add integration test

Signed-off-by: Meredith Lancaster <malancas@github.com>

.github/workflows/go.yml

@@ -37,3 +37,6 @@ jobs:
 
       - name: Build
         run: go build -v ./cmd/gh
+
+      - name: Run attestation command integration Tests
+        run: ./test/integration/attestation-cmd/test/download-and-verify-package-attestation.sh

test/integration/attestation-cmd/download-and-verify-package-attestation.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+# Compute the package and attestation URLs
+labRatPackageName="sigstore"
+latestPackageVersion=$(npm -s info $labRatPackageName dist-tags.latest | tr -d '\n')
+packageFile="$labRatPackageName-$latestPackageVersion.tgz"
+packageURL="https://registry.npmjs.org/$labRatPackageName/-/$packageFile"
+attestationFile="$labRatPackageName-$latestPackageVersion.json"
+attestationURL="https://registry.npmjs.org/-/npm/v1/attestations/$labRatPackageName@$latestPackageVersion"
+
+echo "Testing with package $packageFile and attestation $attestationFile"
+
+curl -s $packageURL -o $packageFile
+curl -s $attestationURL | jq '.attestations[1].bundle' > $attestationFile
+
+# Verify the package with the --owner flag
+$ghVerifyBuildPath $packageFile -b $attestationFile --digest-alg=sha512 --owner=sigstore
+if [ $? -ne 0 ]; then
+    # cleanup test data
+    rm $packageFile $attestationFile
+    exit 1
+fi
+
+$ghVerifyBuildPath $packageFile -b $attestationFile --digest-alg=sha512 --repo=sigstore-js
+if [ $? -ne 0 ]; then
+    # cleanup test data
+    rm $packageFile $attestationFile
+    exit 1
+fi
+
+# cleanup test data
+rm $packageFile $attestationFile