✨ Allow main branch only for trusted builder and e2e tests repos #63
In order to fix the unit tests, we need to merge slsa-framework/slsa-github-generator#86 and generate the provenance with the trusted builder pinned with a tag. This is because starting with this PR, we only accept tagged trusted builders (except for the old ones, which we're going to deprecate as well once we fix the other unit tests).
01a3588 to 242e8af
Ready for review, PTAL
@@ -31,259 +32,260 @@ func Test_runVerify(t *testing.T) { | |||
{ | |||
name: "valid main branch default", | |||
artifact: "./testdata/binary-linux-amd64-workflow_dispatch", | |||
source: "github.com/asraa/slsa-on-github-test", | |||
source: "github.com/laurentsimon/slsa-verifier-test-gen", |
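Review bot: the two source: values in the "valid main branch default" case both name personal repositories (github.com/asraa/slsa-on-github-test and github.com/laurentsimon/slsa-verifier-test-gen), so the fixture ./testdata/binary-linux-amd64-workflow_dispatch can only be regenerated by whoever owns the repository that built it. Suggest producing the test artifacts from an organization-owned repository and recording, next to testdata, which repository and workflow generated each binary, so the expected source string in this table does not have to change with the person regenerating the data.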
Was changing this necessary for some reason?
Just because I don't have access to Asra's repo, so I could not re-generate the binaries under metadata/. In the future, I think we may want to create a repo just for that. I can create a repo under https://github.com/ossf-tests/, like https://github.com/ossf-tests/slsa-test-generators, or we create a new repo under slsa-framework.
I see. We need to re-generate them by building in a GitHub Action, but I guess doing it in this repo is problematic? Maybe a workflow that is only triggered by workflow_dispatch would work?
We probably want to have a readme in the testdata directory to document how to regenerate it.
Agreed on all these steps. What repo name shall we create?
Under ossf-tests is fine probably
+1 that we need a generator test repository that we have perms to trigger workflows
fac8643 to 31a6e41
…a-framework#63) * updates * updates * updates * updates * updates * updates * updates * updates * updates * updates * Fix unit tests * unit tests * updates * updates * updates * updates * updates
This is part of trying to reduce the time of compilation slsa-framework/slsa-github-generator#74
This PR allows the trusted builder and e2e repos to build using a trusted builder referenced at @main. This is an exception that is needed to use the builder binary generated during a release: the builder needs to build itself from main. For the e2e tests, we also want to test at main. For any other repos, this is not allowed, and a trusted builder referenced at a version/tag is required.
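
The rule described above, sketched as an added example (not code from this PR or from slsa-verifier). It assumes builder IDs of the form `<owner>/<repo>/<workflow path>@<git ref>` with refs written as `refs/tags/...` or `refs/heads/main`, that slsa-framework/slsa-github-generator is the trusted builder repository, and a hypothetical e2e repository name; the workflow file name and tag are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumptions for illustration: the builder repository and the e2e placeholder.
const trustedBuilderRepo = "slsa-framework/slsa-github-generator"

var e2eTestRepos = map[string]bool{"example-org/e2e-tests": true} // hypothetical name

// checkBuilderRef reports whether provenance from sourceRepo may reference the
// builder workflow builderID ("<owner>/<repo>/<workflow path>@<git ref>").
func checkBuilderRef(sourceRepo, builderID string) error {
	sourceRepo = strings.TrimPrefix(sourceRepo, "github.com/")
	parts := strings.SplitN(builderID, "@", 2)
	if len(parts) != 2 {
		return fmt.Errorf("builder %q carries no ref", builderID)
	}
	path, ref := parts[0], parts[1]
	if !strings.HasPrefix(path, trustedBuilderRepo+"/") {
		return fmt.Errorf("%q is not a workflow of the trusted builder", path)
	}
	switch {
	case strings.HasPrefix(ref, "refs/tags/") && ref != "refs/tags/":
		return nil // pinned to a tag: accepted for any source repository
	case ref == "refs/heads/main":
		if sourceRepo == trustedBuilderRepo || e2eTestRepos[sourceRepo] {
			return nil // the exception: builder building itself, or e2e tests
		}
		return fmt.Errorf("%s must reference the builder at a tag, not main", sourceRepo)
	}
	return fmt.Errorf("ref %q is neither a tag nor main", ref)
}

func main() {
	// Constructed builder IDs; the workflow file name and tag are made up.
	const wf = trustedBuilderRepo + "/.github/workflows/builder.yml@"
	for _, c := range [][2]string{
		{"github.com/laurentsimon/slsa-verifier-test-gen", wf + "refs/tags/v0.0.1"},
		{"github.com/laurentsimon/slsa-verifier-test-gen", wf + "refs/heads/main"},
		{trustedBuilderRepo, wf + "refs/heads/main"},
		{"example-org/e2e-tests", wf + "refs/heads/main"},
	} {
		fmt.Printf("%-48s %-16s -> %v\n", c[0], strings.SplitN(c[1], "@", 2)[1], checkBuilderRef(c[0], c[1]))
	}
}
```

Only the second constructed case is rejected: an ordinary source repository whose provenance references the builder at main.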