only write attestation for non-private repos

Conor Sloan
2024-04-15 12:26:26 +01:00
parent 6dc0f68595
commit 507635d01b
7 changed files with 149 additions and 41 deletions
+35 -2
@@ -162,6 +162,34 @@ describe('config.resolvePublishActionOptions', () => {
)
})
it('throws an error when returned repository id does not match env var', async () => {
getInputMock.mockReturnValueOnce('token')
getContainerRegistryURLMock.mockResolvedValue(ghcrUrl)
getRepositoryMetadataMock.mockResolvedValue({
visibility: 'public',
ownerId: '12345',
repoId: '54321'
})
await expect(cfg.resolvePublishActionOptions()).rejects.toThrow(
'Repository ID mismatch.'
)
})
it('throws an error when returned repository owner id does not match env var', async () => {
getInputMock.mockReturnValueOnce('token')
getContainerRegistryURLMock.mockResolvedValue(ghcrUrl)
getRepositoryMetadataMock.mockResolvedValue({
visibility: 'public',
ownerId: '123124',
repoId: 'repositoryId'
})
await expect(cfg.resolvePublishActionOptions()).rejects.toThrow(
'Repository Owner ID mismatch.'
)
})
it('returns options when all values are present', async () => {
getInputMock.mockImplementation((name: string) => {
expect(name).toBe('github-token')
@@ -170,7 +198,9 @@ describe('config.resolvePublishActionOptions', () => {
getContainerRegistryURLMock.mockResolvedValue(ghcrUrl)
getRepositoryMetadataMock.mockResolvedValue({
visibility: 'public'
visibility: 'public',
repoId: 'repositoryId',
ownerId: 'repositoryOwnerId'
})
const options = await cfg.resolvePublishActionOptions()
@@ -198,8 +228,11 @@ describe('config.resolvePublishActionOptions', () => {
return 'token'
})
getContainerRegistryURLMock.mockResolvedValue(ghcrUrl)
getRepositoryMetadataMock.mockResolvedValue({
visibility: 'public'
visibility: 'public',
repoId: 'repositoryId',
ownerId: 'repositoryOwnerId'
})
process.env.GITHUB_SERVER_URL = 'https://github-enterprise.com'
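Review bot: The 'Repository ID mismatch.' case in the first hunk does not isolate the repository-id check, because its mocked metadata also carries `ownerId: '12345'`, which differs from the `'repositoryOwnerId'` value the passing cases use. The test therefore passes only while the repo-id comparison runs before the owner-id one; setting `ownerId: 'repositoryOwnerId'` there would make it fail if the repo-id check were removed or reordered. These comparisons decide which repository the publish options are accepted for, so a case where the metadata response omits `repoId` or `ownerId`, or where the env var is unset, would also be worth adding to confirm the resolver fails closed. The env setup these tests rely on is outside the visible hunks, so the expected matching values are inferred from the happy-path mocks.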
+86 -3
@@ -241,7 +241,7 @@ describe('run', () => {
expect(setFailedMock).toHaveBeenCalledWith('Something went wrong')
})
it('uploads the artifact, returns package metadata from GHCR, and creates an attestation in enterprise', async () => {
it('uploads the artifact, returns package metadata from GHCR, and skips writing attestation in enterprise', async () => {
const options = baseOptions()
options.isEnterprise = true
resolvePublishActionOptionsMock.mockReturnValue(options)
@@ -299,7 +299,7 @@ describe('run', () => {
)
})
it('uploads the artifact, returns package metadata from GHCR, and creates an attestation in non-enterprise', async () => {
it('uploads the artifact, returns package metadata from GHCR, and creates an attestation in non-enterprise for public repo', async () => {
resolvePublishActionOptionsMock.mockReturnValue(baseOptions())
createTempDirMock.mockImplementation(() => {
@@ -330,7 +330,90 @@ describe('run', () => {
}
})
generateAttestationMock.mockImplementation(async () => {
generateAttestationMock.mockImplementation(async options => {
expect(options).toHaveProperty('skipWrite', false)
return {
attestationID: 'test-attestation-id',
certificate: 'test',
bundle: {
mediaType: 'application/vnd.cncf.notary.v2+jwt',
verificationMaterial: {
publicKey: {
hint: 'test-hint'
}
}
}
}
})
// Run the action
await main.run()
// Check the results
expect(publishOCIArtifactMock).toHaveBeenCalledTimes(1)
// Check outputs
expect(setOutputMock).toHaveBeenCalledTimes(4)
expect(setOutputMock).toHaveBeenCalledWith(
'package-url',
'https://ghcr.io/v2/test-org/test-repo:1.2.3'
)
expect(setOutputMock).toHaveBeenCalledWith(
'package-manifest',
expect.any(String)
)
expect(setOutputMock).toHaveBeenCalledWith(
'package-manifest-sha',
'sha256:my-test-digest'
)
expect(setOutputMock).toHaveBeenCalledWith(
'attestation-id',
'test-attestation-id'
)
})
it('uploads the artifact, returns package metadata from GHCR, and creates an attestation but skips storing it in non-enterprise for private repo', async () => {
const opts = baseOptions()
opts.repositoryVisibility = 'private'
resolvePublishActionOptionsMock.mockReturnValue(opts)
createTempDirMock.mockImplementation(() => {
return 'stagingOrArchivesDir'
})
stageActionFilesMock.mockImplementation(() => {})
createArchivesMock.mockImplementation(() => {
return {
zipFile: {
path: 'test',
size: 5,
sha256: '123'
},
tarFile: {
path: 'test2',
size: 52,
sha256: '1234'
}
}
})
publishOCIArtifactMock.mockImplementation(() => {
return {
packageURL: 'https://ghcr.io/v2/test-org/test-repo:1.2.3',
manifestDigest: 'sha256:my-test-digest'
}
})
generateAttestationMock.mockImplementation(async options => {
expect(options).toHaveProperty('skipWrite', true)
return {
attestationID: 'test-attestation-id',
certificate: 'test',