STACKITGit/cli - Git hosting by STACKIT

Author	SHA1	Message	Date
Zach Steindler	f972050dc9	gh attestation trusted-root subcommand (#9206 ) Adds `trusted-root` subcommand to `gh attestation`. For use in upcoming docs on how to do offline verification with artifact attestations. --------- Signed-off-by: Zach Steindler <steiza@github.com> Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>	2024-07-01 11:50:39 -04:00
Phill MV	c9f9fac7dc	Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Andy Feller <andyfeller@github.com>	2024-06-24 13:33:10 -04:00
Phill MV	c25dacc33e	Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Andy Feller <andyfeller@github.com>	2024-06-24 13:32:51 -04:00
Phill MV	06607d3e95	s/originated/caller/ workflow	2024-06-24 10:05:58 -04:00
William Martin	d7c56bfb13	Remove beta note from attestation top level command	2024-06-24 15:46:00 +02:00
William Martin	846b6ec20b	Fix whitespacing	2024-06-24 15:41:22 +02:00
Phill MV	8318e7a1de	Actually, let's keep `download` in beta for now.	2024-06-24 09:32:32 -04:00
Phill MV	40abc9a785	Removed beta note from `gh at download`.	2024-06-23 21:54:01 -04:00
Phill MV	152607e0e8	Removed beta note from `gh at verify`, clarified reusable workflows use case.	2024-06-23 21:53:09 -04:00
Forrin	c572383bda	Attestation Verification - Buffer Fix (#9198 ) * swap scanner to readline for attestations * replace readLine with readBytes	2024-06-14 13:55:58 -04:00
Phill MV	e8a13cfed3	replaced deprecated --json-result flag with --format=json in the gh at docstring.	2024-06-04 15:52:54 -04:00
Meredith Lancaster	cd5562f5ac	Add `signer-repo` and `signer-workflow` flags to `gh attestation verify` (#9137 ) * add signer-repo and signer-workflow flags Signed-off-by: Meredith Lancaster <malancas@github.com> * add check for SignerRepo option Signed-off-by: Meredith Lancaster <malancas@github.com> * add helper function and comment for clarity Signed-off-by: Meredith Lancaster <malancas@github.com> * update flag comment Signed-off-by: Meredith Lancaster <malancas@github.com> * reference correct field Signed-off-by: Meredith Lancaster <malancas@github.com> * move function to more relevant file Signed-off-by: Meredith Lancaster <malancas@github.com> * Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Zach Steindler <steiza@github.com> * Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Zach Steindler <steiza@github.com> * make all reusable workflow flags mutually exclusive Signed-off-by: Meredith Lancaster <malancas@github.com> * accept signer workflow without host Signed-off-by: Meredith Lancaster <malancas@github.com> * support client optionally providing host with signer workflow flag Signed-off-by: Meredith Lancaster <malancas@github.com> * comment Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for parsing signer workflow Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Zach Steindler <steiza@github.com>	2024-05-30 07:40:55 -06:00
Meredith Lancaster	8d0518645f	Add integration tests for `gh attestation verify` shared workflow use case (#9107 ) * add initial shared workflow use case tests and test data Signed-off-by: Meredith Lancaster <malancas@github.com> * add more shared workflow tests Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup tests Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback, replace shared with reusable Signed-off-by: Meredith Lancaster <malancas@github.com> * use demo repository with reusable workflow tests Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-05-28 07:13:34 -06:00
Viktor Szépe	6d9dd57774	Fix typos	2024-05-09 20:15:27 +00:00
Meredith Lancaster	c9e8fd6c64	Fix `attestation verify` source repository check bug (#9053 ) * add build source repo URI extension when repo is provided, add integration tests for this change Signed-off-by: Meredith Lancaster <malancas@github.com> * add initial docs on specifying cert identity Signed-off-by: Meredith Lancaster <malancas@github.com> * wording Signed-off-by: Meredith Lancaster <malancas@github.com> * add reusable workflow example Signed-off-by: Meredith Lancaster <malancas@github.com> * add more test cases Signed-off-by: Meredith Lancaster <malancas@github.com> * tweak to verify docs --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>	2024-05-08 07:44:52 -06:00
Meredith Lancaster	6f350827d2	Run `attestation` command set integration tests separately (#9035 ) * rename and add integration build tag Signed-off-by: Meredith Lancaster <malancas@github.com> * run tests that include integration build tag in workflow Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-05-02 08:07:44 -06:00
Phill MV	38ee906acc	whitespace aligment for inspect/inspect.go	2024-04-29 16:40:30 -04:00
Phill MV	9523a99325	whitespace alignment in attestation/attestation.go	2024-04-29 16:38:35 -04:00
Phill MV	ce61fd8a06	Added tweaked note to tuf-root-verify	2024-04-29 16:31:28 -04:00
Phill MV	5619251faa	Tweaked gh attestation help strings to generate nicer cli manual site.	2024-04-29 16:24:54 -04:00
Andy Feller	f5430ced2d	Merge pull request #9022 from cli/andyfeller/attestation-beta-usage Add beta designation on attestation command set	2024-04-29 14:57:56 -04:00
Andy Feller	d51ae5ced9	Update attestation's beta designation	2024-04-29 14:45:20 -04:00
Andy Feller	57ca29b4b8	Merge pull request #9019 from cli/wm/attestation-host-checks Be more general with attestation host checks	2024-04-29 13:44:21 -04:00
