integration test for signing w/ GH Sigstore

Signed-off-by: Brian DeHamer <[email protected]>
github-early-access · Nov 18, 2023 · 9ed906e · 9ed906e
1 parent 06e38be
commit 9ed906e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -118,3 +118,23 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
+
+  test-action-private:
+    name: GitHub Actions Test (Private)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Test Local Action
+        id: test-action
+        uses: ./
+        with:
+          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+          subject-name: 'subject'
+          private: 'true'
diff --git a/src/main.ts b/src/main.ts
@@ -16,11 +16,14 @@ const COLOR_DEFAULT = '\x1B[39m'
  */
 export async function run(): Promise<void> {
   // Provenance visibility will be public ONLY if we can confirm that the
-  // repository is public. Otherwise, it will be private.
+  // repository is public AND the undocumented "private" arg is NOT set to true.
+  // Otherwise, it will be private.
   const visibility =
-    github.context.payload.repository?.visibility === 'public'
+    github.context.payload.repository?.visibility === 'public' &&
+    core.getInput('private') !== 'true'
       ? 'public'
       : 'private'
+
   core.debug(`Provenance attestation visibility: ${visibility}`)
 
   try {