Closed jku closed 6 months ago
Adding --staging
works for me, but thinking even more generally: it'd be nice to make this parametric, i.e. allow every test to run on both staging and production (if supported by the client).
(But that's a more generic, long-term thought. I'm okay with having this be one-off for now.)
I can add a staging flag into the java "cli".
I also think it might make sense to run this on a cron (if people aren't already). Currently java only runs it on PRs.
I also think it might make sense to run this on a cron (if people aren't already). Currently java only runs it on PRs.
Agreed -- I believe we run it on a schedule on sigstore-python
, and it's helped us with regressions/availability issues before!
I'm reopening since the staging support is not really usable yet.
I have a plan that allows us to get to running staging tests soon but is still compatible with the idea of running "the whole suite" against testing. This plan assumes the workflows running the suite will add a new step (essentially will run the action a second time for staging).
--staging
--staging
in the command line--staging
in action.py--staging
sigstore sign --staging
instead of the correct sigstore --staging sign
staging: true
After these steps we'll know the staging support works, can maybe improve cli_protocol.md a bit and then ask client devs to implement --staging
in their conformance clients and add the new workflow step.
@woodruffw how does this sound?
This plan assumes the workflows running the suite will add a new step (essentially will run the action a second time for staging).
I suppose alternatively action.py could call pytest twice if --staging
is given to it, once with staging and once with prod.
currently all tests supposedly run against staging: this does not actually work as all of the embedded assets are for production infra
I believe sigstore-go, sigstore-java, sigstore-js, and sigstore-python all now support providing a custom trust root, so an alternative here would be to ensure the tests with embedded assets include a trust root for production, if they don't currently have one.
I suppose alternatively action.py could call pytest twice if
--staging
is given to it, once with staging and once with prod.
I slightly prefer this, as a matter of keeping changes/configuration effort on each downstream's CI to a minimum. Otherwise your proposal SGTM @jku!
I believe sigstore-go, sigstore-java, sigstore-js, and sigstore-python all now support providing a custom trust root, so an alternative here would be to ensure the tests with embedded assets include a trust root for production, if they don't currently have one.
We aren't quite there yet on the sigstore-python side yet, unfortunately: https://github.com/sigstore/sigstore-python/issues/821
(Taking a step back: I suppose we need to define how --staging
and --trusted-root
will interact in the conformance suite. We could say that they're mutually exclusive, I think?)
Supporting trusted-root
seems like a good plan but since AFAIK that is not possible for a signing client at the moment, I think that's a future feature.
Current plan is for enable-staging
to be an "additional feature" (in other words enable-staging=true
does not disable testing production). With trusted-root
that's probably different: I would expect staging and production to not be tested in that case, just the infrastructure defined by the trustedroot.
It eould be useful if this project also ensured that the client works with current staging infra:
There might be several ways to accomplish this but a simple one might be to
--staging
flag to the client-under-test CLI spectest_simple_staging()
that does exactly whattest_simple()
does but against stagingcc @loosebazooka