Add missing //go:build integration tag to verify_integration_test.go #13303
Merged
The four tests in this file (TestVerifyIntegration, TestVerifyIntegrationCustomIssuer, TestVerifyIntegrationReusableWorkflow, TestVerifyIntegrationReusableWorkflowSignerWorkflow) call NewLiveSigstoreVerifier which requires network access to Sigstore and GitHub TUF servers. Unlike the other integration test files in this package (attestation_integration_test.go, sigstore_integration_test.go, inspect_integration_test.go), this file was missing the //go:build integration tag, causing these tests to run during a regular 'go test ./...' and fail in network-isolated build environments.
Thanks for your pull request! Unfortunately, it doesn't meet the minimum requirements for review:
Please update your PR to address the above. Requirements:
This PR will be automatically closed in 7 days if these requirements are not met.
Contributor
Pull request overview
Adds the missing Go integration build tag to ensure Sigstore/GitHub-network-dependent tests in the attestation verify package only run when -tags=integration is explicitly enabled.
Changes:
- Add //go:build integration at the top of verify_integration_test.go to prevent unintended execution during 'go test ./...' in network-isolated environments.
Member
No need for an issue.
williammartin
approved these changes
Apr 28, 2026
Summary
//go:build integration build tag to pkg/cmd/attestation/verify/verify_integration_test.go, which was the only integration test file in the attestation package missing this tag.
Problem
The four tests in verify_integration_test.go (TestVerifyIntegration, TestVerifyIntegrationCustomIssuer, TestVerifyIntegrationReusableWorkflow, TestVerifyIntegrationReusableWorkflowSignerWorkflow) call verification.NewLiveSigstoreVerifier() which requires network access to Sigstore and GitHub TUF servers to initialize trusted roots.
Unlike the other integration test files in the same package (attestation_integration_test.go, sigstore_integration_test.go, inspect_integration_test.go), this file was missing the //go:build integration tag. This caused these tests to run during a regular 'go test ./...' and fail with "no valid Sigstore verifiers could be initialized" in network-isolated build environments (e.g. openSUSE package builds).
Fix
Add //go:build integration as the first line, matching the convention used by all other integration test files. These tests will continue to run in CI where -tags=integration is passed explicitly (see .github/workflows/go.yml).
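
A check that would catch this kind of omission before it reaches a network-isolated build, added here as an example and not code from this pull request or the project. It assumes the naming convention described above (files ending in _integration_test.go must be gated on the integration tag); the function names gatedByIntegration and ungatedIntegrationTests are hypothetical.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// gatedByIntegration (hypothetical helper, not project code) reports whether src's
// //go:build line is false whenever "integration" is unset, whatever else is set.
func gatedByIntegration(src []byte) bool {
	for _, raw := range strings.Split(string(src), "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || (strings.HasPrefix(line, "//") && !constraint.IsGoBuild(line)) {
			continue // blank lines and other // comments may precede the constraint
		}
		expr, err := constraint.Parse(line)
		if err != nil {
			return false // reached code, a block comment or a malformed constraint
		}
		return !expr.Eval(func(tag string) bool { return tag != "integration" })
	}
	return false
}

// ungatedIntegrationTests lists *_integration_test.go files under root that a
// plain `go test ./...` would still compile and run.
func ungatedIntegrationTests(root string) ([]string, error) {
	var missing []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, "_integration_test.go") {
			return err
		}
		src, err := os.ReadFile(p)
		if err == nil && !gatedByIntegration(src) {
			missing = append(missing, p)
		}
		return err
	})
	return missing, err
}

func main() {
	if m, err := ungatedIntegrationTests("."); err != nil || len(m) > 0 {
		fmt.Println("integration tests without the build tag:", m, err)
		os.Exit(1)
	}
}
```

A constraint such as integration || e2e is reported as ungated, because a build with only the other tag set would still run the network-dependent tests.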