e2e.yml

name: End-to-End Testing

on:
  pull_request:
  push:
    branches:
      - main
      - 'releases/*'

permissions: {}

jobs:
  e2e-oci:
    name: Publish/Verify (Container Image)
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      contents: read
      id-token: write
    services:
      registry:
        image: registry@sha256:860f379a011eddfab604d9acfe3cf50b2d6e958026fb0f977132b0b083b1a3d7 # 2.8.3
        ports:
          - 5000:5000
    env:
      REGISTRY: localhost:5000
      IMAGE_NAME: test
      IMAGE_TAG: latest
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: Update GH CLI
        uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 # v0.2.0
        with:
          gh-cli-version 2.49.0
      - name: Build Dockerfile
        run: |
          cat <<EOF > Dockerfile
          FROM scratch
          COPY README.md .
          EOF
      - name: Build and push container image
        id: push
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
      - name: Attest image
        id: attest-action
        uses: ./
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify oci://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} -R ${{ github.repository }}