A collection of reusable GitHub Actions workflows used in a demo on automated governance.
See the demo application README for more information.
Integration tests for the reusable workflows exist under test/.
To run locally, you'll need to install:
⚠️ WARNING: The tests run cosign initialize, so if you have a custom TUF root configured, it will be temporarily replaced with the TUF root for Sigstore's staging environment. The tests attempt to save the existing TUF root in ~/.sigstore-backup before running and restore it afterwards. If the tests fail to restore the custom root, you can remove the staging root and restore the backup by running rm -rf ~/.sigstore and then mv ~/.sigstore-backup ~/.sigstore. If you're not using a custom TUF root, deleting the ~/.sigstore directory should suffice.
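The manual recovery from the warning above, written as shell helpers with a pre-flight check for a backup that a failed run left behind. This is an added example, not part of this repository; the function names and the SIGSTORE_DIR / SIGSTORE_BACKUP overrides are assumptions, and it does not call cosign.

```shell
# Added example: helper names and the two override variables are assumptions;
# the default paths are the ones named in the warning above.
SIGSTORE_DIR="${SIGSTORE_DIR:-$HOME/.sigstore}"
SIGSTORE_BACKUP="${SIGSTORE_BACKUP:-$HOME/.sigstore-backup}"

# Report the state a previous test run left behind.
#   stale-backup : a backup exists, so the saved root was never restored
#   root-present : no backup; the sigstore directory holds the current root
#   clean        : neither directory exists
sigstore_root_state() {
    if [ -e "$SIGSTORE_BACKUP" ]; then
        echo stale-backup
    elif [ -e "$SIGSTORE_DIR" ]; then
        echo root-present
    else
        echo clean
    fi
}

# Manual recovery: drop the staging root and move the saved root back.
# Without a backup this refuses to delete anything, because the directory
# may already hold a correctly restored custom root.
restore_sigstore_root() {
    if [ ! -d "$SIGSTORE_BACKUP" ]; then
        echo "no backup at $SIGSTORE_BACKUP; nothing to restore" >&2
        return 1
    fi
    rm -rf "$SIGSTORE_DIR" && mv "$SIGSTORE_BACKUP" "$SIGSTORE_DIR"
}

# Pre-flight guard: refuse to start while an unrestored backup is present, so
# a new run cannot replace the saved root (a precaution added here, not
# documented behaviour of the tests).
preflight_sigstore() {
    if [ "$(sigstore_root_state)" = stale-backup ]; then
        echo "unrestored backup at $SIGSTORE_BACKUP; run restore_sigstore_root" >&2
        return 1
    fi
}
```

Source the file, run preflight_sigstore before npm test, and call restore_sigstore_root if it reports an unrestored backup.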
Fork https://github.com/liatrio/gh-trusted-builds-workflows-integration-tests to a personal account. This is a fixture repository in which the workflows under test will run.
Create a GitHub personal access token. Using the GitHub CLI is recommended, as it makes it easier to create a token with the proper scopes and to provide the token to the tests securely.
gh auth login -s read:packages
Install npm dependencies: npm i
GITHUB_TOKEN=$(gh auth token) npm test