feat: add custom sigstore conformance tests (#10473)

* feat: add custom sigstore conformance tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: debug Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: debug Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: debug Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: debug Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add custom sigstore values back Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove debug Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2024-06-14 19:23:06 +05:30 · 2024-06-14 19:23:06 +05:30 · c305fbc070
commit c305fbc070
parent 46b9a6e3e2
2 changed files with 7 additions and 4 deletions
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -615,6 +615,7 @@ jobs:
          - name: custom-sigstore
            values:
              - standard
+              - custom-sigstore
        k8s-version:
          - name: v1.27
            version: v1.27.x
@ -645,7 +646,7 @@ jobs:
        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
      # create cluster
      - name: Create kind cluster and setup Sigstore Scaffolding
-        uses: sigstore/scaffolding/actions/setup@19922c022ce4d4d5511e0adcd56df6eb2f41b8a6
+        uses: sigstore/scaffolding/actions/setup@d9197cb16e744297de67cfeef8a8e247d31206c4
        with:
          version: main
          k8s-version: ${{ matrix.k8s-version.version }}
@ -684,7 +685,7 @@ jobs:
          TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h
          crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL
          cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json
-          COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y
+          COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y
          echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV
      # run tests
      - name: Test with Chainsaw
@ -1005,6 +1006,7 @@ jobs:
      - k8s-version-specific-tests-above-1-28
      - validatingadmissionpolicies-reports-v1alpha1
      - validatingadmissionpolicies-reports-v1beta1
+      - custom-sigstore
      - default
      - monitor-helm-secret-size
      - check-tests
@ -1023,6 +1025,7 @@ jobs:
      - k8s-version-specific-tests-above-1-28
      - validatingadmissionpolicies-reports-v1alpha1
      - validatingadmissionpolicies-reports-v1beta1
+      - custom-sigstore
      - default
      - monitor-helm-secret-size
      - check-tests
--- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
@ -27,7 +27,7 @@ spec:
        entries:
        - keyless:
            issuer: "https://kubernetes.default.svc.cluster.local"
-            subject: "*"
+            subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default"
            rekor:
              url: "{{ tufvalues.data.REKOR_URL }}"
-      required: true
+      required: true