Closed flavio closed 1 year ago
(I've monitored this since I was the one that merged https://github.com/kubewarden/allow-privilege-escalation-psp-policy/pull/40 without performing manual testing myself)
It seems that right now the problem is missing permissions for cosign, even if we only sign blobs that get uploaded to GHA artifacts, because of the reusable build policy workflow. The fix should be: https://github.com/kubewarden/verify-image-signatures/blob/bf2c7252ee8e0e768304a04633ac16412a9e4031/.github/workflows/release.yml#L24-L25
I've changed the code to install only kwctl. This time it should work, but then fail with the e2e errors you reported on the other issue.
It seems it's not enough. The reusable GHA policy-build-rust builds, signs via cosign, and uploads the signature artifacts to the workflow artifacts:
https://github.com/kubewarden/github-actions/blob/v1/policy-build-rust/action.yaml#L51-L64
I'm ok with that signing. An option would be to add a new `sign` input var to that GHA policy-build-rust, defaulting to `true`. And we set it to `false` when using the workflow just for e2e tests.
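The `sign` input idea from the comment above, sketched as an added example. This is not the real `kubewarden/github-actions/policy-build-rust` definition nor any file from this repository: the input name `sign`, the step names, the build target and the `make e2e-tests` target are assumptions made for illustration. The point it shows is that composite-action inputs are always strings, so the signing step must compare against `'true'` rather than test the input directly, and that keyless cosign in the release workflow needs `id-token: write`, which an e2e-only run does not have to grant.

```yaml
# --- action.yaml of a hypothetical composite action (illustrative only) ---
name: policy-build-rust
inputs:
  sign:
    description: "Sign the built policy with cosign and upload the signature"
    required: false
    default: "true"          # composite-action inputs are strings, never booleans
runs:
  using: composite
  steps:
    - name: Build policy
      shell: bash
      # build target is an assumption; the real action's build step may differ
      run: cargo build --release --target wasm32-wasip1

    - name: Sign policy with cosign (keyless)
      # Compare against the string 'true'. A plain `if: ${{ inputs.sign }}`
      # would still run when the caller passes the string "false".
      if: inputs.sign == 'true'
      shell: bash
      run: |
        cosign sign-blob --yes \
          --output-signature policy.wasm.sig \
          target/wasm32-wasip1/release/policy.wasm

    - name: Upload signature
      if: inputs.sign == 'true'
      uses: actions/upload-artifact@v4
      with:
        name: policy-signature
        path: policy.wasm.sig

---
# --- e2e workflow: run on every PR, build without signing (illustrative) ---
name: e2e
on: pull_request
permissions:
  contents: read             # no id-token needed, because nothing is signed
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kubewarden/github-actions/policy-build-rust@v1
        with:
          sign: "false"      # quoted: the action receives it as a string
      - run: make e2e-tests  # hypothetical target running the policy's e2e suite

---
# --- release workflow: signing enabled, OIDC token granted (illustrative) ---
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write            # required for keyless cosign signing
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kubewarden/github-actions/policy-build-rust@v1
        # `sign` left at its default of "true"
```

Quoting `"false"` in the caller is deliberate: an unquoted YAML `false` is still delivered to a composite action as the string `false`, which is why the explicit `== 'true'` comparison in the action is the only reliable switch.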
The policy now has e2e tests. We should run these tests on each PR.