TUF conformance

.github/workflows/ci.yml

@@ -12,13 +12,14 @@ jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
     with:
-      engine: cruby-truffleruby # TODO: change to all when jruby is supported
+      engine: all
       min_version: 3.0
 
   test:
     needs: ruby-versions
     runs-on: ${{ matrix.os }}
-    name: Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    name: Test Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    continue-on-error: ${{ startsWith(matrix.ruby, 'jruby') }}
     strategy:
       fail-fast: false
       matrix:
@@ -41,17 +42,54 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
+
       - name: Run the tests
         run: bin/rake test
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: sigstore/sigstore-ruby
+
+  sigstore-conformance:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    continue-on-error: ${{ startsWith(matrix.ruby, 'jruby') }}
+    name: Sigstore Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+        # os: [ ubuntu-latest, macos-latest, windows-latest ]
+        # include:
+        #   - { os: windows-latest, ruby: ucrt }
+        #   - { os: windows-latest, ruby: mingw }
+        #   - { os: windows-latest, ruby: mswin }
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
       - name: Run the conformance tests
-        uses: sigstore/sigstore-conformance@52311dc3b1d7aba6fb2c4b468791fbb119e7f022
+        uses: sigstore/sigstore-conformance@bcbeee6cda143ee50f852f22a96162b111bf8a71
         with:
           entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
           xfail: "${{ matrix.ruby != 'head' && 'test_verify_rejects_bad_tsa_timestamp' }}"
           skip-signing: true
         if: ${{ matrix.os }} == "ubuntu-latest"
       - name: Run the conformance tests against staging
-        uses: sigstore/sigstore-conformance@52311dc3b1d7aba6fb2c4b468791fbb119e7f022
+        uses: sigstore/sigstore-conformance@bcbeee6cda143ee50f852f22a96162b111bf8a71
         with:
           entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
           xfail: "${{ matrix.ruby != 'head' && 'test_verify_rejects_bad_tsa_timestamp' }}"
@@ -65,11 +103,59 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: sigstore/sigstore-ruby
 
+  tuf-conformance:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    name: TUF Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
+    continue-on-error: "${{ startsWith(matrix.ruby, 'jruby') || (matrix.ruby == '3.0') }}"
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        os: [ubuntu-latest]
+        # os: [ ubuntu-latest, macos-latest, windows-latest ]
+        # include:
+        #   - { os: windows-latest, ruby: ucrt }
+        #   - { os: windows-latest, ruby: mingw }
+        #   - { os: windows-latest, ruby: mswin }
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Touch requirements.txt
+        run: touch requirements.txt
+
+      - name: Run the TUF conformance tests
+        uses: theupdateframework/tuf-conformance@94bcfb2b21c3dec514cbc0ba2afd225f2c5eb6d7
+        with:
+          entrypoint: ${{ github.workspace }}/bin/tuf-conformance-entrypoint
+          artifact-name: "test repositories ${{ matrix.ruby }} ${{ matrix.os }}"
+        if: |
+          ${{ matrix.os }} == "ubuntu-latest" && ${{ matrix.ruby }} != "3.0"
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: sigstore/sigstore-ruby
+
   all-tests-pass:
     if: always()
 
     needs:
       - test
+      - sigstore-conformance
+      - tuf-conformance
 
     runs-on: ubuntu-latest
 
@@ -85,6 +171,7 @@ jobs:
           jobs: ${{ toJSON(needs) }}
 
   lint:
+    needs: ruby-versions
     runs-on: ubuntu-latest
     name: Lint
     steps:
@@ -97,7 +184,7 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
         with:
-          ruby-version: "3.3.1"
+          ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
           bundler-cache: true
       - name: Run the linter
         run: bin/rubocop

.gitleaksignore

@@ -0,0 +1,4 @@
+data/_store/staging/root.json:generic-api-key:20
+data/_store/staging/root.json:generic-api-key:24
+data/_store/staging/root.json:generic-api-key:28
+data/_store/staging/root.json:generic-api-key:32

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+    rev: v8.18.4
     hooks:
       - id: gitleaks
   - repo: https://github.com/jumanjihouse/pre-commit-hooks

Gemfile.lock

@@ -147,4 +147,4 @@ CHECKSUMS
   webmock (3.23.1) sha256=0fa738c0767d1c4ec8cc57f6b21998f0c238c8a5b32450df1c847f2767140d95
 
 BUNDLED WITH
-   2.5.10
+   2.5.16

Rakefile

@@ -48,10 +48,22 @@ namespace :conformance do
   task setup: "test/sigstore-conformance/env/pyvenv.cfg" # rubocop:disable Rake/Desc
 end
 
