The test suite sort of naturally includes tests for verifying old bundles with new client... but it would be useful to ensure that bundles created by current client are verified correctly by expected old clients -- I think we don't have any tests like this.
- job 1:
- checkout current branch
- sign
- upload bundle as artifact
- job2: matrix of older git tags
- checkout tag
- download artifact
- verify bundle
This might be a little more involved (e.g. we don't expect 3.x to verify bundles with rekorv2 entries)
The test suite sort of naturally includes tests for verifying old bundles with new client... but it would be useful to ensure that bundles created by current client are verified correctly by expected old clients -- I think we don't have any tests like this.
This might be a little more involved (e.g. we don't expect 3.x to verify bundles with rekorv2 entries)