-
Notifications
You must be signed in to change notification settings - Fork 8
215 lines (196 loc) · 8.87 KB
/
e2e-test-verify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
# Copyright The Notary Project Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: e2e-test-verify
on:
push:
pull_request:
env:
E2E_KEY: /home/runner/.config/notation/localkeys/e2e-test.key
E2E_CERT: /home/runner/.config/notation/localkeys/e2e-test.crt
jobs:
e2e-test-verify:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build and push to local registry
id: image1
uses: docker/build-push-action@v6
with:
context: ./tests/e2e
push: true
tags: localhost:5000/image1:latest
- name: Build and push to local registry
id: image2
uses: docker/build-push-action@v6
with:
context: ./tests/e2e
push: true
tags: localhost:5000/image2:latest
- name: Retrieve digest
run: |
echo "target_artifact_reference=localhost:5000/image1@${{ steps.image1.outputs.digest }}" >> "$GITHUB_ENV"
echo "target_artifact_reference2=localhost:5000/image2@${{ steps.image2.outputs.digest }}" >> "$GITHUB_ENV"
# Setting up Notation CLI on the runner
- name: Setup Notation
uses: ./setup
# Generate test
- name: Notation generate-test
run: |
notation cert generate-test "e2e-test"
notation cert delete --type ca --store e2e-test -y --all
mkdir -p ${GITHUB_WORKSPACE}/tests/e2e/verify/truststore/x509/ca/e2e-test
cp ${{ env.E2E_CERT }} ${GITHUB_WORKSPACE}/tests/e2e/verify/truststore/x509/ca/e2e-test/e2e-test.crt
# Sign artifact
- name: Sign multiple artifacts using notation plugin
uses: ./sign
with:
plugin_name: e2e-test-plugin
plugin_url: https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz
plugin_checksum: be8d035024d3a96afb4118af32f2e201f126c7254b02f7bcffb3e3149d744fd2
key_id: ${{ env.E2E_CERT }}
target_artifact_reference: |-
${{ env.target_artifact_reference }}
${{ env.target_artifact_reference2 }}
signature_format: cose
plugin_config: |-
keyFile=${{ env.E2E_KEY }}
timestamp_url: http://timestamp.digicert.com
timestamp_root_cert: ./tests/e2e/sign/tsaRootCert/DigiCertTSARootSHA384.cer
force_referrers_tag: 'false'
# E2E test cases on Notation Verify
- name: Verify released artifact
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
- name: Verify released artifact again with the same notation configuration
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
- name: Verify released artifact with timestamp verification enabled
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/timestampVerificationEnabled.json
trust_store: ./tests/e2e/verify/truststore
- name: Verify multiple released artifacts
uses: ./verify
with:
target_artifact_reference: |-
${{ env.target_artifact_reference }}
${{ env.target_artifact_reference2 }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
- name: Verify with allow_referrers_api set to true
uses: ./verify
env:
NOTATION_EXPERIMENTAL: 1
with:
target_artifact_reference: |-
${{ env.target_artifact_reference }}
${{ env.target_artifact_reference2 }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
allow_referrers_api: 'true'
- name: Verify multiple released artifacts with timestamp verification enabled
uses: ./verify
with:
target_artifact_reference: |-
${{ env.target_artifact_reference }}
${{ env.target_artifact_reference2 }}
trust_policy: ./tests/e2e/verify/trustpolicy/timestampVerificationEnabled.json
trust_store: ./tests/e2e/verify/truststore
- name: Verify released artifact missing target artifact reference
continue-on-error: true
id: missing-artifact-reference
uses: ./verify
with:
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
- name: 'Should Fail: Verify released artifact missing target artifact reference'
if: steps.missing-artifact-reference.outcome != 'failure'
run: |
echo "Verify released artifact missing target artifact reference should fail, but succeeded."
exit 1
- name: Verify released artifact missing trust policy
continue-on-error: true
id: missing-trust-policy
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_store: ./tests/e2e/verify/truststore
- name: 'Should Fail: Verify released artifact missing trust policy'
if: steps.missing-trust-policy.outcome != 'failure'
run: |
echo "Verify released artifact missing trust policy should fail, but succeeded."
exit 1
- name: Verify released artifact with invalid trust policy
continue-on-error: true
id: invalid-trust-policy
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/invalid-trustpolicy.json
trust_store: ./tests/e2e/verify/truststore
- name: 'Should Fail: Verify released artifact with invalid trust policy'
if: steps.invalid-trust-policy.outcome != 'failure'
run: |
echo "Verify released artifact with invalid trust policy should fail, but succeeded."
exit 1
- name: Verify released artifact missing trust store
continue-on-error: true
id: missing-trust-store
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
- name: 'Should Fail: Verify released artifact missing trust store'
if: steps.missing-trust-store.outcome != 'failure'
run: |
echo "Verify released artifact missing trust store should fail, but succeeded."
exit 1
- name: Verify released artifact with invalid trust store structure
continue-on-error: true
id: invalid-trust-store
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/invalid-trust-store/x509
- name: 'Should Fail: Verify released artifact with invalid trust store structure'
if: steps.invalid-trust-store.outcome != 'failure'
run: |
echo "Verify released artifact with invalid trust store structure should fail, but succeeded."
exit 1
- name: Verify released artifact without valid cert in trust store
continue-on-error: true
id: invalid-cert
uses: ./verify
with:
target_artifact_reference: ${{ env.target_artifact_reference }}
trust_policy: ./tests/e2e/verify/trustpolicy/trustpolicy.json
trust_store: ./tests/e2e/verify/truststore/invalid-trust-store
- name: 'Should Fail: Verify released artifact without valid cert in trust store'
if: steps.invalid-cert.outcome != 'failure'
run: |
echo "Verify released artifact without valid cert in trust store should fail, but succeeded."
exit 1