Update verification results printing by malancas · Pull Request #9937 · cli/cli · GitHub

Update verification results printing#9937

Merged
phillmv merged 15 commits into
cli:trunkfrom
malancas:verify-result-processing
Nov 22, 2024

Conversation

@malancas

@malancas malancas commented Nov 19, 2024

Contributor

Improve how we filter attestations shown as verification results to the user cc #9850

Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>

@phillmv phillmv left a comment

Contributor

I still need to read over the tests, but here is a prelim comment.

Comment thread pkg/cmd/attestation/verification/extensions.go Outdated
malancas and others added 9 commits November 20, 2024 12:46
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>

@phillmv phillmv left a comment

Contributor

I approve of the shape of this PR, and I have only not clicked Approve because I think we should improve some comments (see my feedback).

Comment thread pkg/cmd/attestation/verify/attestation_integration_test.go Outdated

Contributor

Ideally I'd like to check that the rwfResult is specifically the one being excluded. Can we do an array comparison for sgjAttestation[0] and sgjAttestation[1]?

return &MockSigstoreVerifier{t, mockResults}
}

func NewDefaultMockSigstoreVerifier(t *testing.T) *MockSigstoreVerifier {

Contributor

Food for thought / not high priority suggestion: considering the nature of this change I'd invert this: NewMockSigstoreVerifierWithMockResults, so we don't modify every other usage of it / I feel like it's harder to reason about what the Default Mock is.

Contributor Author

Agreed, we can definitely iterate on this one

// if at least one attestation is verified, we're good as verification
// is defined as successful if at least one attestation is verified
return nil
if err := verifyCertExtensions(*attestation.VerificationResult.Signature.Certificate, ec.Certificate); err != nil {

Contributor

Yesterday we had a conversation where we realized it's not obvious WHY we verifyCertExtensions separately from the CertificateIdentity provided in sigstore-go (and frankly, maybe we should just upstream how we've done it here) and, after some mild effort, we discovered it's so we can support case insensitivity around repo & owner names.

Given that conversation, let's add a wee comment to func verifyCertExtensions denoting that: "this func exists so we can do case insensitive comparisons".
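The behaviour discussed in this thread, as an added example that is not code from cli/cli or sigstore-go: a verifyCertExtensions that compares owner and repository URIs case-insensitively (and the issuer exactly), plus a filter that keeps only the attestations that pass and treats verification as successful when at least one remains, so the rwfResult from the earlier test comment is the one excluded. The CertExtensions and VerificationResult types are assumed stand-ins for the sigstore-go certificate summary and verification output, and every URI and result label is constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CertExtensions is an assumed stand-in for the certificate extension summary
// that sigstore-go derives from a Fulcio signing certificate. Only the fields
// this example needs are modelled; the real type carries more.
type CertExtensions struct {
	Issuer                   string
	SourceRepositoryOwnerURI string
	SourceRepositoryURI      string
}

// VerificationResult is an assumed stand-in for one attestation's Sigstore
// verification output: a constructed label plus the extensions of the
// certificate that signed the attestation.
type VerificationResult struct {
	Name string
	Cert CertExtensions
}

// verifyCertExtensions compares the extensions of the certificate that signed
// an attestation against the values the user asked for. This func exists so we
// can do case-insensitive comparisons of the owner and repository URIs (GitHub
// owner and repo names are case-insensitive); an exact-match identity check
// would reject "Example-Org" against "example-org". The OIDC issuer is still
// compared exactly, since case-folding it would weaken that check.
func verifyCertExtensions(given, expected CertExtensions) error {
	if expected.Issuer != "" && given.Issuer != expected.Issuer {
		return fmt.Errorf("expected Issuer %q, got %q", expected.Issuer, given.Issuer)
	}
	if expected.SourceRepositoryOwnerURI != "" &&
		!strings.EqualFold(given.SourceRepositoryOwnerURI, expected.SourceRepositoryOwnerURI) {
		return fmt.Errorf("expected SourceRepositoryOwnerURI %q, got %q",
			expected.SourceRepositoryOwnerURI, given.SourceRepositoryOwnerURI)
	}
	if expected.SourceRepositoryURI != "" &&
		!strings.EqualFold(given.SourceRepositoryURI, expected.SourceRepositoryURI) {
		return fmt.Errorf("expected SourceRepositoryURI %q, got %q",
			expected.SourceRepositoryURI, given.SourceRepositoryURI)
	}
	return nil
}

// filterVerified keeps only the results whose certificate extensions match and
// drops the rest. Verification is defined as successful if at least one
// attestation is verified, so an error is returned only when nothing survives;
// the last per-attestation error is wrapped so the user sees why.
func filterVerified(results []VerificationResult, expected CertExtensions) ([]VerificationResult, error) {
	var kept []VerificationResult
	var lastErr error
	for _, r := range results {
		if err := verifyCertExtensions(r.Cert, expected); err != nil {
			lastErr = fmt.Errorf("%s: %w", r.Name, err)
			continue
		}
		kept = append(kept, r)
	}
	if len(kept) == 0 {
		if lastErr == nil {
			lastErr = errors.New("no attestations were provided")
		}
		return nil, fmt.Errorf("no attestation passed certificate extension verification: %w", lastErr)
	}
	return kept, nil
}

// sampleResults is constructed data shaped like the test the reviewer
// describes: two attestations signed from the expected repository (the second
// with mixed-case owner/repo) and one from a reusable workflow in another
// repository that must be excluded. Field order is Issuer, owner URI, repo URI.
func sampleResults() []VerificationResult {
	const issuer = "https://token.actions.githubusercontent.com"
	return []VerificationResult{
		{Name: "sgjAttestation[0]", Cert: CertExtensions{issuer,
			"https://github.com/example-org", "https://github.com/example-org/example-repo"}},
		{Name: "sgjAttestation[1]", Cert: CertExtensions{issuer,
			"https://github.com/Example-Org", "https://github.com/Example-Org/Example-Repo"}},
		{Name: "rwfResult", Cert: CertExtensions{issuer,
			"https://github.com/other-org", "https://github.com/other-org/reusable-workflows"}},
	}
}

func main() {
	expected := CertExtensions{
		Issuer:                   "https://token.actions.githubusercontent.com",
		SourceRepositoryOwnerURI: "https://github.com/example-org",
		SourceRepositoryURI:      "https://github.com/example-org/example-repo",
	}
	kept, err := filterVerified(sampleResults(), expected)
	if err != nil {
		fmt.Println("verification failed:", err)
		return
	}
	for _, r := range kept {
		fmt.Println("verified:", r.Name) // prints the two sgjAttestation entries; rwfResult is dropped
	}
}
```

Running it prints the two sgjAttestation results and omits rwfResult; pointing `expected` at an owner no attestation was signed for makes filterVerified return the wrapped mismatch error, which is the "nothing verified" case the result printing has to report.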

malancas and others added 2 commits November 21, 2024 15:20
Co-authored-by: Phill MV <phillmv@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas malancas marked this pull request as ready for review November 21, 2024 22:31
@malancas malancas requested a review from a team as a code owner November 21, 2024 22:31
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label Nov 21, 2024

Signed-off-by: Meredith Lancaster <malancas@github.com>

@phillmv phillmv left a comment

Contributor

Nice!

@phillmv phillmv merged commit f84c1c6 into cli:trunk Nov 22, 2024
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 28, 2024
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cli/cli](https://github.com/cli/cli) | minor | `v2.62.0` -> `v2.63.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>cli/cli (cli/cli)</summary>

### [`v2.63.0`](https://github.com/cli/cli/releases/tag/v2.63.0): GitHub CLI 2.63.0

[Compare Source](cli/cli@v2.62.0...v2.63.0)

#### What's Changed

-   Support bare repo creation by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#9905
-   Refactor the `getAttestations` functions by [@&#8203;malancas](https://github.com/malancas) in cli/cli#9892
-   Added a section on manual verification of the releases. by [@&#8203;kommendorkapten](https://github.com/kommendorkapten) in cli/cli#9936
-   Adding option to return `baseRefOid` in `pr view` by [@&#8203;daliusd](https://github.com/daliusd) in cli/cli#9938
-   Update verification results printing by [@&#8203;malancas](https://github.com/malancas) in cli/cli#9937
-   Fix some multiline command documentation to use `heredoc` strings by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#9948
-   Print friendly error when `release create` fails due to missing `workflow` OAuth scope by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#9791

**Full Changelog**: cli/cli@v2.62.0...v2.63.0

#### Security

-   A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.

    For more information, see GHSA-jwcm-9g39-pmcw

#### New Contributors

-   [@&#8203;daliusd](https://github.com/daliusd) made their first contribution in cli/cli#9938

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@malancas malancas deleted the verify-result-processing branch December 3, 2024 20:32