
test(pacquet): cover generate_provenance / sigstore signing in pacquet publish #12739

Description

@KSXGitHub

Context

generate_provenance (pacquet/crates/publish/src/provenance_gen.rs, added in #12691) builds the SLSA provenance statement, fetches a sigstore-audience OIDC token, and signs it:

let bundle = SigningContext::production()
    .signer(token)
    .sign_raw_statement(&statement_bytes)
    .await?;

The statement-building (build_statement, github_statement, gitlab_statement) and the token-fetch (fetch_sigstore_token) sit behind the Sys dependency-injection seam and are unit-tested. But the generate_provenance orchestrator and the signing step are uncovered, because the sigstore client (SigningContext::production() → real Fulcio/Rekor) is not injectable.

Ask

Either:

  • (a) introduce a DI seam for the signing step — a capability on the Host provider that returns the bundle — so generate_provenance can be unit-tested with a fake signer (mirroring how pnpm mocks sigstore in its provenance tests); or
  • (b) add an opt-in integration test against sigstore's staging instance.

(a) is preferred, matching the rest of the publish crate's DI test strategy.
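To make option (a) concrete, here is an added sketch of what such a seam could look like. It is illustrative code written for this issue, not pacquet's own code: the trait names (`ProvenanceSigner`, `Host`), the `Bundle` and `FakeSigner` types and the synchronous signatures are all assumptions (the real `sign_raw_statement` is async and returns a sigstore bundle). The point is that `generate_provenance` only depends on a trait, so a unit test can drive the orchestrator end to end with a fake signer and check both the happy path and the failure modes (missing token, signer error) without ever touching Fulcio or Rekor.

```rust
// Added example for the DI-seam idea, not pacquet code. All names below are hypothetical.

#[derive(Debug, Clone, PartialEq)]
pub struct Bundle {
    pub payload: Vec<u8>,    // the signed statement bytes
    pub signature: Vec<u8>,  // toy "signature" produced by the fake signer
    pub identity: String,    // stands in for the certificate identity in a real bundle
}

#[derive(Debug, PartialEq)]
pub enum ProvenanceError {
    MissingToken,
    Signing(String),
}

/// Seam for the signing step: production would wrap the sigstore client,
/// tests supply a fake.
pub trait ProvenanceSigner {
    fn sign_raw_statement(&self, token: &str, statement: &[u8]) -> Result<Bundle, ProvenanceError>;
}

/// Hypothetical host capability provider; the real `Sys` seam is assumed to differ.
pub trait Host {
    fn fetch_sigstore_token(&self) -> Option<String>;
    fn signer(&self) -> &dyn ProvenanceSigner;
}

/// Minimal in-toto-style statement, constructed for the example.
fn build_statement(pkg: &str, version: &str, digest: &str) -> Vec<u8> {
    format!(
        r#"{{"_type":"https://in-toto.io/Statement/v1","subject":[{{"name":"pkg:npm/{}@{}","digest":{{"sha512":"{}"}}}}],"predicateType":"https://slsa.dev/provenance/v1"}}"#,
        pkg, version, digest
    )
    .into_bytes()
}

/// The orchestrator under test: build statement, fetch token, sign via the seam.
pub fn generate_provenance<H: Host>(
    host: &H,
    pkg: &str,
    version: &str,
    digest: &str,
) -> Result<Bundle, ProvenanceError> {
    let statement = build_statement(pkg, version, digest);
    let token = host.fetch_sigstore_token().ok_or(ProvenanceError::MissingToken)?;
    host.signer().sign_raw_statement(&token, &statement)
}

/// Fake signer: no network, deterministic, can be told to fail.
pub struct FakeSigner {
    pub fail: bool,
}

impl ProvenanceSigner for FakeSigner {
    fn sign_raw_statement(&self, token: &str, statement: &[u8]) -> Result<Bundle, ProvenanceError> {
        if self.fail {
            return Err(ProvenanceError::Signing("simulated Fulcio outage".to_string()));
        }
        // XOR checksum as a placeholder for a real signature; enough to assert the
        // orchestrator passed the exact statement bytes through.
        let checksum = statement.iter().fold(0u8, |acc, b| acc ^ b);
        Ok(Bundle {
            payload: statement.to_vec(),
            signature: vec![checksum],
            identity: format!("fake-identity-for:{}", token),
        })
    }
}

pub struct FakeHost {
    pub token: Option<String>,
    pub signer: FakeSigner,
}

impl Host for FakeHost {
    fn fetch_sigstore_token(&self) -> Option<String> {
        self.token.clone()
    }
    fn signer(&self) -> &dyn ProvenanceSigner {
        &self.signer
    }
}

fn main() {
    let host = FakeHost { token: Some("oidc-token".to_string()), signer: FakeSigner { fail: false } };
    match generate_provenance(&host, "foo", "1.0.0", "deadbeef") {
        Ok(bundle) => println!("signed {} bytes as {}", bundle.payload.len(), bundle.identity),
        Err(e) => println!("provenance failed: {:?}", e),
    }
}
```

With this shape the tests the issue asks for become plain unit tests of `generate_provenance`: one asserting the bundle payload is exactly the built statement, one for the missing-token path, one for a signer error propagating unchanged.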

Note for implementers

Add/port the corresponding pacquet publish provenance tests in the same PR as the seam/harness — don't land the plumbing without the coverage.

Refs: #12691, roadmap #11633.


Written by an agent (Claude Code).
