Comparing changes

This should ensure we're running the code in the PR rather than the code from main. Signed-off-by: Billy Lynch <billy@chainguard.dev>

This change adds logic to select the ref to checkout for events. By default pull_request_target will use the base branch as the target since it was originally intended for trusted workloads. However, we need to use this to have access to the OIDC creds for the e2e tests, so insert our own logic here. This is effectively a ternary of the form ${{ <condition> <true> || <false> }}. See https://docs.github.com/en/actions/learn-github-actions/expressions for more details. Signed-off-by: Billy Lynch <billy@chainguard.dev>

- Fixes attached signature verification to respect the same options as detached signatures. - Adds tests for attached signature verification. - Exports useful functions to allow other libraries to validate commits. - Adds package documentation for what should go into git vs signature packages (because if I was getting getting tripped up, other people will too). - Removed found signature / found tlog entry claims - I'm not sure how useful these are on their own, and my gut instinct is the yes / no for the validation is probably sufficient. - Changes smimesign output in verification info to gitsign. Signed-off-by: Billy Lynch <billy@chainguard.dev>

I was foolish thinking it was right the first time. Fixes the expression to actually be correct. Verified in a test repo. Signed-off-by: Billy Lynch <billy@chainguard.dev>

…on. (#53) Mostly a refactor to replace some of the cosign calls with their equivalent underlying implementations. Signed-off-by: Billy Lynch <billy@chainguard.dev>

This reimplements much of the behavior in https://github.com/sigstore/cosign/blob/v1.9.0/cmd/cosign/cli/fulcio/fulcio.go to remove the dependency on cosign for fulcio operations. We may want to upstream this library to sigstore/sigstore, but starting off here to get a feel for other changes we might want to make first. Signed-off-by: Billy Lynch <billy@chainguard.dev>

* Bump actions/cache from 3.0.2 to 3.0.3 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@48af2dc...30f413b) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * update version comment Signed-off-by: cpanato <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpanato <ctadeu@gmail.com>

Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump actions/cache from 3.0.3 to 3.0.4 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@30f413b...c3f1317) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * update version comment Signed-off-by: cpanato <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpanato <ctadeu@gmail.com>

* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@536b37e...7e0881f) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * update version comment Signed-off-by: cpanato <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpanato <ctadeu@gmail.com>

Signed-off-by: Josh Dolitsky <josh@dolit.ski>

* Export rekor package. This is used within pkg/git, so exporting the matching interface to stay consistent. - Removes separate Get/Verify funcs for a single Verify func. - Both Verify and Write now take in x509 certs instead of []byte. - Swap commit/sig params in Writer interface. Signed-off-by: Billy Lynch <billy@chainguard.dev>

* update/fix version flag Signed-off-by: cpanato <ctadeu@gmail.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comparing changes

Open a pull request

Commits on Jun 2, 2022

Commits on Jun 3, 2022

Commits on Jun 6, 2022

Commits on Jun 13, 2022

Commits on Jun 14, 2022

This comparison is taking too long to generate.

Uh oh!