fix(verify): improves user feedback in verify command #22
```yaml
name: Conda Witness Integration Test

on:
  workflow_dispatch:
  push:
    branches:
      - feat/conda-witness
    paths:
      - ".github/workflows/conda-witness-integration-test.yml"
      - "Makefile"

permissions:
  contents: read
  id-token: write # For Sigstore signing

jobs:
  integration-test:
    name: Test Conda + Witness Integration
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install Dependencies
        run: make conda-deps

      - name: Setup Conda and Witness
        run: make conda-setup

      # =========================================================
      # Build Conda Package WITH Witness Attestation
      # =========================================================
      - name: Build Conda with Attestations
        run: make conda-build-attested

      - name: Create and Sign Verification Policy
        run: make conda-sign-policy

      # =========================================================
      # Verify the Built Conda Package with Witness Attestation
      # =========================================================
      - name: Verify Built Package with Conda Verify
        run: make conda-verify

      - name: Test Conda Verify Command
        run: |
          # Test that the conda verify command works without installing the package
          # This uses the local source code via PYTHONPATH
          export PYTHONPATH="${PWD}:${PYTHONPATH}"
          python -m conda.cli.main verify --help
          echo "✓ Conda verify command is working"

      - name: Create Test Summary
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" << 'EOF'
          ## 🎉 Conda + Witness Integration Test Results

          ### ✅ Build Phase
          - Conda package built successfully with witness attestation
          - Build process captured in verifiable attestation
          - Attestation signed using GitHub OIDC via Sigstore/Fulcio (keyless signing)
          - Cryptographically bound to this specific GitHub Actions workflow run

          ### ✅ Verification Phase
          - Built package verified using `conda verify` command
          - Attestation validated against policy
          - Supply chain integrity confirmed

          ### 🔐 Security Features
          - **Keyless Signing**: No private keys to manage or leak
          - **Identity-based**: Tied to GitHub Actions OIDC token
          - **Non-repudiable**: Proves this exact workflow built the package
          - **Transparent**: Certificate logged to Rekor transparency log

          ### 📦 Artifacts
          EOF
          echo "- Package: $(ls dist/*.whl)" >> "$GITHUB_STEP_SUMMARY"
          echo "- Attestation: conda-build.attestation.json" >> "$GITHUB_STEP_SUMMARY"
          echo "- Policy: build-policy-signed.yaml" >> "$GITHUB_STEP_SUMMARY"

      - name: Upload Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: integration-test-artifacts
          path: |
            dist/
            *.json
            *.yaml
            *.txt
            *.pub
```
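One caveat a reviewer would raise about the "Create Test Summary" step above: `echo "- Package: $(ls dist/*.whl)"` never fails, because the exit status of a command substitution inside `echo` is discarded. If the build produced no package, the summary still reports a successful build with an `ls` error message in place of the file name. The following is an added example, not code from the PR or the project, of a fail-closed pre-check that could run before the summary is written. It assumes the artifact names the workflow itself refers to (`dist/*.whl`, `conda-build.attestation.json`, `build-policy-signed.yaml`); the function names `require_artifacts` and `write_summary` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify that every artifact the summary step will name actually
# exists and is non-empty, so a missing output aborts the job instead of being
# reported as success. File names are taken from the workflow; function names
# are assumptions for this example.
set -eu

# require_artifacts DIR
# Returns 0 only when DIR holds a built package (dist/*.whl), the attestation
# and the signed policy, each non-empty. Otherwise lists what is missing on
# stderr and returns 1.
require_artifacts() {
  local dir="$1"
  local missing=0
  local pkg
  # The workflow globs dist/*.whl, so check for exactly that.
  pkg=$(find "$dir/dist" -maxdepth 1 -type f -name '*.whl' 2>/dev/null | head -n 1 || true)
  if [ -z "$pkg" ] || [ ! -s "$pkg" ]; then
    echo "missing: package (dist/*.whl)" >&2
    missing=1
  fi
  for f in conda-build.attestation.json build-policy-signed.yaml; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing: $f" >&2
      missing=1
    fi
  done
  return "$missing"
}

# write_summary DIR OUTFILE
# Appends the artifact list to OUTFILE (GITHUB_STEP_SUMMARY in CI), but only
# after require_artifacts succeeds; on failure nothing is written and the
# caller sees a non-zero status.
write_summary() {
  local dir="$1"
  local out="$2"
  local pkg
  require_artifacts "$dir" || return 1
  pkg=$(find "$dir/dist" -maxdepth 1 -type f -name '*.whl' | head -n 1)
  {
    echo "### Artifacts"
    echo "- Package: $(basename "$pkg")"
    echo "- Attestation: conda-build.attestation.json"
    echo "- Policy: build-policy-signed.yaml"
  } >> "$out"
}
```

In the workflow this would replace the three `echo ... >> "$GITHUB_STEP_SUMMARY"` lines with `write_summary "$PWD" "$GITHUB_STEP_SUMMARY"`, so the step fails, and the job goes red, whenever the package, attestation or signed policy is absent.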