.github/workflows/ci.yml

name: CI

on:
  push:
    branches:
      - main
  pull_request:
  schedule:
    - cron: "0 12 * * *"

permissions: {}

jobs:
  ruby-versions:
    uses: ruby/actions/.github/workflows/ruby_versions.yml@3fbf038d6f0d8043b914f923764c61bc2a114a77
    with:
      engine: cruby-truffleruby
      min_version: 3.1

  test:
    needs: ruby-versions
    runs-on: ${{ matrix.os }}
    name: Test Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
        os: [ubuntu-latest]
        # os: [ ubuntu-latest, macos-latest, windows-latest ]
        # include:
        #   - { os: windows-latest, ruby: ucrt }
        #   - { os: windows-latest, ruby: mingw }
        #   - { os: windows-latest, ruby: mswin }
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Ruby
        uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true

      - name: Run the tests
        run: bin/rake test

      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: sigstore/sigstore-ruby

  sigstore-conformance:
    needs: ruby-versions
    runs-on: ${{ matrix.os }}
    name: Sigstore Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
        os: [ubuntu-latest]
        # os: [ ubuntu-latest, macos-latest, windows-latest ]
        # include:
        #   - { os: windows-latest, ruby: ucrt }
        #   - { os: windows-latest, ruby: mingw }
        #   - { os: windows-latest, ruby: mswin }
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Ruby
        uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true

      - name: Run the conformance tests
        uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
        with:
          entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
          xfail: "${{ matrix.ruby != 'head' && matrix.ruby != '3.4' && 'test_verify_rejects_bad_tsa_timestamp' }}"
        if: ${{ matrix.os }} == "ubuntu-latest"
      - name: Run the conformance tests against staging
        uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
        with:
          entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
          xfail: "${{ matrix.ruby != 'head' && matrix.ruby != '3.4' && 'test_verify_rejects_bad_tsa_timestamp' }}"
          environment: staging
        if: ${{ matrix.os }} == "ubuntu-latest"
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: sigstore/sigstore-ruby

  tuf-conformance:
    needs: ruby-versions
    runs-on: ${{ matrix.os }}
    name: TUF Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
        os: [ubuntu-latest]
        # os: [ ubuntu-latest, macos-latest, windows-latest ]
        # include:
        #   - { os: windows-latest, ruby: ucrt }
        #   - { os: windows-latest, ruby: mingw }
        #   - { os: windows-latest, ruby: mswin }
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Ruby
        uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true

      - name: Touch requirements.txt
        run: touch requirements.txt

      - name: Run the TUF conformance tests
        uses: theupdateframework/tuf-conformance@dee4e23533d7a12a6394d96b59b3ea0aa940f9bf
        with:
          entrypoint: ${{ github.workspace }}/bin/tuf-conformance-entrypoint
          artifact-name: "test repositories ${{ matrix.ruby }} ${{ matrix.os }}"
        if: |
          ${{ matrix.os }} == "ubuntu-latest"

      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
        if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: sigstore/sigstore-ruby

  smoketest:
    needs: ruby-versions
    runs-on: ubuntu-latest
    name: Smoketest
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
        os: [ubuntu-latest]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Set up Ruby
        uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0
        with:
          ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
          bundler-cache: true
      - name: Build the gem
        run: bin/rake build
      - name: List built gems
        id: list-gems
        run: |
          echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
      - name: Run the smoketest
        run: |
          ./bin/smoketest ${BUILT_GEMS}
        env:
          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
          WORKFLOW_NAME: ci

  all-tests-pass:
    if: always()

    needs:
      - test
      - sigstore-conformance
      - tuf-conformance

    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - name: check test jobs
        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
        with:
          jobs: ${{ toJSON(needs) }}

  lint:
    needs: ruby-versions
    runs-on: ubuntu-latest
    name: Lint
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Ruby
        uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0
        with:
          ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
          bundler-cache: true
      - name: Run the linter
        run: bin/rubocop