Andy Feller	0740c00f0a	Add beta designation on attestation command set With the `gh attestation` command set going into public beta, users should be reminded the feature is in beta and subject to change. Both the short and long help usage are updated for individual command `--help` as well as `gh reference`.	2024-04-29 12:46:01 -04:00
Andy Feller	68dfd87f47	Merge pull request #9000 from cli/andyfeller/flag-level-disableauth proof of concept for flag-level disable auth check	2024-04-29 12:15:49 -04:00
Andy Feller	cc36d32a21	Test `gh at verify -b` does not require auth Thanks to @williammartin, this completes the PR by ensuring the actual feature this new logic was added for actually works as expected :D	2024-04-29 12:02:41 -04:00
William Martin	ef51cad663	Use ghinstance package for attestation host checks	2024-04-29 17:08:22 +02:00
Meredith Lancaster	1a35ce38ad	check for enterprise host Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-04-29 14:06:22 +02:00
William Martin	6d8709bdd7	Merge pull request #8997 from steiza/steiza/attestation-verify-offline Support offline mode for `gh attestation verify`	2024-04-29 12:22:08 +02:00
William Martin	cf2060ce9a	Remove unnecessary defensive check	2024-04-26 17:20:26 +02:00
William Martin	439c95c55e	Test verification failures when attestations are bad	2024-04-26 17:20:04 +02:00
William Martin	a0c06e170e	Rework sigstore tests for easier maintenance	2024-04-26 16:56:13 +02:00
William Martin	054b306d09	Make error more obvious when bundle has wrong extension	2024-04-26 16:23:56 +02:00
Zach Steindler	1aefeec71b	Use cmdutil.ExactArgs instead of MinimumArgs; also add tests Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-25 15:41:49 -04:00
Andy Feller	2d910406c6	proof of concept for flag-level disable auth check Building upon the existing command-level disable auth check logic, this commit adds flag-level disable auth check logic for any flag set with `-b,--bundle` flag of `gh attestation verify` being the first use case. Subsequent commit to build out testing is needed as IsAuthCheckEnabled does not have tests.	2024-04-25 09:28:49 -04:00
Meredith Lancaster	28c4d3075b	remove hidden flag from attestation command (#8998 ) Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-04-25 07:27:00 -06:00
Meredith Lancaster	63640b16a7	Update `gh attestation verify` output (#8991 ) * start updating default verify cmd output Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding support for printing a table of attestation details Signed-off-by: Meredith Lancaster <malancas@github.com> * extract attestation details from verification result Signed-off-by: Meredith Lancaster <malancas@github.com> * condense logging Signed-off-by: Meredith Lancaster <malancas@github.com> * update logging from feedback Signed-off-by: Meredith Lancaster <malancas@github.com> * update error logging Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup more error logging Signed-off-by: Meredith Lancaster <malancas@github.com> * include test data for printing to table in the mock sigstore verifier response Signed-off-by: Meredith Lancaster <malancas@github.com> * fix linter err Signed-off-by: Meredith Lancaster <malancas@github.com> * Update pkg/cmd/attestation/verification/mock_verifier.go Co-authored-by: Phill MV <phillmv@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>	2024-04-24 14:03:35 -06:00
Zach Steindler	caf0546a11	Just base verification policy on trusted root, not bundle Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-24 11:02:53 -04:00
Zach Steindler	d9f7b922d0	Support offline mode for `gh attestation verify` The main change is previously we always instantiated a TUF client for the public good and GitHub Sigstore instances. Now we only instantiate the TUF client we need, or no client if we are provided a custom trusted root. Note that `gh attestation verify` still requires authentication, that is being addressed in https://github.com/cli/cli/pull/8995. Some other changes are coming along for the ride: - Set TUF cache validity to 1 day, to help serial verification - Attempt to infer verification policy based on custom trusted root - Make command output more friendly if you leave off required arguments Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-24 10:24:23 -04:00
Meredith Lancaster	e30dd40c9e	`gh attestation tuf-root-verify` offline test fix (#8975 ) * pass TUF client constructor as an arugment for offline unit testing Signed-off-by: Meredith Lancaster <malancas@github.com> * update func name Signed-off-by: Meredith Lancaster <malancas@github.com> * simplify naming Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback, rename type Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-04-23 07:54:45 -06:00
Andy Feller	a42450e9a3	Merge pull request #8949 from steiza/steiza/multi-attestation Add support to `attestation` command for more predicate types.	2024-04-12 11:12:59 -04:00
Meredith Lancaster	02158e896b	Fix `attestation` cmd offline unit test failure (#8933 ) * pass policy to Verify method Signed-off-by: Meredith Lancaster <malancas@github.com> * remove policy argument from SigstoreVerifier constructor Signed-off-by: Meredith Lancaster <malancas@github.com> * add SigstoreVerifier interface and introduce mock SigstoreVerifier struct for unit testing Signed-off-by: Meredith Lancaster <malancas@github.com> * gofmt Signed-off-by: Meredith Lancaster <malancas@github.com> * rename LiveSigstoreVerifier constructor Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback, add todos for tests that need to be reimplemented Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unused import Signed-off-by: Meredith Lancaster <malancas@github.com> * add more missing TODO statements Signed-off-by: Meredith Lancaster <malancas@github.com> * update skipped test Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-04-11 18:09:10 -06:00
