join("..", "test", "testdata", "local-policy-no-tl")
+	FailPolicyDir       = filepath.Join("..", "test", "testdata", "local-policy-fail")
 	TestTempDir         = "attest-sign-test"
 )

@@ -90,7 +90,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			opts := &attestation.SigningOptions{
 				SkipTL: true,
 			}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 			require.NoError(t, err)

 			indexName := fmt.Sprintf("%s/repo:root", u.Host)
@@ -212,7 +212,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 		opts := &attestation.SigningOptions{
 			SkipTL: true,
 		}
-		attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+		attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 		require.NoError(t, err)

 		indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
@@ -238,7 +238,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 			opts := &attestation.SigningOptions{
 				SkipTL: true,
 			}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 			require.NoError(t, err)

 			indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
@@ -294,7 +294,7 @@ func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
 	opts := &attestation.SigningOptions{
 		SkipTL: true,
 	}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 	require.NoError(t, err)

 	indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
--- a/pkg/attestation/registry.go
+++ b/pkg/attestation/registry.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
--- a/pkg/attestation/registry_test.go
+++ b/pkg/attestation/registry_test.go
@@ -7,11 +7,11 @@ import (
 	"strings"
 	"testing"

+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -25,7 +25,7 @@ func TestRegistry(t *testing.T) {
 	require.NoError(t, err)

 	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 	require.NoError(t, err)
 	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
 	require.NoError(t, err)
--- a/pkg/attestation/resolver.go
+++ b/pkg/attestation/resolver.go
@@ -3,7 +3,7 @@ package attestation
 import (
 	"context"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 )

 type Resolver interface {
--- a/pkg/attestation/sign.go
+++ b/pkg/attestation/sign.go
@@ -5,7 +5,7 @@ import (
 	"fmt"

 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/tlog"
+	"github.com/docker/attest/tlog"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
--- a/pkg/attestation/sign_test.go
+++ b/pkg/attestation/sign_test.go
@@ -11,10 +11,10 @@ import (
 	"testing"
 	"time"

+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
 	"github.com/google/go-containerregistry/pkg/registry"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/static"
--- a/pkg/attestation/types.go
+++ b/pkg/attestation/types.go
--- a/pkg/attestation/verify.go
+++ b/pkg/attestation/verify.go
@@ -10,8 +10,8 @@ import (
 	"time"

 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/signerverifier"
-	"github.com/docker/attest/pkg/tlog"
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/tlog"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
--- a/pkg/attestation/verify_test.go
+++ b/pkg/attestation/verify_test.go
@@ -4,8 +4,8 @@ import (
 	"encoding/base64"
 	"testing"

+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
--- a/pkg/attestation/vsa.go
+++ b/pkg/attestation/vsa.go
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"regexp"

-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"sigs.k8s.io/yaml"
 )

--- a/pkg/config/types.go
+++ b/pkg/config/types.go
--- a/pkg/attest/example_sign_test.go
+++ b/pkg/attest/example_sign_test.go
@@ -3,10 +3,10 @@ package attest_test
 import (
 	"context"

-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
--- a/pkg/attest/example_verify_test.go
+++ b/pkg/attest/example_verify_test.go
@@ -6,10 +6,10 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
+	"github.com/docker/attest/tuf"
 )

 func ExampleVerify_remote() {
--- a/internal/test/test-signing-key.pem
+++ b/internal/test/test-signing-key.pem
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -2,12 +2,13 @@ package test

 import (
 	"context"
+	_ "embed"
 	"os"
 	"path/filepath"
 	"testing"

-	"github.com/docker/attest/pkg/signerverifier"
-	"github.com/docker/attest/pkg/tlog"
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/tlog"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )

@@ -19,7 +20,10 @@ const (
 	AWSKMSKeyARN = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
 )

-var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+func UnsignedTestImage(rel ...string) string {
+	rel = append(rel, "test", "testdata", "unsigned-test-image")
+	return filepath.Join(rel...)
+}

 func CreateTempDir(t *testing.T, dir, pattern string) string {
 	// Create a temporary directory for output oci layout
@@ -37,12 +41,11 @@ func CreateTempDir(t *testing.T, dir, pattern string) string {
 	return tempDir
 }

+//go:embed test-signing-key.pem
+var signingKey []byte
+
 func GetMockSigner(_ context.Context) (dsse.SignerVerifier, error) {
-	priv, err := os.ReadFile(filepath.Join("..", "..", "test", "testdata", "test-signing-key.pem"))
-	if err != nil {
-		return nil, err
-	}
-	return signerverifier.LoadKeyPair(priv)
+	return signerverifier.LoadKeyPair(signingKey)
 }

 func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
--- a/pkg/mirror/README.md
+++ b/pkg/mirror/README.md
--- a/pkg/mirror/example_mirror_test.go
+++ b/pkg/mirror/example_mirror_test.go
@@ -6,9 +6,9 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/attest/pkg/mirror"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/mirror"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/tuf"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )

