
feat(tests): private-Sigstore bundle-signing e2e via Helm scaffold#1321

Merged
lockwobr merged 2 commits into main from feat/sigstore-scaffolding-e2e on Jun 12, 2026

Conversation

@lockwobr

Contributor

Summary

Add an automated keyless-signing e2e for aicr bundle --attest --fulcio-url --rekor-url against a self-hosted Sigstore stack, deployed from the sigstore scaffold Helm chart so it runs identically on macOS (Colima) and Linux CI.

Motivation / Context

PR #408 added --fulcio-url / --rekor-url for private Sigstore; its unit tests stub at the KeylessIdentity seam, so nothing actually issues a Fulcio cert and writes a Rekor proof against a real instance. This is the second integration test for the supply-chain epic (#1149), alongside the KMS MiniStack e2e (#1298).

The earlier sigstore/scaffolding setup-kind.sh approach deploys Knative Services behind MetalLB + Kourier + sslip.io, which are unreachable from a macOS/Colima host (Kind runs in a VM). This PR uses the scaffold Helm chart instead: plain Deployment + ClusterIP, reached via kubectl port-forward to localhost. No MetalLB, Knative, sslip.io, or sudo.

Fixes: #1215
Related: #1149, #408, #1298

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Build/CI/tooling

Component(s) Affected

  • Other: e2e test suite (tests/chainsaw/signing/) + CI workflow + tool-version pins

No product/source code (pkg/, cmd/) is changed.

Implementation Notes

  • run.sh — shared local + CI harness: kind cluster, helm install scaffold, Fulcio OIDC trust, port-forward, TLS proxy, SA token mint, chainsaw, teardown. The CI workflow builds + attests the binary then invokes run.sh, so local == CI.
  • scaffold-values.yaml — (1) Fulcio trusts the in-cluster Kubernetes ServiceAccount OIDC issuer (token minted via kubectl create token --audience sigstore); (2) Trillian's default MySQL image is amd64-only EOL 5.7 and is OOM-killed under emulation on Apple Silicon, so it is overridden to the multi-arch official mysql image (arm64-native), pinned by digest.
  • oidc-discovery-rbac.yaml — grants anonymous access to the cluster OIDC discovery endpoints Fulcio fetches; run.sh also sets SSL_CERT_FILE on the Fulcio deployment so it trusts the apiserver cert during discovery. Neither is expressible as a chart value.
  • tlsproxy/ — aicr requires https:// signing endpoints; this stdlib TLS-termination proxy fronts the plain-HTTP port-forwards with an mkcert cert. run.sh go builds it at runtime; the compiled binary is not committed.
  • Workflow: id-token: write is scoped to the job; ${{ github.repository }} passed via env (no template injection); actions pinned by SHA.
  • aicr verify cannot yet target the private Rekor, so the verify step asserts only bundle checksums (Phase 2, Integration-test private Sigstore signing via sigstore/scaffolding #1215).

Depends on #1298 for the shared mkcert wiring in .settings.yaml / load-versions; this branch should rebase onto it before merge. Until then, actionlint reports steps.versions.outputs.mkcert* as undefined (expected).

Testing

The full suite was run end-to-end against a fresh Kind cluster on macOS arm64 (Colima):

--- PASS: chainsaw/cli-bundle-attestation-private-sigstore
- Passed  tests 1   - Failed  tests 0
Private Sigstore E2E: PASSED

Static checks: shellcheck (run.sh), yamllint, golangci-lint (tlsproxy, 0 issues), actionlint (clean except the expected mkcert* pending the #1298 rebase), chainsaw parse-check.

Risk Assessment

  • Low — Isolated test/CI-only change, no product code, easy to revert.

Rollout notes: Dedicated workflow gated to same-repo events (fork PRs skip; they lack OIDC). N/A for runtime.

Checklist

  • Tests pass locally (e2e suite passes end-to-end; no Go unit tests in scope)
  • Linter passes (make lint equivalents: shellcheck/yamllint/golangci-lint/actionlint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality (this IS the test)
  • I updated docs if user-facing behavior changed (suite README added)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)
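
An added example written for this page, not the PR's own tlsproxy/main.go: a minimal stdlib TLS-terminating reverse proxy of the kind the tlsproxy/ note describes, bound to loopback with net.JoinHostPort instead of ":"+port, with a 502 error handler for an unreachable port-forward and a header timeout. Flag names, function names and the default mkcert file paths are assumptions.

```go
// Added example (not the PR's tlsproxy/main.go): a loopback-only, stdlib
// TLS-terminating reverse proxy in front of a plain-HTTP port-forward.
package main

import (
	"crypto/tls"
	"flag"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// loopbackAddr builds the listen address. Using ":"+port would bind every
// interface and expose the proxy beyond the host; JoinHostPort pins it to 127.0.0.1.
func loopbackAddr(port string) string {
	return net.JoinHostPort("127.0.0.1", port)
}

// newTerminator fronts a plain-HTTP target (e.g. a kubectl port-forward to
// Fulcio or Rekor) with TLS so a client that insists on https:// can reach it.
// cert is the mkcert-issued leaf; its SAN must match the host the client dials.
func newTerminator(port string, target *url.URL, cert tls.Certificate) *http.Server {
	rp := httputil.NewSingleHostReverseProxy(target)
	// Tell the upstream that the original hop was TLS.
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Header.Set("X-Forwarded-Proto", "https")
	}
	// Surface upstream failures as 502 instead of a bare connection reset,
	// so a wait/poll loop in the harness sees a clear status.
	rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
		log.Printf("upstream %s unreachable: %v", target.Host, err)
		http.Error(w, "bad gateway", http.StatusBadGateway)
	}
	return &http.Server{
		Addr:    loopbackAddr(port), // never ":"+port
		Handler: rp,
		TLSConfig: &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{cert},
		},
		ReadHeaderTimeout: 5 * time.Second, // bound slow-header clients
	}
}

func main() {
	// Flag names and default paths are assumptions for this example.
	port := flag.String("port", "8443", "local TLS port to listen on")
	target := flag.String("target", "http://127.0.0.1:8080", "plain-HTTP upstream")
	certFile := flag.String("cert", "localhost.pem", "TLS certificate (mkcert)")
	keyFile := flag.String("key", "localhost-key.pem", "TLS private key (mkcert)")
	flag.Parse()

	u, err := url.Parse(*target)
	if err != nil {
		log.Fatalf("bad target URL: %v", err)
	}
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		log.Fatalf("load cert: %v", err)
	}
	srv := newTerminator(*port, u, cert)
	log.Printf("terminating TLS on https://%s -> %s", srv.Addr, u)
	// Cert and key are already in TLSConfig, so the file arguments stay empty.
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```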

@lockwobr lockwobr requested review from a team as code owners June 11, 2026 19:32
@lockwobr lockwobr added area/ci area/tests theme/ci-dx CI pipelines, developer experience, and build tooling labels Jun 11, 2026
@lockwobr lockwobr self-assigned this Jun 11, 2026
@lockwobr lockwobr force-pushed the feat/sigstore-scaffolding-e2e branch from 16cef8f to 90dd801 on June 11, 2026 19:36
@coderabbitai

coderabbitai Bot commented Jun 11, 2026



Walkthrough

Adds a private-Sigstore end-to-end test: pins and exposes a scaffold Helm chart version via the load-versions composite action and .settings.yaml, a new GitHub Actions workflow that builds/artifact-checks and invokes a shared E2E harness, Chainsaw test definition and README, Helm override values and RBAC manifest for OIDC discovery, a Bash orchestration script to provision Kind and run the test, and a small TLS-terminating reverse proxy (Go) plus .gitignore entry.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

theme/supply-chain

Suggested reviewers

  • mchmarny
  • njhensley
Pre-merge checks (4 passed)

  • Title check (Passed): The title 'feat(tests): private-Sigstore bundle-signing e2e via Helm scaffold' clearly and concisely describes the main change: adding an e2e test for private-Sigstore keyless signing using Helm scaffold.
  • Description check (Passed): The PR description provides comprehensive context covering motivation, implementation details, testing results, and risk assessment, all directly related to the changeset's e2e test infrastructure for private-Sigstore signing.
  • Linked Issues check (Passed): The PR fully meets #1215 Phase 1 objectives: deploys sigstore/scaffolding via Helm chart, runs keyless signing against local Fulcio/Rekor, and asserts bundle structure with certificate and Rekor proof. Local run instructions are documented.
  • Out of Scope Changes check (Passed): All changes are scoped to e2e tests, CI workflows, version pins, and supporting infrastructure; no product code (pkg/, cmd/) is modified, keeping changes within the stated objectives.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sigstore-scaffolding-e2e.yaml:
- Around line 133-137: The workflow step consumes outputs
steps.versions.outputs.mkcert and
steps.versions.outputs.mkcert_sha256_linux_amd64 that are not defined; add those
outputs to the version-loading action and ensure the source settings include
corresponding keys (e.g., mkcert and mkcert_sha256_linux_amd64) so they
populate, or alternatively hardcode/derive MKCERT_VERSION and MKCERT_SHA256 in
the workflow; update the load-versions action (declare outputs with those names)
and the settings data source (add mkcert and mkcert_sha256_linux_amd64 entries)
so the Install mkcert step receives non-empty values.

In
`@tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml`:
- Around line 128-135: Replace brittle grep string checks in the test that
inspect "${BUNDLE}" with semantic JSON assertions using jq: instead of grep for
"verificationMaterial", "certificate", and "rawBytes" validate that
.verificationMaterial.certificate.rawBytes exists and is a non-empty string,
assert that .verificationMaterial.publicKey is absent for the keyless path, and
for checksum results assert .checksumsPassed is the boolean true (not a
whitespace-sensitive string match). Locate usages of the BUNDLE variable and the
checks around verificationMaterial.certificate.rawBytes and checksumsPassed in
the chainsaw-test.yaml and change them to jq-based queries that fail the test if
the field is missing, empty, or not the expected type/value.

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh`:
- Around line 158-167: The wait_url function can hang because curl calls lack
per-request timeouts; update the curl invocations inside wait_url to include
connection and total time limits (e.g., --connect-timeout 5 and --max-time 10)
so each poll attempt is bounded, and use the same timeout flags when capturing
the final failing output (the last="$(curl ... || true)") so the error message
reflects a timed-out attempt rather than a stuck TCP connect; modify the curl
usages within wait_url (the loop check and the final diagnostic curl)
accordingly.

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go`:
- Around line 100-107: The server is currently bound to all interfaces via Addr:
":" + listen in the srv := &http.Server {...} block; change Addr to bind to
loopback only (e.g. "127.0.0.1:"+listen or use net.JoinHostPort("127.0.0.1",
listen)) so the TLS proxy only listens on localhost. Update the same pattern for
the other server instance(s) referenced in the file (the similar Addr
assignments around lines 112-113) to ensure both proxies are loopback-only;
leave all other fields (Handler, TLSConfig, ReadHeaderTimeout) unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between 8d17940 and 16cef8f.

📒 Files selected for processing (10)
  • .github/actions/load-versions/action.yml
  • .github/workflows/sigstore-scaffolding-e2e.yaml
  • .gitignore
  • .settings.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/README.md
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/oidc-discovery-rbac.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/scaffold-values.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go

@github-actions

github-actions Bot commented Jun 11, 2026

Contributor

Coverage Report ✅

Metric Value
Coverage 77.1%
Threshold 75%
Status Pass

Coverage unchanged by this PR.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (2)
tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go (1)

100-113: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Bind the TLS proxy to loopback only.

Line 101 currently listens on all interfaces (:port), while this helper is explicitly localhost-only. That unnecessarily exposes the proxy outside the host.

Suggested fix
-		Addr: ":" + listen,
+		Addr: "127.0.0.1:" + listen,
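Review bot: "127.0.0.1:" + listen closes the all-interfaces exposure, but it also means a client that resolves localhost to ::1 first will be refused; since aicr is pointed at an https:// endpoint backed by an mkcert cert, make sure the URL handed to it (and the cert's SAN) uses 127.0.0.1 or a name that resolves to it, or add a second listener on [::1]. net.JoinHostPort("127.0.0.1", listen) also avoids the bare string concatenation.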
🤖 Prompt for AI Agents

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go`
around lines 100 - 113, The server is currently bound to all interfaces via Addr
":" + listen in the srv http.Server, which exposes the test TLS proxy
externally; change the binding to loopback-only (e.g. "127.0.0.1:"+listen or
"localhost:"+listen) in the srv initialization where Addr is set (and update the
log message using the same listen binding if needed) so the proxy only listens
on the local host; update references to listen/targetURL in that block (srv,
listen, targetURL, and the slog.Info call) to reflect the loopback binding.
tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh (1)

156-167: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

wait_url is not time-bounded per curl attempt.

Line 161 and Line 166 call curl without --connect-timeout/--max-time; one hung request can exceed the intended 90s window and stall the harness.

Suggested fix
-    if curl -fsS -o /dev/null "${url}" 2>/dev/null; then
+    if curl --connect-timeout 2 --max-time 4 -fsS -o /dev/null "${url}" 2>/dev/null; then
       return 0
     fi
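Review bot: with --connect-timeout 2 --max-time 4 on each of 45 attempts separated by 2s sleeps, the worst-case wall time is roughly 45 × (4 + 2) = 270s, not the ~90s window the comment cites; either lower --max-time to stay within that budget, or loop on a deadline (for example, compare $SECONDS against a start time) rather than on an attempt count so the window stays fixed no matter how long each attempt takes.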
@@
-  last="$(curl -sS -o /dev/null "${url}" 2>&1 || true)"
+  last="$(curl --connect-timeout 2 --max-time 4 -sS -o /dev/null "${url}" 2>&1 || true)"
🤖 Prompt for AI Agents

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh` around
lines 156 - 167, The wait_url function uses curl without per-attempt timeouts,
so a single hung request can exceed the intended ~90s polling window; update the
curl invocations inside wait_url (both the success-check curl and the final
diagnostic curl stored in last) to include sensible timeouts (e.g.,
--connect-timeout and --max-time) so each attempt is bounded, and ensure the
diagnostic curl uses the same timeouts when capturing the last error; adjust the
timeout values to keep total polling duration ≈90s given 45 attempts with 2s
sleeps.
🤖 Prompt for all review comments with AI agents

Inline comments:
In @.github/workflows/sigstore-scaffolding-e2e.yaml:
- Around line 133-145: The inline shell step "Install mkcert" (and similarly the
steps "Build aicr binary", "Locate binary and detect attestation", and "Run
private-sigstore e2e") must either be moved into a Layer-2 composite action or
be annotated with a one-line rationale above the run: block explaining why the
inline implementation is intentional (e.g., "inline by design / single-use: this
step contains short, non-reusable orchestration specific to this workflow and
extracting a composite would add indirection without reuse"). Update each
retained inline run to include that exact brief justification comment or
refactor the logic into a composite action to comply with the three-layer
composite actions architecture.

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/README.md`:
- Around line 3-52: The README uses the acronyms "OIDC" and "SA" without
defining them; update README.md to define these on first use (replace "OIDC"
with "OpenID Connect (OIDC)" and "SA" with "ServiceAccount (SA)" where they
first appear) and/or add a short "Terminology" section near the top defining
OIDC and SA (and optionally Fulcio and Rekor) so readers see full terms before
acronyms are reused.

---

Duplicate comments:
In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh`:
- Around line 156-167: The wait_url function uses curl without per-attempt
timeouts, so a single hung request can exceed the intended ~90s polling window;
update the curl invocations inside wait_url (both the success-check curl and the
final diagnostic curl stored in last) to include sensible timeouts (e.g.,
--connect-timeout and --max-time) so each attempt is bounded, and ensure the
diagnostic curl uses the same timeouts when capturing the last error; adjust the
timeout values to keep total polling duration ≈90s given 45 attempts with 2s
sleeps.

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go`:
- Around line 100-113: The server is currently bound to all interfaces via Addr
":" + listen in the srv http.Server, which exposes the test TLS proxy
externally; change the binding to loopback-only (e.g. "127.0.0.1:"+listen or
"localhost:"+listen) in the srv initialization where Addr is set (and update the
log message using the same listen binding if needed) so the proxy only listens
on the local host; update references to listen/targetURL in that block (srv,
listen, targetURL, and the slog.Info call) to reflect the loopback binding.

📥 Commits

Reviewing files that changed from the base of the PR and between 16cef8f and 90dd801.

📒 Files selected for processing (10)
  • .github/actions/load-versions/action.yml
  • .github/workflows/sigstore-scaffolding-e2e.yaml
  • .gitignore
  • .settings.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/README.md
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/oidc-discovery-rbac.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/scaffold-values.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go

@lockwobr lockwobr force-pushed the feat/sigstore-scaffolding-e2e branch from 90dd801 to e979436 on June 11, 2026 19:48

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Inline comments:
In
`@tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml`:
- Around line 183-185: Update the stale comment that references "grep" to
reflect the current `yq` JSON evaluation: replace the phrase "The grep above
fails (non-zero) on a checksum mismatch" with something like "The yq assertion
above fails (non-zero) on a checksum mismatch" so the comment next to the
checksum check (the comment describing why the checksum check is independent of
verify's exit code and the expected private-Rekor attestation failure)
accurately describes the `yq` assertion being used.

📥 Commits

Reviewing files that changed from the base of the PR and between 90dd801 and e979436.

📒 Files selected for processing (10)
  • .github/actions/load-versions/action.yml
  • .github/workflows/sigstore-scaffolding-e2e.yaml
  • .gitignore
  • .settings.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/README.md
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/oidc-discovery-rbac.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/scaffold-values.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go

@lockwobr lockwobr force-pushed the feat/sigstore-scaffolding-e2e branch 2 times, most recently from 8999c66 to ed8d0b5 on June 11, 2026 22:52

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Inline comments:
In @.github/actions/load-versions/action.yml:
- Around line 94-105: The composite action duplicates outputs named mkcert,
mkcert_sha256_linux_amd64, and mkcert_sha256_linux_arm64 (and their
corresponding echo assignments), which breaks action parsing; remove the
duplicated output entries and the duplicate echo/set-output assignments so each
output (scaffold_chart, mkcert, mkcert_sha256_linux_amd64,
mkcert_sha256_linux_arm64) is defined only once and populated only once from
steps.versions.outputs. Locate the repeated definitions of the mkcert* outputs
in the outputs block and the repeated echo lines (the second set around the
195-206/204-206 region) and delete the redundant entries to restore a single
canonical output assignment for each mkcert* symbol.

In `@tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh`:
- Around line 53-55: The script currently assumes goreleaser is present when
AICR_BIN is unset; update the build fallback to match the stated prerequisites
by checking for goreleaser and falling back to go build when goreleaser is
missing (or alternatively add a preflight check that ensures goreleaser is
installed before using it). Concretely, in the AICR_BIN unset branch (the block
that invokes goreleaser), replace the hard dependency with a conditional: if
command -v goreleaser >/dev/null then run goreleaser, else run go build (or set
an error with a clear message prompting installation), and also add a
corresponding preflight check for goreleaser where environment/tools are
verified so the script behavior and the “goreleaser or go” prereq list stay
aligned.

📥 Commits

Reviewing files that changed from the base of the PR and between 8999c66 and ed8d0b5.

📒 Files selected for processing (10)
  • .github/actions/load-versions/action.yml
  • .github/workflows/sigstore-scaffolding-e2e.yaml
  • .gitignore
  • .settings.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/README.md
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/chainsaw-test.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/oidc-discovery-rbac.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/run.sh
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/scaffold-values.yaml
  • tests/chainsaw/signing/bundle-attestation-private-sigstore/tlsproxy/main.go

@lockwobr lockwobr force-pushed the feat/sigstore-scaffolding-e2e branch from ed8d0b5 to a3756ac on June 11, 2026 23:48
Add an automated keyless-signing e2e for `aicr bundle --attest --fulcio-url
--rekor-url` against a self-hosted Sigstore stack, the second integration
test for the supply-chain epic (#1149). Resolves #1215.

Deploys the stack from the sigstore `scaffold` Helm chart (Fulcio + Rekor +
CTLog + Trillian) instead of sigstore/scaffolding's Knative + MetalLB + sslip.io
scripts, which are unreachable from a macOS/Colima host. The chart's plain
Deployment + ClusterIP services are reached via `kubectl port-forward`, so the
suite runs identically on macOS arm64 and Linux CI.

- run.sh: shared local+CI harness (kind, helm install, Fulcio OIDC trust,
  port-forward, TLS proxy, SA token mint, chainsaw, teardown).
- scaffold-values.yaml: trust the in-cluster Kubernetes ServiceAccount OIDC
  issuer; replace Trillian's EOL amd64-only MySQL 5.7 with the multi-arch
  official mysql image so the stack runs arm64-native (no OOM under emulation).
- oidc-discovery-rbac.yaml: grant anonymous access to the OIDC discovery
  endpoints Fulcio fetches.
- tlsproxy/: localhost TLS termination (aicr requires https:// endpoints);
  run.sh `go build`s it at runtime, the binary is not committed.
- sigstore-scaffolding-e2e.yaml: build + attest the binary, then invoke run.sh
  (id-token scoped to the job).
- Pin the scaffold chart in .settings.yaml and wire it through load-versions.

aicr verify cannot yet target the private Rekor (deferred to Phase 2, #1215),
so the verify step asserts only bundle checksums.
@lockwobr lockwobr force-pushed the feat/sigstore-scaffolding-e2e branch from a3756ac to 10d8add on June 11, 2026 23:59
@lockwobr lockwobr enabled auto-merge (squash) June 12, 2026 00:10
@lockwobr lockwobr merged commit 81c3fb0 into main Jun 12, 2026
33 of 34 checks passed
@lockwobr lockwobr deleted the feat/sigstore-scaffolding-e2e branch June 12, 2026 11:10