test(e2e): add Executor v2alpha1 bats fixtures & group v1 fixtures into v1/ #2583
fseldow wants to merge 1 commit into
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Gatekeeper/Ratify BATS test fixtures for config.ratify.dev/v2alpha1 Executor and Gatekeeper constraints/templates to cover namespace-scoped keys and several negative/edge configurations.
Changes:
- Added multiple v2 `Executor` YAML configs to exercise store/verifier/policy combinations (including invalid store and keyless cases).
- Added Gatekeeper `ConstraintTemplate` variants (default vs namespace-prefixed key format) plus a `Constraint` for test deployments.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| test/bats/tests/config/v2_executor_no_verifiers.yaml | New v2 Executor fixture intended to represent “no verifiers” behavior via a non-matching verifier scope. |
| test/bats/tests/config/v2_executor_no_notation.yaml | New v2 Executor fixture for cosign-only verification (no notation verifier). |
| test/bats/tests/config/v2_executor_namespace_notation.yaml | New v2 Executor fixture scoped to a namespace/repo path for notation verification. |
| test/bats/tests/config/v2_executor_namespace_cosign.yaml | New v2 Executor fixture scoped to a namespace/repo path for cosign verification. |
| test/bats/tests/config/v2_executor_k8s_secret_auth.yaml | New v2 Executor fixture for credentialed registry access (currently static creds). |
| test/bats/tests/config/v2_executor_invalid_store.yaml | New v2 Executor fixture with an invalid store type for negative-path testing. |
| test/bats/tests/config/v2_executor_cosign_legacy_keyless.yaml | New v2 Executor fixture for cosign keyless trust policy (legacy-labeled). |
| test/bats/tests/config/v2_executor_cosign_legacy.yaml | New v2 Executor fixture for cosign (key-based) + notation together (legacy-labeled). |
| test/bats/tests/config/v2_executor_cosign_keyless.yaml | New v2 Executor fixture for cosign keyless trust policy. |
| test/bats/tests/config/constraint_template_default.yaml | New Gatekeeper ConstraintTemplate using non-namespaced image keys for Ratify external_data calls. |
| test/bats/tests/config/constraint_template.yaml | New Gatekeeper ConstraintTemplate using namespace-prefixed image keys for Ratify external_data calls. |
| test/bats/tests/config/constraint.yaml | New Gatekeeper Constraint applying the template to Pods in selected namespaces. |
Codecov Report
✅ All modified and coverable lines are covered by tests.

| Coverage Diff | main | #2583 | +/- |
|---|---|---|---|
| Coverage | 77.62% | 77.62% | |
| Files | 105 | 105 | |
| Lines | 4657 | 4657 | |
| Hits | 3615 | 3615 | |
| Misses | 893 | 893 | |
| Partials | 149 | 149 | |

the moved fixtures are referenced from |
Signed-off-by: xinhl <xinhl@microsoft.com>
charleswool left a comment
Would moving the v1 fixtures into v1/ break the existing references still pointing at the old paths?
May consider modifying in a future PR. Currently the reference is the e2e test; e2e is not working.
Summary

Two fixture-tree changes:

- `v2alpha1` fixtures. New `config.ratify.dev/v2alpha1` `Executor` manifests used by the upcoming v2 provider bats e2e suite.
- `config_v1beta1_*.yaml` files into `test/bats/tests/config/v1/` so the v1 and v2 trees are visually separate. Because the v1 fixtures now live under their own `v1/` subdir, the new files do not need a `v2_` prefix.

Important — references not updated yet

This PR is fixture-tree only. It does NOT touch `base-test.bats`, `azure-test.bats`, `helpers.bash`, the `Makefile`, or any workflow. The Gatekeeper constraint / constraint-template YAML is also intentionally kept out and will land separately.

Because the v1 fixture paths change, the existing references in `base-test.bats` / `azure-test.bats` (≈27 paths) become stale until the follow-up PR — which rewrites the suite to apply v2 `Executor` CRs — lands. This PR is meant to land together with that follow-up, not on its own.

Fixtures added (file → consuming `@test`)

| File | Consuming `@test` |
|---|---|
| `executor_cosign_keyless.yaml` | cosign keyless test |
| `executor_cosign_legacy.yaml` | cosign legacy keyed test |
| `executor_cosign_legacy_keyless.yaml` | cosign legacy keyless test |
| `executor_invalid_store.yaml` | store crd status check |
| `executor_k8s_secret_auth.yaml` | validate K8s secrets ORAS auth provider |
| `executor_namespace_cosign.yaml` | namespaced notation/cosign verifiers test |
| `executor_namespace_notation.yaml` | namespaced notation/cosign verifiers test |
| `executor_no_notation.yaml` | validate crd add, replace and delete + namespaced notation/cosign verifiers test |
| `executor_no_verifiers.yaml` | namespaced notation/cosign verifiers test |
| `executor_notation_akv.yaml` | `azure-test.bats` rewrite) |
| `executor_cosign_akv.yaml` | `azure-test.bats` rewrite) |

The two AKV fixtures use `__VAULT_URI__` / `__CLIENT_ID__` / `__TENANT_ID__` / `__NOTATION_CERT_NAME__` / `__COSIGN_KEY_NAME__` placeholders, to be substituted via `sed` at runtime (same pattern the current v1 azure tests use against the `config/samples/clustered/kmp/*` templates).

v1 fixtures moved

All 10 `config_v1beta1_*.yaml` files → `test/bats/tests/config/v1/`.

Related

Split out of #2565.