feat: testing mode from non-main slsa-framework/slsa-github-generator branches #797
…nches in testing mode Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
@@ -330,6 +330,13 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error { | |||
} | |||
} | |||
|
|||
// Exception for slsa-framework/slsa-github-generator branches during testing mode |
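Review bot: the exception announced by the new comment at the end of this hunk, in isValidDelegatorBuilderID, relaxes which builder refs the verifier accepts, so the code under it should take effect only when testing mode is explicitly enabled and only for the slsa-framework/slsa-github-generator repository named in the comment. The comment should state that condition itself (the thread mentions SLSA_VERIFIER_TESTING), and a unit test should confirm that a provenance built from a non-main branch is still rejected when testing mode is off.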
I think I would prefer maybe your other suggestion that the user defines the verification repo path in their test rather than modifying the normal behavior of the code conditionally.
The alternate suggestion is maybe fine as long as it only works if `SLSA_VERIFIER_TESTING` is explicitly enabled. This prints warning messages etc., IIRC.
Is this to support running slsa-verifier in slsa-github-generator pre-submits? I kind of thought we did this already but maybe I'm misremembering?
@ianlewis not for pre-submits, or So I might be testing changes on a separate branch "ramoneptgrave64-my-tests" that exists on the slsa-framework/slsa-github-generator repo.
Additional discussion, considering using an alternative identity token within PRs
Followup to slsa-framework/slsa-github-generator#3777

This PR adds a missing modification for getting the leaf certificate in the new Bundle format v0.3. In my original experiments, I did have this method in a dev branch, but neglected to include it in the final PR.

- main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107
- https://github.com/slsa-framework/slsa-verifier/pull/799/files

## Testing

- I re-used the same attestation file from a failing workflow for unit tests and manual invocation.
  - https://github.com/slsa-framework/example-package/actions/runs/11511156484

## Followup

- Finish finding a way to test changes within PRs.
  - slsa-framework/slsa-github-generator#3777 (comment)
  - #797

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Allow verifying provenances from the slsa-framework/slsa-github-generator branches.
This is useful during development.
We could also allow the tester to customize the repo, to perhaps their own fork. example:
Testing