Merge pull request #10020 from malancas/attestation-fetch-integration-tests

pkg/cmd/attestation/verify/verify_integration_test.go

@@ -111,6 +111,25 @@ func TestVerifyIntegration(t *testing.T) {
 		require.Error(t, err)
 		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
 	})
+
+	t.Run("with bundle from OCI registry", func(t *testing.T) {
+		opts := Options{
+			APIClient:             api.NewLiveClient(hc, host, logger),
+			ArtifactPath:          "oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9",
+			UseBundleFromRegistry: true,
+			DigestAlgorithm:       "sha256",
+			Logger:                logger,
+			OCIClient:             oci.NewLiveClient(),
+			OIDCIssuer:            verification.GitHubOIDCIssuer,
+			Owner:                 "github",
+			PredicateType:         verification.SLSAPredicateV1,
+			SANRegex:              "^https://github.com/github/",
+			SigstoreVerifier:      verification.NewLiveSigstoreVerifier(sigstoreConfig),
+		}
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
 }
 
 func TestVerifyIntegrationCustomIssuer(t *testing.T) {

test/integration/attestation-cmd/verify-oci-bundle.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+# Verify an OCI artifact with bundles stored on the GHCR OCI registry
+echo "Testing with OCI image ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 with the --bundle-from-oci flag"
+if ! $ghBuildPath attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 --owner=github --bundle-from-oci; then
+    echo "Failed to verify oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 with bundles from the GHCR OCI registry"
+    exit 1
+fi