I pressed the merge button by mistake in https://github.com/slsa-framework/slsa-verifier/pull/705. There were unresolved comments:

- https://github.com/slsa-framework/slsa-verifier/pull/705#discussion_r1342227323. I think this is covered by https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gha/npm_test.go#L801 in unit tests, but it's missing from the regression tests. I think the main problem here is that to test it, we need to be able to publish a package with the correct version and package name, but a different hash. I don't think it's actually possible. We don't explicitly verify package name and version in the regression tests; we verify signature mismatch. Ideas?
- https://github.com/slsa-framework/slsa-verifier/pull/705#discussion_r1342228689 needs to be updated.

@trishankatdatadog @ianlewis
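As an added illustration (not slsa-verifier's own code), the subject check being discussed, driven by a constructed attestation body so that the "right name and version, wrong tarball hash" case can be exercised without publishing anything. The `pkg:npm/...` purl encoding of the subject name, the `Subject` model and the helper names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/url"
)

// Subject is a minimal in-toto Statement subject model (added here, not the project's types).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

var ErrSubjectNotFound = errors.New("no subject matches package name and version")
var ErrDigestMismatch = errors.New("name and version match but sha512 digest differs")

// npmPurl builds the subject name in the purl form assumed here, e.g. pkg:npm/%40example%2Fpkg@1.2.3.
func npmPurl(name, version string) string {
	return "pkg:npm/" + url.QueryEscape(name) + "@" + version
}

// ConstructedStatement is a sample attestation body for @example/pkg@1.2.3 carrying the given digest.
func ConstructedStatement(digest string) []byte {
	b, _ := json.Marshal(map[string]any{"subject": []Subject{{
		Name: npmPurl("@example/pkg", "1.2.3"), Digest: map[string]string{"sha512": digest}}}})
	return b
}

// VerifySubject tells "wrong name or version" apart from "right name and version,
// wrong tarball hash"; the second case needs no real publish to exercise.
func VerifySubject(stmtJSON []byte, name, version, tarballSHA512 string) error {
	var st struct {
		Subject []Subject `json:"subject"`
	}
	if err := json.Unmarshal(stmtJSON, &st); err != nil {
		return err
	}
	for _, s := range st.Subject {
		if s.Name == npmPurl(name, version) {
			if s.Digest["sha512"] == tarballSHA512 {
				return nil
			}
			return ErrDigestMismatch
		}
	}
	return ErrSubjectNotFound
}
```

The digests passed in (for example `"aa11"` versus `"bb22"`) are constructed placeholders, not real sha512 values; a caller would compute the real digest over the fetched tarball.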