Bundle signing using TSA #353
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
- series/* | |
pull_request: | |
schedule: | |
- cron: '0 12 * * *' | |
jobs: | |
test: | |
permissions: | |
# Needed to access the workflow's OIDC identity. | |
id-token: write | |
strategy: | |
matrix: | |
conf: | |
- { py: "3.9", os: "ubuntu-latest" } | |
- { py: "3.10", os: "ubuntu-latest" } | |
- { py: "3.11", os: "ubuntu-latest" } | |
- { py: "3.12", os: "ubuntu-latest" } | |
- { py: "3.13", os: "ubuntu-latest" } | |
# NOTE: We only test Windows and macOS on the latest Python; | |
# these primarily exist to ensure that we don't accidentally | |
# introduce Linux-isms into the development tooling. | |
- { py: "3.13", os: "windows-latest" } | |
- { py: "3.13", os: "macos-latest" } | |
runs-on: ${{ matrix.conf.os }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
with: | |
python-version: ${{ matrix.conf.py }} | |
allow-prereleases: true | |
cache: "pip" | |
cache-dependency-path: pyproject.toml | |
- name: deps | |
run: make dev SIGSTORE_EXTRA=test | |
- name: test (offline) | |
if: matrix.conf.os == 'ubuntu-latest' | |
run: | | |
# We use `unshare` to "un-share" the default networking namespace, | |
# in effect running the tests as if the host is offline. | |
# This in turn effectively exercises the correctness of our | |
# "online-only" test markers, since any test that's online | |
# but not marked as such will fail. | |
# We also explicitly exclude the intergration tests, since these are | |
# always online. | |
unshare --map-root-user --net make test T="test/unit" TEST_ARGS="--skip-online -vv --showlocals" | |
- name: test | |
run: make test TEST_ARGS="-vv --showlocals" | |
- name: test (timestamp-authority) | |
if: ${{ matrix.conf.os == 'ubuntu-latest' }} | |
run: | | |
wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP}/timestamp-server-linux-amd64 -O /tmp/timestamp-server | |
chmod +x /tmp/timestamp-server | |
# Run the TSA in background | |
/tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring & | |
export SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp" | |
make test TEST_ARGS="-m timestamp_authority" | |
env: | |
SIGSTORE_TIMESTAMP: "v1.2.3" | |
- name: test (interactive) | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
run: make test-interactive TEST_ARGS="-vv --showlocals" | |
- uses: ./.github/actions/upload-coverage | |
# only aggregate test coverage over linux-based tests to avoid any OS-specific filesystem information stored in | |
# coverage metadata. | |
if: ${{ matrix.conf.os == 'ubuntu-latest' }} | |
all-tests-pass: | |
if: always() | |
needs: | |
- test | |
runs-on: ubuntu-latest | |
steps: | |
- name: check test jobs | |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 | |
with: | |
jobs: ${{ toJSON(needs) }} | |
coverage: | |
needs: | |
- test | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
with: | |
python-version: '3.x' | |
- run: pip install coverage[toml] | |
- name: download coverage data | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: all-artifacts/ | |
- name: combine coverage data | |
id: combinecoverage | |
run: | | |
set +e | |
python -m coverage combine all-artifacts/coverage-data-* | |
echo "## python coverage" >> $GITHUB_STEP_SUMMARY | |
python -m coverage report -m --format=markdown >> $GITHUB_STEP_SUMMARY |