Skip to content

Latest commit

 

History

History
75 lines (54 loc) · 3.24 KB

File metadata and controls

75 lines (54 loc) · 3.24 KB

Conforma CLI

Go CLI for verifying software supply chain artifacts — validates container image signatures, provenance, and evaluates OPA/Rego policies. Built with CGO_ENABLED=0.

Build & Test

make build                   # Build for current platform → dist/ec_<os>_<arch>
make test                    # Run unit + integration + generative tests
make lint                    # golangci-lint + addlicense + tekton-lint (0 warnings enforced)
make lint-fix                # Auto-fix lint issues
make ci                      # Full CI: test + lint-fix + acceptance

Acceptance Tests

make acceptance              # Run all (Cucumber/Gherkin via Godog, 20m timeout)
make scenario_<name>         # Single scenario (replace spaces with underscores)
make feature_<name>          # All scenarios in a feature file

Flags: -persist keeps test env for debugging, -restore reruns against persisted env, -tags=@focus runs tagged scenarios. Update snapshots: UPDATE_SNAPS=true make acceptance.

See acceptance/README.md for Testcontainers setup, WireMock stubbing, and snapshot testing details.

macOS: Acceptance tests require a Podman machine. Run ./hack/macos/setup-podman-machine.sh once for automated setup (creates machine with 4 CPUs, 8GB RAM, configures DNS and networks), then ./hack/macos/run-acceptance-tests.sh to run tests. See hack/macos/README.md for options and hack/macos/TROUBLESHOOTING.md for detailed debugging.

Test Tags

Tests use build tags with different timeouts:

  • unit (10s), integration (15s), generative (30s), acceptance (20m)
  • Run specific: go test -tags=unit ./internal/evaluator -run TestName

Key Conventions

  • Multi-module project: root, acceptance/, tools/ each have their own go.mod. Run go mod tidy in the right module.
  • Debug mode: --debug or EC_DEBUG=1 preserves ec-work-* temp directories for inspection.
  • Conventional commits with Jira key encouraged (e.g., feat(EC-1234): description).

CGO and DNS Resolution

Binaries are built with CGO_ENABLED=0 for portability. This uses Go's native DNS resolver, which cannot resolve second-level localhost domains (e.g., apiserver.localhost). Acceptance tests require /etc/hosts entries:

127.0.0.1 apiserver.localhost
127.0.0.1 rekor.localhost

Design Documents

Read these before modifying the corresponding areas:

Troubleshooting

System-level issues that surface in acceptance tests:

Problem Fix
Go checksum mismatch go env -w GOPROXY='https://proxy.golang.org,direct'
Podman container failures Use user service: systemctl enable --user --now podman.socket
Too many containers (inotify) echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf
Key limit errors echo kernel.keys.maxkeys=1000 | sudo tee -a /etc/sysctl.conf