feat: CGW strategy + plugin architecture + CI workflows

.github/workflows/ci.yml

@@ -0,0 +1,44 @@
+name: CI
+
+on:
+  pull_request:
+    branches: ["main", "release*"]
+  push:
+    branches: ["main", "release*"]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.8.0
+          args: --verbose --timeout=15m
+
+  unit-test:
+    name: Unit tests
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Build
+        run: go build ./...
+
+      - name: Run strategy tests
+        run: go test ./pkg/... -v -count=1

.github/workflows/e2e.yml

@@ -0,0 +1,148 @@
+name: E2E
+
+on:
+  pull_request:
+    branches: ["main", "release*"]
+  push:
+    branches: ["main", "release*"]
+  workflow_dispatch:
+    inputs:
+      operator_image:
+        description: "Operator image (e.g. ghcr.io/securesign/secure-sign-operator:latest)"
+        required: false
+      operator_ref:
+        description: "secure-sign-operator branch/tag for CI infrastructure"
+        required: false
+        default: main
+
+env:
+  REGISTRY: ghcr.io
+  OPERATOR_REPO: securesign/secure-sign-operator
+  OPERATOR_REF: ${{ inputs.operator_ref || 'main' }}
+  TEST_NAMESPACE: test
+
+jobs:
+  e2e:
+    name: E2E tests
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Checkout secure-sign-operator
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.OPERATOR_REPO }}
+          ref: ${{ env.OPERATOR_REF }}
+
+      - name: Checkout sigstore-e2e
+        uses: actions/checkout@v4
+        with:
+          path: e2e
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: e2e/go.mod
+
+      - name: Resolve operator image
+        id: operator-image
+        run: |
+          if [ -n "${{ inputs.operator_image }}" ]; then
+            echo "img=${{ inputs.operator_image }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "img=registry.redhat.io/rhtas/rhtas-rhel9-operator:1.4.0" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Log in to GitHub Container Registry
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          auth_file_path: /tmp/config.json
+
+      - name: Log in to registry.redhat.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+          registry: registry.redhat.io
+          auth_file_path: /tmp/config.json
+
+      - name: Install Kind cluster
+        id: kind
+        uses: ./.github/actions/kind-cluster
+        with:
+          config: ./ci/config.yaml
+          keycloak: "true"
+          olm: "true"
+          prometheus: "true"
+
+      - name: Pull operator image
+        run: podman pull ${{ steps.operator-image.outputs.img }}
+
+      - name: Load operator image into Kind
+        run: |
+          podman save ${{ steps.operator-image.outputs.img }} -o operator-oci.tar
+          kind load image-archive operator-oci.tar
+
+      - name: Deploy operator
+        run: |
+          make dev-images generate && cat config/default/images.env
+          IMG=${{ steps.operator-image.outputs.img }} make deploy
+
+      - name: Wait for operator
+        run: |
+          kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager \
+            --timeout=120s -n openshift-rhtas-operator
+
+      - name: Add service hosts
+        run: |
+          echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" \
+            | sudo tee -a /etc/hosts
+
+      - name: Install SecureSign
+        run: |
+          OIDC_HOST="${{ steps.kind.outputs.oidc_host }}"
+          sed -i "s#https://your-oidc-issuer-url#http://${OIDC_HOST}/realms/trusted-artifact-signer#" \
+            config/samples/rhtas_v1alpha1_securesign.yaml
+          kubectl create ns ${{ env.TEST_NAMESPACE }}
+          kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}
+          sleep 1
+          kubectl wait --for=condition=Ready securesign/securesign-sample \
+            --timeout=5m -n ${{ env.TEST_NAMESPACE }}
+
+      - name: Run E2E tests
+        working-directory: e2e
+        env:
+          OIDC_ISSUER_URL: "http://${{ steps.kind.outputs.oidc_host }}/realms/trusted-artifact-signer"
+          CLI_STRATEGY: cli_server
+          CLI_SERVER_URL: "http://cli-server.local"
+        run: |
+          REKOR_UI_URL=$(kubectl get rekor -o jsonpath='{.items[0].status.rekorSearchUIUrl}' -n ${{ env.TEST_NAMESPACE }})
+          export REKOR_UI_URL
+          TUF_URL=$(kubectl get tuf -o jsonpath='{.items[0].status.url}' -n ${{ env.TEST_NAMESPACE }})
+          export TUF_URL
+          REKOR_URL=$(kubectl get rekor -o jsonpath='{.items[0].status.url}' -n ${{ env.TEST_NAMESPACE }})
+          export REKOR_URL
+          FULCIO_URL=$(kubectl get fulcio -o jsonpath='{.items[0].status.url}' -n ${{ env.TEST_NAMESPACE }})
+          export FULCIO_URL
+
+          source ./tas-env-variables.sh
+
+          go run github.com/playwright-community/playwright-go/cmd/playwright install --with-deps
+          go test -v ./test/...
+
+      - name: Dump operator logs
+        if: failure()
+        run: |
+          kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
+
+      - name: Archive test artifacts
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-results
+          path: e2e/test/**/k8s-dump-*.tar.gz
+          if-no-files-found: ignore