--- a/pkg/mirror/metadata.go
+++ b/pkg/mirror/metadata.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strconv"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
--- a/pkg/mirror/metadata_test.go
+++ b/pkg/mirror/metadata_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"

 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"github.com/stretchr/testify/assert"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )
@@ -21,7 +21,7 @@ const (
 )

 func TestGetTufMetadataMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -39,7 +39,7 @@ func TestGetTufMetadataMirror(t *testing.T) {
 }

 func TestGetMetadataManifest(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -78,7 +78,7 @@ func TestGetMetadataManifest(t *testing.T) {
 }

 func TestGetDelegatedMetadataMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -3,7 +3,7 @@ package mirror
 import (
 	"fmt"

-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 )

 func NewTUFMirror(root []byte, tufPath, metadataURL, targetsURL string, versionChecker tuf.VersionChecker) (*TUFMirror, error) {
--- a/pkg/mirror/targets.go
+++ b/pkg/mirror/targets.go
@@ -5,7 +5,7 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
--- a/pkg/mirror/targets_test.go
+++ b/pkg/mirror/targets_test.go
@@ -9,7 +9,7 @@ import (
 	"testing"

 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"github.com/stretchr/testify/assert"
 )

@@ -22,7 +22,7 @@ type Layers struct {
 }

 func TestGetTufTargetsMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -56,7 +56,7 @@ func TestGetTufTargetsMirror(t *testing.T) {
 }

 func TestTargetDelegationMetadata(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -69,7 +69,7 @@ func TestTargetDelegationMetadata(t *testing.T) {
 }

 func TestGetDelegatedTargetMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
--- a/pkg/mirror/types.go
+++ b/pkg/mirror/types.go
@@ -1,8 +1,8 @@
 package mirror

 import (
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/tuf"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )
--- a/pkg/oci/README.md
+++ b/pkg/oci/README.md
--- a/pkg/oci/authn.go
+++ b/pkg/oci/authn.go
--- a/pkg/oci/authn_test.go
+++ b/pkg/oci/authn_test.go
@@ -6,12 +6,12 @@ import (
 	"testing"

 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/stretchr/testify/require"
 )

 func TestRegistryAuth(t *testing.T) {
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 	require.NoError(t, err)
 	// test cases for ecr, gcr and dockerhub
 	testCases := []struct {
--- a/pkg/oci/http.go
+++ b/pkg/oci/http.go
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
--- a/pkg/oci/oci_test.go
+++ b/pkg/oci/oci_test.go
@@ -5,7 +5,7 @@ import (

 	"github.com/distribution/reference"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	"github.com/stretchr/testify/assert"
@@ -67,7 +67,7 @@ func TestRefToPurl(t *testing.T) {

 // Test fix for https://github.com/docker/secure-artifacts-team-issues/issues/202
 func TestImageDigestForPlatform(t *testing.T) {
-	idx, err := layout.ImageIndexFromPath(test.UnsignedTestImage)
+	idx, err := layout.ImageIndexFromPath(test.UnsignedTestImage(".."))
 	assert.NoError(t, err)

 	idxm, err := idx.IndexManifest()
--- a/pkg/oci/output.go
+++ b/pkg/oci/output.go
--- a/pkg/oci/output_test.go
+++ b/pkg/oci/output_test.go
@@ -6,9 +6,9 @@ import (
 	"net/url"
 	"testing"

+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/registry"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
@@ -18,7 +18,7 @@ import (

 func TestSavingIndex(t *testing.T) {
 	outputLayout := test.CreateTempDir(t, "", "mirror-test")
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
 	require.NoError(t, err)

 	server := httptest.NewServer(registry.New())
--- a/pkg/oci/registry.go
+++ b/pkg/oci/registry.go
--- a/pkg/oci/resolver.go
+++ b/pkg/oci/resolver.go
--- a/pkg/oci/types.go
+++ b/pkg/oci/types.go
--- a/pkg/oci/types_test.go
+++ b/pkg/oci/types_test.go
--- a/pkg/attest/README.md
+++ b/pkg/attest/README.md
@@ -1,2 +0,0 @@
-## attest
-This package implements the top-level signing and verification methods.
--- a/pkg/policy/README.md
+++ b/pkg/policy/README.md
--- a/pkg/policy/evaluator.go
+++ b/pkg/policy/evaluator.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"context"

-	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/attestation"
 )

 type Evaluator interface {
--- a/pkg/policy/match.go
+++ b/pkg/policy/match.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"fmt"

-	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/config"
 )

 type matchType string
--- a/pkg/policy/match_test.go
+++ b/pkg/policy/match_test.go
@@ -4,7 +4,7 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/config"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
--- a/pkg/policy/mock.go
+++ b/pkg/policy/mock.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"context"

