
feat: testing mode from non-main slsa-framework/slsa-github-generator branches #797

Open
wants to merge 2 commits into base: main

Conversation

ramonpetgrave64
Copy link
Contributor

Allow verifying provenances from the slsa-framework/slsa-github-generator branches.
This is useful during development.

We could also allow the tester to customize the repo, to perhaps their own fork. example:

SLSA_VERIFIER_TESTING_ALTERNATE_SOURCE_REPO="ramonpetgrave64/slsa-verifier" \
    go run . verify-artifact ...

Testing

Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review August 8, 2024 20:04
@ramonpetgrave64 ramonpetgrave64 requested a review from a team as a code owner August 8, 2024 20:04
@ramonpetgrave64
Copy link
Contributor Author

@ianlewis @laurentsimon

@@ -330,6 +330,13 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
}
}

// Exception for slsa-framework/slsa-github-generator branches during testing mode
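Review bot: the comment added at the end of this hunk says the branch exception is for testing mode but not what enables it; since it sits inside isValidDelegatorBuilderID, which otherwise rejects builder IDs that are not from a trusted source, the new block should be gated on an explicit opt-in (SLSA_VERIFIER_TESTING, as discussed in this thread) and the comment should name that variable and state that the exception is unreachable when it is unset, so a reader can confirm normal verification is unchanged.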


I think I would prefer maybe your other suggestion that the user defines the verification repo path in their test rather than modifying the normal behavior of the code conditionally.

Copy link
Member


The alternate suggestion is maybe fine as long as it only works if SLSA_VERIFIER_TESTING is explicitly enabled. This prints warning messages etc., IIRC.
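An added sketch of the gating discussed in the PR description and in the comment above; this is example code, not slsa-verifier's implementation. It assumes the builder ID layout "https://github.com/<owner>/<repo>/<workflow path>@<ref>", takes the environment as a map so it can be tested, and honours the alternate source repo and non-tag branch refs only when SLSA_VERIFIER_TESTING is explicitly set.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

const defaultSourceRepo = "slsa-framework/slsa-github-generator" // assumed trusted builder repo

// parseBuilderID splits "https://github.com/<owner>/<repo>/<workflow path>@<ref>"
// into "<owner>/<repo>" and "<ref>" (layout assumed for this example).
func parseBuilderID(id string) (repo, ref string, ok bool) {
	hasPrefix := strings.HasPrefix(id, "https://github.com/")
	path, ref, hasRef := strings.Cut(strings.TrimPrefix(id, "https://github.com/"), "@")
	parts := strings.SplitN(path, "/", 3)
	if !hasPrefix || !hasRef || len(parts) < 3 {
		return "", "", false
	}
	return parts[0] + "/" + parts[1], ref, true
}

// expectedSourceRepo returns the repo whose workflows may act as the builder and whether
// testing mode is on. The override is ignored unless SLSA_VERIFIER_TESTING is explicitly set.
func expectedSourceRepo(env map[string]string) (repo string, testMode bool) {
	testMode = env["SLSA_VERIFIER_TESTING"] == "1"
	if alt := env["SLSA_VERIFIER_TESTING_ALTERNATE_SOURCE_REPO"]; testMode && alt != "" {
		return alt, true
	}
	return defaultSourceRepo, testMode
}

// checkDelegatorBuilderID accepts release tags of the expected repo; branch refs are
// accepted only in testing mode, with a warning so the relaxation is visible in output.
func checkDelegatorBuilderID(builderID string, env map[string]string) error {
	repo, ref, ok := parseBuilderID(builderID)
	want, testMode := expectedSourceRepo(env)
	if !ok || repo != want {
		return fmt.Errorf("untrusted builder ID %q: want a workflow from %s", builderID, want)
	}
	if strings.HasPrefix(ref, "refs/tags/v") {
		return nil
	}
	if testMode && strings.HasPrefix(ref, "refs/heads/") {
		fmt.Fprintf(os.Stderr, "WARNING: SLSA_VERIFIER_TESTING set, accepting branch ref %q\n", ref)
		return nil
	}
	return fmt.Errorf("untrusted builder ref %q: not a release tag", ref)
}
```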

@ianlewis
Copy link
Member

Is this to support running slsa-verifier in slsa-github-generator pre-submits? I kind of thought we did this already but maybe I'm misremembering?

@ramonpetgrave64
Copy link
Contributor Author

@ianlewis not for pre-submits, or pull_request events, but for push events, since id-token isn't available for PRs. And so far it seems not yet resolved.

So I might be testing changes on a separate branch "ramoneptgrave64-my-tests" that exists on the slsa-framework/slsa-github-generator repo.

@ramonpetgrave64
Copy link
Contributor Author

Additional discussion, considering using an alternative identity token within PRs

ramonpetgrave64 added a commit that referenced this pull request Oct 29, 2024
Followup to
slsa-framework/slsa-github-generator#3777

This PR adds a missing modification for getting the leaf certificate in
the new Bundle format v0.3.

In my original experiments, I did have this method in a dev branch, but
neglected to include it in the final PR.
- main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107
- https://github.com/slsa-framework/slsa-verifier/pull/799/files

## Testing

- I re-used the same attestation file from a failing workflow for unit tests and manual invocation.
- https://github.com/slsa-framework/example-package/actions/runs/11511156484

## Followup

- Finish finding a way to test changes within PRs.
- slsa-framework/slsa-github-generator#3777 (comment)
  - #797

---------

Signed-off-by: Ramon Petgrave <[email protected]>

3 participants