Skip to content

CI

CI #622

Workflow file for this run

name: CI
on:
push:
branches:
- main
pull_request:
schedule:
- cron: "0 12 * * *"
permissions: {}
jobs:
ruby-versions:
uses: ruby/actions/.github/workflows/ruby_versions.yml@3fbf038d6f0d8043b914f923764c61bc2a114a77
with:
engine: cruby-truffleruby
min_version: 3.1
test:
needs: ruby-versions
runs-on: ${{ matrix.os }}
name: Test Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
os: [ubuntu-latest]
# os: [ ubuntu-latest, macos-latest, windows-latest ]
# include:
# - { os: windows-latest, ruby: ucrt }
# - { os: windows-latest, ruby: mingw }
# - { os: windows-latest, ruby: mswin }
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
- name: Run the tests
run: bin/rake test
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: sigstore/sigstore-ruby
sigstore-conformance:
needs: ruby-versions
runs-on: ${{ matrix.os }}
name: Sigstore Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
os: [ubuntu-latest]
# os: [ ubuntu-latest, macos-latest, windows-latest ]
# include:
# - { os: windows-latest, ruby: ucrt }
# - { os: windows-latest, ruby: mingw }
# - { os: windows-latest, ruby: mswin }
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
- name: Run the conformance tests
uses: sigstore/sigstore-conformance@d93d46c0e864084fbb78015a5b7d4f5b1d7e641d
with:
entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
xfail: "${{ matrix.ruby != 'head' && 'test_verify_rejects_bad_tsa_timestamp' }}"
if: ${{ matrix.os }} == "ubuntu-latest"
- name: Run the conformance tests against staging
uses: sigstore/sigstore-conformance@d93d46c0e864084fbb78015a5b7d4f5b1d7e641d
with:
entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
xfail: "${{ matrix.ruby != 'head' && 'test_verify_rejects_bad_tsa_timestamp' }}"
environment: staging
if: ${{ matrix.os }} == "ubuntu-latest"
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: sigstore/sigstore-ruby
tuf-conformance:
needs: ruby-versions
runs-on: ${{ matrix.os }}
name: TUF Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
os: [ubuntu-latest]
# os: [ ubuntu-latest, macos-latest, windows-latest ]
# include:
# - { os: windows-latest, ruby: ucrt }
# - { os: windows-latest, ruby: mingw }
# - { os: windows-latest, ruby: mswin }
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
- name: Touch requirements.txt
run: touch requirements.txt
- name: Run the TUF conformance tests
uses: theupdateframework/tuf-conformance@ad0e8bef1a9a1c7af993c3d56376ce624a0f10f2
with:
entrypoint: ${{ github.workspace }}/bin/tuf-conformance-entrypoint
artifact-name: "test repositories ${{ matrix.ruby }} ${{ matrix.os }}"
if: |
${{ matrix.os }} == "ubuntu-latest"
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: sigstore/sigstore-ruby
smoketest:
needs: ruby-versions
runs-on: ubuntu-latest
name: Smoketest
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
os: [ubuntu-latest]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
bundler-cache: true
- name: Build the gem
run: bin/rake build
- name: Run the smoketest
run: |
# we smoke-test sigstore by installing each of the distributions
# we've built in a fresh environment and using each to sign and
# verify for itself, using the ambient OIDC identity
for dist in pkg/*; do
./bin/smoketest "${dist}"
done
env:
WORKFLOW_NAME: ci
all-tests-pass:
if: always()
needs:
- test
- sigstore-conformance
- tuf-conformance
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: check test jobs
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
lint:
needs: ruby-versions
runs-on: ubuntu-latest
name: Lint
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
bundler-cache: true
- name: Run the linter
run: bin/rubocop