-	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/attestation"
 )

 type MockPolicyEvaluator struct {
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -3,9 +3,9 @@ package policy
 import (
 	"fmt"

-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/config"
+	"github.com/docker/attest/oci"
 )

 func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error) {
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -6,11 +6,11 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/config"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -32,7 +32,7 @@ func loadAttestation(t *testing.T, path string) *attestation.Envelope {
 func TestRegoEvaluator_Evaluate(t *testing.T) {
 	ctx, _ := test.Setup(t)
 	resolveErrorStr := "failed to resolve policy by id: policy with id non-existent-policy-id not found"
-	TestDataPath := filepath.Join("..", "..", "test", "testdata")
+	TestDataPath := filepath.Join("..", "test", "testdata")
 	ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")

 	re := policy.NewRegoEvaluator(true)
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -7,7 +7,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/attestation"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
--- a/pkg/policy/resolver.go
+++ b/pkg/policy/resolver.go
@@ -8,9 +8,9 @@ import (
 	"path/filepath"

 	"github.com/distribution/reference"
+	"github.com/docker/attest/config"
 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 )

 type Resolver struct {
--- a/pkg/policy/resolver_test.go
+++ b/pkg/policy/resolver_test.go
@@ -5,8 +5,8 @@ import (
 	"testing"

 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/policy"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/policy"
+	"github.com/docker/attest/tuf"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
--- a/pkg/policy/testdata/mappings/doi/mapping.yaml
+++ b/pkg/policy/testdata/mappings/doi/mapping.yaml
--- a/pkg/policy/testdata/mappings/local/mapping.yaml
+++ b/pkg/policy/testdata/mappings/local/mapping.yaml
--- a/pkg/policy/testdata/mappings/rewrite-invalid/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-invalid/mapping.yaml
--- a/pkg/policy/testdata/mappings/rewrite-loop/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-loop/mapping.yaml
--- a/pkg/policy/testdata/mappings/rewrite-multiple/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-multiple/mapping.yaml
--- a/pkg/policy/testdata/mappings/rewrite-to-local/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-to-local/mapping.yaml
--- a/pkg/policy/testdata/mappings/rewrite-to-no-match/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-to-no-match/mapping.yaml
--- a/pkg/policy/testdata/mappings/simple-rewrite/mapping.yaml
+++ b/pkg/policy/testdata/mappings/simple-rewrite/mapping.yaml
--- a/pkg/policy/testdata/policies/allow-canonical/doi/policy.rego
+++ b/pkg/policy/testdata/policies/allow-canonical/doi/policy.rego
--- a/pkg/policy/testdata/policies/allow-canonical/mapping.yaml
+++ b/pkg/policy/testdata/policies/allow-canonical/mapping.yaml
--- a/pkg/policy/testdata/policies/allow/doi/policy.rego
+++ b/pkg/policy/testdata/policies/allow/doi/policy.rego
--- a/pkg/policy/testdata/policies/allow/mapping.yaml
+++ b/pkg/policy/testdata/policies/allow/mapping.yaml
--- a/pkg/policy/testdata/policies/deny/doi/policy.rego
+++ b/pkg/policy/testdata/policies/deny/doi/policy.rego
--- a/pkg/policy/testdata/policies/deny/mapping.yaml
+++ b/pkg/policy/testdata/policies/deny/mapping.yaml
--- a/pkg/policy/testdata/policies/no-policy/mapping.yaml
+++ b/pkg/policy/testdata/policies/no-policy/mapping.yaml
--- a/pkg/policy/testdata/policies/no-rego/doi/policy.yaml
+++ b/pkg/policy/testdata/policies/no-rego/doi/policy.yaml
--- a/pkg/policy/testdata/policies/no-rego/mapping.yaml
+++ b/pkg/policy/testdata/policies/no-rego/mapping.yaml
--- a/pkg/policy/testdata/policies/verify-sig/doi/policy.rego
+++ b/pkg/policy/testdata/policies/verify-sig/doi/policy.rego
--- a/pkg/policy/testdata/policies/verify-sig/mapping.yaml
+++ b/pkg/policy/testdata/policies/verify-sig/mapping.yaml
--- a/pkg/policy/testdata/policies/wrong-key/doi/policy.rego
+++ b/pkg/policy/testdata/policies/wrong-key/doi/policy.rego
--- a/pkg/policy/testdata/policies/wrong-key/mapping.yaml
+++ b/pkg/policy/testdata/policies/wrong-key/mapping.yaml
--- a/pkg/policy/types.go
+++ b/pkg/policy/types.go
@@ -1,8 +1,8 @@
 package policy

 import (
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/config"
+	"github.com/docker/attest/tuf"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 )

