# Copyright The Notary Project Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
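# End-to-end tests for the local ./sign action.
#
# The job pushes a throwaway image to a registry service container, creates a
# test key/certificate with `notation cert generate-test`, then runs ./sign
# twice with valid inputs and several times with deliberately bad inputs.
#
# Negative-test pattern: the ./sign step carries `continue-on-error: true` so
# the job keeps going, and the following 'Should Fail: ...' step aborts the job
# when `steps.<id>.outcome` (the result before continue-on-error is applied)
# is anything other than 'failure'.
#
# NOTE(review): the negative tests assert only that the step failed, not why.
# Cases that combine several bad inputs (e.g. "missing key id" also passes an
# unreachable plugin_url) may fail for a different reason than the one named;
# that depends on the validation order inside ./sign, which is not visible here.
name: e2e-test-sign

on:
  push:
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository; signing targets the local registry service only.
permissions:
  contents: read

env:
  # Paths of the key pair created by the "Notation generate-test" step.
  E2E_KEY: /home/runner/.config/notation/localkeys/e2e-test.key
  E2E_CERT: /home/runner/.config/notation/localkeys/e2e-test.crt

jobs:
  e2e-test-sign:
    runs-on: ubuntu-latest
    services:
      # Local registry that receives the test image and its signatures.
      registry:
        image: registry:2
        ports:
          - '5000:5000'
    steps:
      # NOTE(review): actions/checkout and docker/build-push-action are
      # referenced by mutable version tags; pinning each to a full commit SHA
      # would make the workflow reproducible against tag re-pointing.
      - name: Checkout
        uses: actions/checkout@v3

      - name: Build and push to local registry
        id: prepare
        uses: docker/build-push-action@v4
        with:
          context: ./tests/e2e
          push: true
          tags: localhost:5000/e2e:latest

      # The artifact is signed by digest, not by the mutable `latest` tag.
      # The step output is handed to the shell through an environment variable
      # instead of being expanded into the script text by the expression
      # engine, so its value is never parsed as shell syntax.
      - name: Retrieve digest
        env:
          IMAGE_DIGEST: ${{ steps.prepare.outputs.digest }}
        run: |
          echo "target_artifact_reference=localhost:5000/e2e@${IMAGE_DIGEST}" >> "$GITHUB_ENV"

      # Setting up Notation CLI on the runner
      - name: Setup Notation
        uses: ./setup

      # Generate test
      - name: Notation generate-test
        run: |
          notation cert generate-test "e2e-test"

      # E2E test cases on Notation Sign
      #
      # plugin_url points at a branch of the repository, so the content behind
      # it can change; plugin_checksum is the only value here that ties the
      # download to a known binary. The "missing plugin checksum" and "invalid
      # plugin checksum" cases below expect ./sign to reject both situations.
      - name: Sign artifact using notation plugin
        uses: ./sign
        with:
          plugin_name: e2e-test-plugin
          plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
          plugin_checksum: be8d035024d3a96afb4118af32f2e201f126c7254b02f7bcffb3e3149d744fd2
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}

      # NOTE(review): E2E_SIGNING_KEY comes from a repository secret and is
      # exported to this and most later ./sign steps. Nothing visible in this
      # workflow reads it, and on pull requests from forks the secret resolves
      # to an empty string. Confirm the plugin needs it; drop it otherwise.
      - name: Sign artifact with multiple plugin_config
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: e2e-test-plugin
          plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
          plugin_checksum: be8d035024d3a96afb4118af32f2e201f126c7254b02f7bcffb3e3149d744fd2
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}
            key=val
            foo=bar

      # Negative case: plugin_name does not match the downloaded plugin.
      - name: Sign artifact with invalid plugin name
        continue-on-error: true
        id: invalid-plugin-name
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: invalid-plugin
          plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
          plugin_checksum: be8d035024d3a96afb4118af32f2e201f126c7254b02f7bcffb3e3149d744fd2
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}
      - name: 'Should Fail: Sign artifact with invalid plugin name'
        if: steps.invalid-plugin-name.outcome != 'failure'
        run: |
          echo "Sign artifact with invalid plugin name should fail, but succeeded."
          exit 1

      # Negative case: plugin_url is not a URL.
      - name: Sign artifact with invalid plugin url
        continue-on-error: true
        id: invalid-plugin-url
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: test
          plugin_url: invalid-url
          plugin_checksum: test
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}
      - name: 'Should Fail: Sign artifact with invalid plugin url'
        if: steps.invalid-plugin-url.outcome != 'failure'
        run: |
          echo "Sign artifact with invalid plugin url should fail, but succeeded."
          exit 1

      # Negative case: a plugin download without plugin_checksum must be
      # refused, so an unverified binary is never installed.
      - name: Sign artifact missing plugin checksum
        continue-on-error: true
        id: missing-plugin-checksum
        uses: ./sign
        with:
          plugin_name: test
          plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}
      - name: 'Should Fail: Sign artifact missing plugin checksum'
        if: steps.missing-plugin-checksum.outcome != 'failure'
        run: |
          echo "Sign artifact missing plugin checksum should fail, but succeeded."
          exit 1

      # Negative case: plugin_checksum does not match the downloaded tarball.
      - name: Sign artifact with invalid plugin checksum
        continue-on-error: true
        id: invalid-plugin-checksum
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: test
          plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
          plugin_checksum: abcdef
          key_id: ${{ env.E2E_CERT }}
          target_artifact_reference: ${{ env.target_artifact_reference }}
          signature_format: cose
          plugin_config: |-
            keyFile=${{ env.E2E_KEY }}
      - name: 'Should Fail: Sign artifact with invalid plugin checksum'
        if: steps.invalid-plugin-checksum.outcome != 'failure'
        run: |
          echo "Sign artifact with invalid plugin checksum should fail, but succeeded."
          exit 1

      # Negative case: key_id is omitted.
      - name: Sign artifact missing key id
        continue-on-error: true
        id: missing-key-id
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: test
          plugin_url: https://test
          plugin_checksum: abcdef
          target_artifact_reference: test
      - name: 'Should Fail: Sign artifact missing key id'
        if: steps.missing-key-id.outcome != 'failure'
        run: |
          echo "Sign artifact missing key id should fail, but succeeded."
          exit 1

      # Negative case: target_artifact_reference is omitted.
      # Uses the checked-out ./sign like every other case. The original step
      # referenced notaryproject/notation-action/sign@main, which tests the
      # main branch instead of the revision under test and hands the secret in
      # `env` to an action resolved from a mutable branch ref.
      - name: Sign artifact missing target artifact reference
        continue-on-error: true
        id: missing-artifact-reference
        uses: ./sign
        env:
          E2E_SIGNING_KEY: ${{ secrets.E2E_SIGNING_KEY }}
        with:
          plugin_name: test
          plugin_url: https://test
          plugin_checksum: abcdef
          key_id: test
      - name: 'Should Fail: Sign artifact missing target artifact reference'
        if: steps.missing-artifact-reference.outcome != 'failure'
        run: |
          echo "Sign artifact missing target artifact reference should fail, but succeeded."
          exit 1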