.golangci.yml

@@ -1,54 +1,38 @@
-linters-settings:
-  lll:
-    line-length: 170
+version: "2"
+
 linters:
-  enable-all: true
-  disable:
-    - cyclop
-    - deadcode
-    - depguard
-    - dupl
-    - exhaustive
-    - exhaustivestruct
-    - exhaustruct
-    - forbidigo
-    - funlen
-    - gci
-    - gochecknoglobals
-    - gochecknoinits
-    - gocognit
+  default: none
+  enable:
+    - copyloopvar
+    - errcheck
     - goconst
     - gocyclo
-    - godox
-    - goerr113
-    - gofumpt
-    - golint
-    - gomnd
-    - gomoddirectives
-    - ifshort
-    - interfacer
-    - ireturn
-    - lll
-    - maligned
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
     - nakedret
-    - nestif
-    - nilnil
-    - nlreturn
-    - nolintlint
-    - nosnakecase
-    - paralleltest
-    - revive
-    - rowserrcheck
-    - scopelint
-    - structcheck
-    - sqlclosecheck
-    - tagalign
-    - tagliatelle
-    - tenv
-    - testpackage
-    - varcheck
-    - varnamelen
-    - wastedassign
-    - whitespace
-    - wrapcheck
-    - wsl
+    - prealloc
+    - staticcheck
+    - unconvert
+    - unparam
+    - unused
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - errcheck
+        path: (test/|pkg/support/)
+      - linters:
+          - gosec
+        path: (test/|pkg/support/|pkg/kubernetes/|pkg/clients/)
+      - linters:
+          - goconst
+          - prealloc
+          - staticcheck
+        path: test/
+
+formatters:
+  enable:
+    - gofmt
+    - goimports

README.md

@@ -25,11 +25,24 @@ This test suite aims to cover Trusted Artifact Signer deployment with end-to-end
   - Windows PowerShell: `tas-env-variables.ps1`
 
 
-- Optional: Set `CLI_STRATEGY` environment variable to either `openshift` or `local`:
+- Optional: Set `CLI_STRATEGY` environment variable to configure how CLI binaries are obtained:
 ```
 export CLI_STRATEGY=openshift
 ```
-This configures the test suite to download `cosign`, `gitsign`, `rekor-cli`, `ec`, `tuftool` binaries from the cluster's console. If not set, the suite will use local binaries by default.
+  Available strategies:
+  - `local` (default) — uses binaries already on `$PATH`
+  - `openshift` — downloads from the cluster's `ConsoleCLIDownload` resources
+  - `cli_server` — downloads from a CLI server (requires `CLI_SERVER_URL`)
+  - `cgw` — downloads from the Red Hat content gateway (requires `CGW_URL`)
+
+  For the `cgw` strategy, set the base URL including the RHTAS version:
+```
+export CLI_STRATEGY=cgw
+# GA
+export CGW_URL=https://developers.redhat.com/content-gateway/file/cgw/RHTAS/1.4.0
+# Stage
+# export CGW_URL=https://developers.qa.redhat.com/content-gateway/file/cgw/RHTAS/1.4.0
+```
 
 - Optional: To use a manual image setup, set the `MANUAL_IMAGE_SETUP` environment variable to `true` and specify the `TARGET_IMAGE_NAME`.
 ```

go.mod

@@ -1,6 +1,6 @@
 module github.com/securesign/sigstore-e2e
 
-go 1.21
+go 1.24
 
 replace github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v4 v4.0.5
 
@@ -25,6 +25,7 @@ require (
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-stack/stack v1.8.1 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect

go.sum

@@ -127,6 +127,8 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
 github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

pkg/api/values.go

@@ -19,6 +19,7 @@ const (
 	GithubRepo       = "TEST_GITHUB_REPO"
 	CliStrategy      = "CLI_STRATEGY"
 	CLIServerURL     = "CLI_SERVER_URL"
+	CGWURL           = "CGW_URL"
 	ManualImageSetup = "MANUAL_IMAGE_SETUP"
 	TargetImageName  = "TARGET_IMAGE_NAME"
 	CosignImage      = "COSIGN_IMAGE"
@@ -29,6 +30,12 @@ const (
 	TestSafari       = "TEST_SAFARI"
 	TestEdge         = "TEST_EDGE"
 
+	ContainerImage = "CONTAINER_IMAGE"
+	ContainerPath  = "CONTAINER_PATH"
+	GitURL         = "GIT_URL"
+	GitBranch      = "GIT_BRANCH"
+	GitBuildDir    = "GIT_BUILD_DIR"
+
 	// 'DockerRegistry*' - Login credentials for 'registry.redhat.io'.
 	DockerRegistryUsername = "REGISTRY_USERNAME"
 	DockerRegistryPassword = "REGISTRY_PASSWORD"