--- a/pkg/attest/sign.go
+++ b/pkg/attest/sign.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/attestation"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -4,10 +4,10 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	"github.com/stretchr/testify/assert"
@@ -15,13 +15,13 @@ import (
 )

 var (
-	NoProvenanceImage   = filepath.Join("..", "..", "test", "testdata", "no-provenance-image")
-	PassPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-pass")
-	PassMirrorPolicyDir = filepath.Join("..", "..", "test", "testdata", "local-policy-mirror")
-	PassNoTLPolicyDir   = filepath.Join("..", "..", "test", "testdata", "local-policy-no-tl")
-	FailPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-fail")
-	InputsPolicyDir     = filepath.Join("..", "..", "test", "testdata", "local-policy-inputs")
-	EmptyPolicyDir      = filepath.Join("..", "..", "test", "testdata", "local-policy-no-policies")
+	NoProvenanceImage   = filepath.Join("test", "testdata", "no-provenance-image")
+	PassPolicyDir       = filepath.Join("test", "testdata", "local-policy-pass")
+	PassMirrorPolicyDir = filepath.Join("test", "testdata", "local-policy-mirror")
+	PassNoTLPolicyDir   = filepath.Join("test", "testdata", "local-policy-no-tl")
+	FailPolicyDir       = filepath.Join("test", "testdata", "local-policy-fail")
+	InputsPolicyDir     = filepath.Join("test", "testdata", "local-policy-inputs")
+	EmptyPolicyDir      = filepath.Join("test", "testdata", "local-policy-no-policies")
 	TestTempDir         = "attest-sign-test"
 )

@@ -35,8 +35,8 @@ func TestSignVerifyOCILayout(t *testing.T) {
 		expectedAttestations int
 		replace              bool
 	}{
-		{"signed replaced", test.UnsignedTestImage, 0, 4, true},
-		{"without replace", test.UnsignedTestImage, 4, 4, false},
+		{"signed replaced", test.UnsignedTestImage(), 0, 4, true},
+		{"without replace", test.UnsignedTestImage(), 4, 4, false},
 		// image without provenance doesn't fail
 		{"no provenance (replace)", NoProvenanceImage, 0, 2, true},
 		{"no provenance (no replace)", NoProvenanceImage, 2, 2, false},
--- a/pkg/signerverifier/README.md
+++ b/pkg/signerverifier/README.md
--- a/pkg/signerverifier/aws.go
+++ b/pkg/signerverifier/aws.go
--- a/pkg/signerverifier/common.go
+++ b/pkg/signerverifier/common.go
--- a/pkg/signerverifier/gcp.go
+++ b/pkg/signerverifier/gcp.go
--- a/pkg/signerverifier/gcp_test.go
+++ b/pkg/signerverifier/gcp_test.go
--- a/pkg/signerverifier/keyid.go
+++ b/pkg/signerverifier/keyid.go
--- a/pkg/signerverifier/parse.go
+++ b/pkg/signerverifier/parse.go
--- a/pkg/tlog/README.md
+++ b/pkg/tlog/README.md
--- a/pkg/tlog/mock.go
+++ b/pkg/tlog/mock.go
--- a/pkg/tlog/tl.go
+++ b/pkg/tlog/tl.go
@@ -15,7 +15,7 @@ import (
 	"time"

 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/signerverifier"
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
--- a/pkg/tlog/tl_test.go
+++ b/pkg/tlog/tl_test.go
@@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/signerverifier"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
 )
--- a/pkg/tuf/README.md
+++ b/pkg/tuf/README.md
--- a/pkg/tuf/example_registry_test.go
+++ b/pkg/tuf/example_registry_test.go
@@ -4,7 +4,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )

--- a/pkg/tuf/mock.go
+++ b/pkg/tuf/mock.go
--- a/pkg/tuf/registry.go
+++ b/pkg/tuf/registry.go
@@ -11,7 +11,7 @@ import (
 	"time"

 	"github.com/distribution/reference"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"

 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
--- a/pkg/tuf/tuf.go
+++ b/pkg/tuf/tuf.go
--- a/pkg/tuf/tuf_test.go
+++ b/pkg/tuf/tuf_test.go
@@ -15,8 +15,8 @@ import (
 )

 var (
-	HTTPTUFTestDataPath = filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo")
-	OCITUFTestDataPath  = filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo-oci")
+	HTTPTUFTestDataPath = filepath.Join("..", "test", "testdata", "tuf", "test-repo")
+	OCITUFTestDataPath  = filepath.Join("..", "test", "testdata", "tuf", "test-repo-oci")
 )

 func CreateTempDir(t *testing.T, dir, pattern string) string {
--- a/pkg/tuf/version.go
+++ b/pkg/tuf/version.go
--- a/Show More
+++ b/Show More