Use @EnabledIfOidcExists instead of several Gradle test tasks #147

Merged: 1 commit, Sep 15, 2022

Collaborator

@vlsi vlsi commented Sep 14, 2022

Summary

The idea is to keep a single test task only, which would make IDE UI easier: it won't ask "which of test, testGithubOidc, testManual tasks would you like to use to execute the test".

Release Note

NONE

Documentation

NONE

@vlsi vlsi force-pushed the enableifoidc branch 6 times, most recently from f3f7f7b to 8d11b76 Compare September 14, 2022 10:34
@vlsi
Collaborator Author

vlsi commented Sep 14, 2022

A side-effect is that ./gradlew build would attempt to execute the test with oidcprovider in (ANY, MANUAL).
I'm inclined to add a property like skipOidc to allow skipping OIDC flows when testing on a dev machine.

@loosebazooka
Member

LGTM, but I would like a way to disable manual testing locally (calling to sign in)

@vlsi
Collaborator Author

vlsi commented Sep 15, 2022

> disable manual testing locally

Run with -PskipOidc=true or add skipOidc=true to your $HOME/.gradle/gradle.properties.
Is that good enough?

PS https://docs.gradle.org/current/userguide/build_environment.html#sec:gradle_configuration_properties
PPS https://docs.gradle.org/current/userguide/build_environment.html#sec:project_properties

loosebazooka previously approved these changes Sep 15, 2022
Member

@loosebazooka loosebazooka left a comment

Do our actions need an update?

@vlsi
Collaborator Author

vlsi commented Sep 15, 2022

I'm inclined to add id-token: write to the regular ci.yaml

@loosebazooka
Member

So this will work because: id-token:write will never be accessible to an external PR? But those tests just won't run anyway because of these checks?

-PskipOidc command-line option could be used to skip OIDC tests.
skipOidc=true could be added to gradle.properties or $HOME/gradle.properties


Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
@loosebazooka
Member

loosebazooka commented Sep 15, 2022

> I'm inclined to add id-token: write to the regular ci.yaml

Id tokens are scoped to workflow, so there appears to be reduced risk if leaked.

@vlsi vlsi merged commit 80c21e5 into sigstore:main Sep 15, 2022
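
An added sketch, not sigstore-java's own code, of how a JUnit 5 condition behind an annotation like `@EnabledIfOidcExists` could gate OIDC tests, which is the kind of check the question above about jobs without `id-token: write` refers to. The `provider` attribute, the `GITHUB` value, the `skipOidc` system property and the `CI` check are assumptions; the two `ACTIONS_ID_TOKEN_REQUEST_*` variables are the ones GitHub Actions sets for jobs that hold that permission.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.junit.jupiter.api.extension.ConditionEvaluationResult;
import org.junit.jupiter.api.extension.ExecutionCondition;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.extension.ExtensionContext;
import org.junit.platform.commons.support.AnnotationSupport;

/** Hypothetical sketch: run a test only when an OIDC identity can be obtained. */
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@ExtendWith(EnabledIfOidcExists.Condition.class)
public @interface EnabledIfOidcExists {
  Provider provider() default Provider.ANY; // hypothetical attribute name

  enum Provider { ANY, GITHUB, MANUAL } // GITHUB is an assumed value

  class Condition implements ExecutionCondition {
    @Override
    public ConditionEvaluationResult evaluateExecutionCondition(ExtensionContext ctx) {
      // Assumption: the build forwards -PskipOidc=true to the test JVM as a system property.
      if (Boolean.getBoolean("skipOidc")) {
        return ConditionEvaluationResult.disabled("skipOidc=true");
      }
      // A method inside an annotated class falls back to ANY, which is never
      // stricter than the class-level check that already passed.
      Provider wanted = AnnotationSupport
          .findAnnotation(ctx.getElement(), EnabledIfOidcExists.class)
          .map(EnabledIfOidcExists::provider)
          .orElse(Provider.ANY);
      // GitHub Actions sets both variables only in jobs granted `id-token: write`.
      boolean github =
          isSet("ACTIONS_ID_TOKEN_REQUEST_URL") && isSet("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
      // Browser sign-in needs a person at the keyboard, so never attempt it on CI.
      boolean manual = !isSet("CI");
      boolean ok = wanted == Provider.GITHUB ? github
          : wanted == Provider.MANUAL ? manual : (github || manual);
      return ok
          ? ConditionEvaluationResult.enabled("OIDC provider available: " + wanted)
          : ConditionEvaluationResult.disabled("no OIDC provider available for " + wanted);
    }
    private static boolean isSet(String name) {
      String v = System.getenv(name);
      return v != null && !v.isEmpty();
    }
  }
}
```

With a condition of this shape, a job that was not granted the permission reports the GitHub-provider tests as skipped rather than failed, so the test report shows which runs exercised the OIDC flow.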