Skip to content

Sign Bundle with a Timestamp Authority #4678

Sign Bundle with a Timestamp Authority

Sign Bundle with a Timestamp Authority #4678

Workflow file for this run

name: CI
on:
push:
branches:
- main
- series/*
pull_request:
schedule:
- cron: '0 12 * * *'
jobs:
test:
permissions:
# Needed to access the workflow's OIDC identity.
id-token: write
strategy:
matrix:
conf:
- { py: "3.9", os: "ubuntu-latest" }
- { py: "3.10", os: "ubuntu-latest" }
- { py: "3.11", os: "ubuntu-latest" }
- { py: "3.12", os: "ubuntu-latest" }
- { py: "3.13", os: "ubuntu-latest" }
# NOTE: We only test Windows and macOS on the latest Python;
# these primarily exist to ensure that we don't accidentally
# introduce Linux-isms into the development tooling.
- { py: "3.13", os: "windows-latest" }
- { py: "3.13", os: "macos-latest" }
runs-on: ${{ matrix.conf.os }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ matrix.conf.py }}
allow-prereleases: true
cache: "pip"
cache-dependency-path: pyproject.toml
- name: deps
run: make dev SIGSTORE_EXTRA=test
- name: test (offline)
if: matrix.conf.os == 'ubuntu-latest'
run: |
# We use `unshare` to "un-share" the default networking namespace,
# in effect running the tests as if the host is offline.
# This in turn effectively exercises the correctness of our
# "online-only" test markers, since any test that's online
# but not marked as such will fail.
# We also explicitly exclude the intergration tests, since these are
# always online.
unshare --map-root-user --net make test T="test/unit" TEST_ARGS="--skip-online -vv --showlocals"
- name: test
run: make test TEST_ARGS="-vv --showlocals"
- name: test (timestamp-authority)
if: ${{ matrix.conf.os == 'ubuntu-latest' }}
run: |
wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
chmod +x /tmp/timestamp-server
# Run the TSA in background
/tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring &
export TEST_SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp"
make test TEST_ARGS="-m timestamp_authority"
env:
SIGSTORE_TIMESTAMP: "v1.2.3"
- name: test (interactive)
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
run: make test-interactive TEST_ARGS="-vv --showlocals"
- uses: ./.github/actions/upload-coverage
# only aggregate test coverage over linux-based tests to avoid any OS-specific filesystem information stored in
# coverage metadata.
if: ${{ matrix.conf.os == 'ubuntu-latest' }}
all-tests-pass:
if: always()
needs:
- test
runs-on: ubuntu-latest
steps:
- name: check test jobs
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
coverage:
needs:
- test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.x'
- run: pip install coverage[toml]
- name: download coverage data
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: all-artifacts/
- name: combine coverage data
id: combinecoverage
run: |
set +e
python -m coverage combine all-artifacts/coverage-data-*
echo "## python coverage" >> $GITHUB_STEP_SUMMARY
python -m coverage report -m --format=markdown >> $GITHUB_STEP_SUMMARY