+task :find_action_versions do # rubocop:disable Rake/Desc
+  require "yaml"
+  gh = YAML.load_file(".github/workflows/ci.yml")
+  actions = gh.fetch("jobs").flat_map { |_, job| job.fetch("steps", []).filter_map { |step| step.fetch("uses", nil) } }
+              .uniq.map { |x| x.split("@", 2) }
+              .group_by(&:first).transform_values { |v| v.map(&:last) }
+  raise "conflicts: #{actions.select { |_, v| v.size > 1 }.inspect}" if actions.any? { |_, v| v.size > 1 }
+
+  @action_versions = actions.transform_values(&:first)
+end
+
 task test: %w[sigstore_conformance]
 
 desc "Update the vendored data files"
 task :update_data do
+  require "sigstore"
   require "sigstore/trusted_root"
   {
     prod: Sigstore::TUF::DEFAULT_TUF_URL,
@@ -69,7 +81,8 @@ end
 require "open3"
 
 class GitRepo < Rake::Task
-  attr_accessor :path, :url, :commit
+  attr_accessor :path, :url
+  attr_writer :commit
 
   include FileUtils
 
@@ -96,7 +109,7 @@ class GitRepo < Rake::Task
     head.strip!
     return true if status.success? && head == commit
 
-    desired, status = Open3.capture2(*%w[git rev-parse], "#{commit}^{commit}", chdir: path)
+    desired, status = Open3.capture2(*%w[git rev-parse], "#{commit}^{commit}", "--", chdir: path)
     desired.strip!
     status.success? && desired == head
   end
@@ -113,23 +126,34 @@ class GitRepo < Rake::Task
 
     sh "git", "-C", path, "switch", "--detach", commit do |ok, _|
       unless ok
-        sh "git", "-C", path, "fetch", "origin", commit
+        sh "git", "-C", path, "fetch", "origin", "#{commit}:#{commit}"
         sh "git", "-C", path, "switch", "--detach", commit
       end
     end
   end
+
+  def commit
+    case @commit
+    when String
+      @commit
+    when ->(c) { c.respond_to?(:call) }
+      @commit.call
+    else
+      raise "unexpected commit type: #{@commit.inspect}"
+    end
+  end
 end
 
-GitRepo.define_task(:sigstore_conformance).tap do |task|
+GitRepo.define_task(sigstore_conformance: %w[find_action_versions]).tap do |task|
   task.path = "test/sigstore-conformance"
   task.url = "https://github.com/sigstore/sigstore-conformance.git"
-  task.commit = "52311dc3b1d7aba6fb2c4b468791fbb119e7f022"
+  task.commit = -> { @action_versions.fetch("sigstore/sigstore-conformance") }
 end
 
-GitRepo.define_task(:tuf_conformance).tap do |task|
+GitRepo.define_task(tuf_conformance: %w[find_action_versions]).tap do |task|
   task.path = "test/tuf-conformance"
-  task.url = "https://github.com/jku/tuf-conformance.git"
-  task.commit = "b938daaea0e3a9b4cc5c5d743954be6a6ae32893"
+  task.url = "https://github.com/theupdateframework/tuf-conformance.git"
+  task.commit = -> { @action_versions.fetch("theupdateframework/tuf-conformance") }
 end
 
 namespace :tuf_conformance do

bin/conformance-entrypoint

@@ -13,6 +13,11 @@ tmp = Dir.mktmpdir
 require "simplecov"
 SimpleCov.command_name "conformance:#{Digest::SHA256.hexdigest ARGV.join(" ")}"
 load File.expand_path("../.simplecov", __dir__)
+SimpleCov::Formatter::HTMLFormatter.module_eval do
+  def puts(...)
+    # Suppress output
+  end
+end
 
 ENV.update(
   "HOME" => tmp,

bin/tuf-conformance-entrypoint

@@ -28,15 +28,28 @@ OptionParser.new do |parser|
   parser.on("--target-base-url U") do |v|
     args << "--target-base-url" << v
   end
+  parser.on("--target-name N") do |v|
+    args << v
+  end
 end.parse!
 
 require "simplecov"
 SimpleCov.command_name "tuf-conformance:#{Digest::SHA256.hexdigest ARGV.map { |a|
   a.sub(tmp, "$TMPDIR")
 }.join(" ")}"
 load File.expand_path("../.simplecov", __dir__)
+SimpleCov::Formatter::HTMLFormatter.module_eval do
+  def puts(...)
+    # Suppress output
+  end
+end
 
 command = ARGV.shift
 
 ARGV.unshift "sigstore_tuf_#{command.tr("-", "_")}", *args
-Gem::GemRunner.new.run ARGV.clone
+begin
+  Gem::GemRunner.new.run ARGV.clone
+rescue Gem::SystemExitException => e
+  # For rubygems < 3.3.0
+  exit e.exit_code
+end