Zach Steindler	f0a1e2707c	Change subcommands default to be more user friendly Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-10 10:11:33 -04:00
Zach Steindler	2b293c4840	Add unit test, update naming, ensure DSSE envelope is in-toto Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-10 09:49:34 -04:00
Zach Steindler	c96fb7c553	Updates from linter feedback Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-09 17:34:45 -04:00
Zach Steindler	643f4031b2	Add support to `attestation` command for more predicate types. Before, we required all attestations have predicateType https://slsa.dev/provenance/v1. This allows you to use other predicate types, and adds the ability to filter responses from the API for a particular predicate type. Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-09 17:26:32 -04:00
Meredith Lancaster	90b7bf97c5	gh-attestation cmd integration (#8698 ) * add attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * update args passed to the attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * use gh-attestation branch for passing iostreams from the root Signed-off-by: Meredith Lancaster <malancas@github.com> * add package security team entry to codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * start moving over verify cmd and general verification code Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up common and verify specific policy code Signed-off-by: Meredith Lancaster <malancas@github.com> * move artifact package over Signed-off-by: Meredith Lancaster <malancas@github.com> * start pulling in the github api client wrapper Signed-off-by: Meredith Lancaster <malancas@github.com> * fix imports Signed-off-by: Meredith Lancaster <malancas@github.com> * add logger and test packages Signed-off-by: Meredith Lancaster <malancas@github.com> * add additional packages to support verify command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * include missing fields Signed-off-by: Meredith Lancaster <malancas@github.com> * use correct owner Signed-off-by: Meredith Lancaster <malancas@github.com> * add more mock api client options Signed-off-by: Meredith Lancaster <malancas@github.com> * add download cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add inspect cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass factory object to inspect cmd, add inspect sub cmd to attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add verify-tuf-root cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass iostream struct from command Signed-off-by: Meredith Lancaster <malancas@github.com> * rename logger pkg to logger Signed-off-by: Meredith Lancaster <malancas@github.com> * fix path in codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * formatter Signed-off-by: Meredith Lancaster <malancas@github.com> * go mod tidy Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * check user's GH host for compatibility Signed-off-by: Meredith Lancaster <malancas@github.com> * pass oci client to commands directly Signed-off-by: Meredith Lancaster <malancas@github.com> * rename command Signed-off-by: Meredith Lancaster <malancas@github.com> * mark tuf-root-verify cmd hidden Signed-off-by: Meredith Lancaster <malancas@github.com> * move client initialization back to subcommands Signed-off-by: Meredith Lancaster <malancas@github.com> * add more verbose options and logging Signed-off-by: Meredith Lancaster <malancas@github.com> * add missing logger Signed-off-by: Meredith Lancaster <malancas@github.com> * add testing around OCI and API client Signed-off-by: Meredith Lancaster <malancas@github.com> * add integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * fix file path Signed-off-by: Meredith Lancaster <malancas@github.com> * fix command Signed-off-by: Meredith Lancaster <malancas@github.com> * build executable before integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * split integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * remove integration test steps Signed-off-by: Meredith Lancaster <malancas@github.com> * fix flag value Signed-off-by: Meredith Lancaster <malancas@github.com> * run integration tests on ubuntu for now Signed-off-by: Meredith Lancaster <malancas@github.com> * pull over doc updates Signed-off-by: Meredith Lancaster <malancas@github.com> * delete unused test data Signed-off-by: Meredith Lancaster <malancas@github.com> * remove Go patch version Signed-off-by: Meredith Lancaster <malancas@github.com> * switch assert to require Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * move integration tests to prexisting test workflow Signed-off-by: Meredith Lancaster <malancas@github.com> * use platform matrix for integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * simplify build step Signed-off-by: Meredith Lancaster <malancas@github.com> * use StringEnumFlag handling Signed-off-by: Meredith Lancaster <malancas@github.com> * typo Signed-off-by: Meredith Lancaster <malancas@github.com> * use the iostreams.Test helper func Signed-off-by: Meredith Lancaster <malancas@github.com> * create interface