Add support for verifying dsse-intoto #2209

	name: Conformance Tests

	on:
	push:
	branches:
	- '**'
	pull_request:
	# TODO: add cron

	jobs:
	conformance:
	strategy:
	max-parallel: 1
	matrix:
	java-version: [11, 17]
	sigstore-env: [production, staging]
	fail-fast: false

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Set up JDK ${{ matrix.java-version }}
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
	with:
	java-version: ${{ matrix.java-version }}
	distribution: 'temurin'

	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0

	- name: Build sigstore-java cli
	run: ./gradlew :sigstore-cli:build

	- name: Unpack sigstore-java distribution
	run: tar -xvf ${{ github.workspace }}/sigstore-cli/build/distributions/sigstore-cli-*.tar --strip-components 1

	- uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
	with:
	entrypoint: ${{ github.workspace }}/bin/sigstore-cli
	environment: ${{ matrix.sigstore-env }}
	xfail: "test_verify_dsse_bundle_with_trust_root"

Provide feedback