Add integration tests for gh attestation verify shared workflow use case (#9107)

* add initial shared workflow use case tests and test data Signed-off-by: Meredith Lancaster <malancas@github.com> * add more shared workflow tests Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup tests Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback, replace shared with reusable Signed-off-by: Meredith Lancaster <malancas@github.com> * use demo repository with reusable workflow tests Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-05-28 07:13:34 -06:00 · 2024-05-28 07:13:34 -06:00 · 8d0518645f
commit 8d0518645f
parent 1bc3cfa460
3 changed files with 130 additions and 0 deletions
--- a/pkg/cmd/attestation/test/data/reusable-workflow-artifact
+++ b/pkg/cmd/attestation/test/data/reusable-workflow-artifact
--- a/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json
+++ b/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@ -8,6 +8,7 @@ import (
 	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/test"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
 	"github.com/cli/cli/v2/pkg/cmd/factory"
 	"github.com/stretchr/testify/require"
@ -80,3 +81,70 @@ func TestVerifyIntegration(t *testing.T) {
 		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
 	})
 }
+
+func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
+	artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
+	bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
+
+	logger := io.NewTestHandler()
+
+	sigstoreConfig := verification.SigstoreConfig{
+		Logger: logger,
+	}
+
+	cmdFactory := factory.New("test")
+
+	hc, err := cmdFactory.HttpClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	baseOpts := Options{
+		APIClient:        api.NewLiveClient(hc, logger),
+		ArtifactPath:     artifactPath,
+		BundlePath:       bundlePath,
+		DigestAlgorithm:  "sha256",
+		Logger:           logger,
+		OCIClient:        oci.NewLiveClient(),
+		OIDCIssuer:       GitHubOIDCIssuer,
+		SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+	}
+
+	t.Run("with owner and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with owner and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+}