for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * rename files Signed-off-by: Meredith Lancaster <malancas@github.com> * format file Signed-off-by: Meredith Lancaster <malancas@github.com> * fix shellcheck issues Signed-off-by: Meredith Lancaster <malancas@github.com> * use testing TempDir method Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup unused tempdir handling Signed-off-by: Meredith Lancaster <malancas@github.com> * use table driven tests Signed-off-by: Meredith Lancaster <malancas@github.com> * check correct cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * support repo option in download sub cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * switch over to using RunE Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport top level subcommand funcs Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment around keychain option Signed-off-by: Meredith Lancaster <malancas@github.com> * update comments Signed-off-by: Meredith Lancaster <malancas@github.com> * fix inconsistent naming Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for CLI commands Signed-off-by: Meredith Lancaster <malancas@github.com> * check for noattestationsfound err Signed-off-by: Meredith Lancaster <malancas@github.com> * try out metadata abstraction instead Signed-off-by: Meredith Lancaster <malancas@github.com> * switch to using MetadataStore abstraction Signed-off-by: Meredith Lancaster <malancas@github.com> * include test case with failing metadata store Signed-off-by: Meredith Lancaster <malancas@github.com> * look for err specific to file write Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport fields Signed-off-by: Meredith Lancaster <malancas@github.com> * return err when an unsupported hash alg is provided Signed-off-by: Meredith Lancaster <malancas@github.com> * PrintTableToStdOut returns err when rendering fails Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding sigstore verifier unit tests Signed-off-by: Meredith Lancaster <malancas@github.com> * add more sigstore verifier specific tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use cli table printer Signed-off-by: Meredith Lancaster <malancas@github.com> * return JSON results in slice instead of table Signed-off-by: Meredith Lancaster <malancas@github.com> * move mock client to test file Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded table printer method Signed-off-by: Meredith Lancaster <malancas@github.com> * add initial tests for tufrootverify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * formatting Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup method Signed-off-by: Meredith Lancaster <malancas@github.com> * close file in error handling branch Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize artifact path Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded embedded file system Signed-off-by: Meredith Lancaster <malancas@github.com> * include image name reference err Signed-off-by: Meredith Lancaster <malancas@github.com> * use GH_DEBUG value for io handling Signed-off-by: Meredith Lancaster <malancas@github.com> * remove quiet and verbose flags Signed-off-by: Meredith Lancaster <malancas@github.com> * add more tufrootveriify tests Signed-off-by: Meredith Lancaster <malancas@github.com> * GitHubTUFOptions no longer needs to return error Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded slice Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize all relative paths Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up nil client checks Signed-off-by: Meredith Lancaster <malancas@github.com> * set api server based on host Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment about http client Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output in verify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output Signed-off-by: Meredith Lancaster <malancas@github.com> * use normalized path for cli test arg Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for json output Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup error wrapping Signed-off-by: Meredith Lancaster <malancas@github.com> * use test fixtures correctly by normalizing path Signed-off-by: Meredith Lancaster <malancas@github.com> * dont clean Signed-off-by: Meredith Lancaster <malancas@github.com> * escape backwards slash for windows files with replace Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Split func Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Replace for all command tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use CLI cache dir to store tuf metadata Signed-off-by: Meredith Lancaster <malancas@github.com> * Tweaked docstrings for gh attestation download * Tweaked docstrings for gh attestation verify * Fix for bug in gh attestation where the wrong hostname was being passed to the API client. * lets hide tuf-root-verify eh? * Forgot verify's short str. * add remote verification test Signed-off-by: Meredith Lancaster <malancas@github.com> * Revert "add remote verification test" This reverts commit `c0ceb99ca8`. * update json result handling Signed-off-by: Meredith Lancaster <malancas@github.com> * add json tags to struct returned by command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix how json results are handled Signed-off-by: Meredith Lancaster <malancas@github.com> * add test to ensure JSON output is valid Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>	2024-04-01 11:13:47 -06:00

47 commits